What is this "Sign in to <sitename> using Google prompt called? - google-signin

I've recently been seeing this all over the web these days:
Earlier we used to have sign in with Google, Facebook, Twitter, etc., buttons using OAuth and what not but this something new as this is very much aware of all the accounts that you are logged in with on Google in your browser and all you have to do is to just click the click on the one you want to use.
I am curious to know what is this called, What technologies does it use and how can I incorporate this into my own websites?

Google uses OAuth 2.0 only for third-party authentication using its accounts.
But the JS that is responsible for initiating this flow is improvised. It now detects the state of signin, and shows the list of accounts that are already logged-in or were logged-in at this device. The user selects one of the accounts, and from there the sign-in process is the same standard OAuth flow.
Reference:
https://developers.google.com/identity/sign-in/web/sign-in
https://developers.google.com/identity/sign-in/web/session-state

Related

Can you tell if Google sign-in had 2fa?

On a web app using Sign-in with Google, I want to know if Google had let the user in with 2fa challenge or without and decide to present a 2fa challenge to the user if they have not. Is there a way to know that?
Failing that, is there a way to tell if the user has 2fa enabled on their Google account or not (regardless of it being part of the most recent login session)?
Google doesnt tell you if the user has 2fa enabled on their account or not.
The only information you are going to get back from a google sign in is if it went though or not.

Google calendar api authentication in Google Actions

I want to be able create calendar events in my Action that runs through Google Assistant.
Right now I was able to modify this Quickstart guide (https://developers.google.com/calendar/quickstart/nodejs) and use it in my current Dialogflow fulfillment. However, it's a little tedious to have the user have to copy and paste the authentication code after allowing Google Calendar access. Are there any better ways to do this that doesn't require the copy-paste flow? Thanks in advance!
Use Account linking with Google Sign-In
https://developers.google.com/actions/identity/google-sign-in
Then send a card to the user device with a link to authorise Google Calendar access. Store the authentication code securely against the user. Use the authentication code to make requests.
Broadly speaking, the approach you can take is to use Google Sign-In, as outlined in this SO answer: Google Home Authorization Code and Authentication with Google Account.
With this scheme, you use a website to get the user to authorize your use of the Calendar API scope, and you store the auth token against their UserID. Then you use Google Sign-In with the Assistant to get that ID. This works well if they go to your web page first, but not as well if they go to the Assistant first.
You can also setup an OAuth server that lets users sign-in using Google Sign-In on a web page (or use something like Auth0 and, as part of that sign-in, get authorization for the Calendar scope. Then use OAuth Account Linking in the Google Assistant to get an auth token which you can use to get the user's ID. You can then use this ID to lookup the authorization token.

Google Sign-In: Keeping user signed out if he/she signs out elsewhere

I use Google Sign-In in order to let my users connect their Google Calendar and related services to our web app. The problem is that if a user signs out of her connected account somewhere else, this will revoke access from our app as well.
I understand that this is primarily a user issue, but several of them still expect their Google integration with our app to work even if they are not signed in to the account in question.
Is there any way at all we can achieve this? Does Google Sign-In have something akin to a Refresh Token which will allow us to create a new session even if the user has signed out?
After trying multiple approaches, we came to the conclusion that this simply is not possible. You should NOT use Google SignIn if you need persistent access to a users profile until he/she manually revokes it. The natural choice for that is plain oauth2.

Google+ sign in and ASP.NET forms authentication, how do I sign out?

I have an ASP.NET MVC application which uses Google+ sign-in to authenticate the user. The flow is as follows;
User accesses controller action decorated with [Authorize]
attribute, forms authentication is configured so the user is
forwarded to the log in page.
User clicks the Sign In with Google+ button and the server side flow is initiated as per guide
Server receives the Google tokens which are used to authenticate the user, logging them in and returning the standard asp.net auth cookie in the response. The user can then access the site with the cookie.
Now, if I go through the usual asp.net forms log out process of clearing the user's cookie/session there's a problem. If they attempt to access the application after they've logged out but are still signed into a Google product in another tab, they'll be re-directed to my login page. The Google+ sign-in button will automatically sign them back in again initiating the whole sign in process and getting a brand new asp.net cookie!! The only way to truly sign out is to ensure you are not signed into any Google products still and then attempt to sign out. Not exactly user friendly. I guess the same thing happens with all Google products, if I'm signed into Gmail and open Docs, I'll get signed in automagically. The difference being if you sign out of one, you'll sign out of all Google products. I think.
There is currently not a supported means of logging the user out from your site. What you can do is force the user to click the Google+ Sign-In Button before they will be authorized unless you have set a cookie on their client indicating they are signed in (or enrolled, if you want to distinguish between the sign-in action and being signed-in). You can look at this question:
how do i sign user out of my app?
or this question:
Preventing automatic sign-in when using Google+ Sign-In
for discussions on this topic on stack overflow and answers to similar questions.

Google Calendar API . Can I write to a users calendar when the user isn't logged in?

This may seem like a totally idiotic question but I am looking at writing a web app/service that will utilize google's calendar API's and I needed to see if I have the ability to write to a users calendar when the user isn't logged into there google account. I couldn't find any clear documentation that illustrated whether or not I could do this or not. I pictured the authorization process something the user agrees to when they sign up for my site and then my app can go add things to there google calendar. Does anyone know if this is possible? If so, can someone hook me up with a link that illustrates how that works?
Thanks in advance
You're thinking about "logged in" wrong.
Because web connections don't persist between requests, any web-site or web-service is checking headers such as the Authorization header and/or Cookie header (depending on what authorisation method is used), with each and every request and matching the request to a user.
Hence logging in* means that the web client (browser or whatever) is set to use the details that relate to a particular user in making the request.
When you use the API, the authorisation information you send, is performing the same job. As such, when the user is using your API they are logged in through your API, whether they're logged in through a web page or other application or not.
E.g.:
My web browser is currently logged into google to an account I use for work stuff.
My mail client is logged into google calendar to an account I use for private stuff.
When I look at google calendar, I see that I don't have any calendars (I don't use it on my work account).
When I look at Thunderbird, I see my calendars.
If I peek at the traffic being sent by the browser and mail client, on both I see headers like:
Authorization: GoogleLogin auth=...stuff I'm not going to share or it would help you impersonate me
So, I'm "logged in" on Thunderbird because the code using the API logs me in itself.
Indeed, the same application can access multiple accounts and be "logged in" to all of them, as long as it has the authentication details to do so.
*Strictly, some would argue that "logged in" isn't the correct term at all, and refers to different sorts of access mechanism where there is state on the connection. Whatever about that opinion, we use the metaphor of being or not being logged in, because users understand it.
The answer to your question is yes. Use OAuth 2 and the Authorization Code flow (web server flow), with offline enabled. Store the refresh tokens (which last indefinitely until the user has revoked), and you'll be able to upload events to Google Calendar even when the user isn't currently logged in.
More info: https://developers.google.com/accounts/docs/OAuth2WebServer#offline
Credits to Ryan Boyd for this note.

Resources