Is there a way to have a 'Google Sign In' button for google accounts that are not signed up with Google Plus?

StackOverflow https://stackoverflow.com/questions/23221731

07-07-2023

Question

I'm working on an internal website for the company I work for. The website will be only available to company staff. We use Google Apps for Business, so we would like authentication to be done using our google accounts.

I've gone through 'google sign in' samples from here: https://developers.google.com/+/ It works, but the problem we run into is that it requires the user to sign up to Google+. This is a speed bump we would prefer not to have.

Are there any ways around this? Thanks.


Solution

It shouldn't be too hard to roll your own sign-in using the lower levels of OAuth, e.g. the 'email' scope. It's hard to give a more specific answer because it depends on your architecture (e.g. are you predominantly server-side or client-side) and what kind of session you want to create by the sign-in process. For example, if you are client/REST based, you probably don't want any session at all, as REST encourages statelessness. On the other hand, if you are more web based, serving static pages, you will want a session.

In simple terms, you will be doing something that generates an access token, and then processing that access token to determine the email address (or Google ID) of the person who created it. You will then establish some sort of session (e.g. using session cookies) that identifies future requests from that user.

Feel free to add some more detail to your architecture and I'll try to finesse the answer.

For simple HTTP servlet sessions, it will be something like:

  1. User requests a protected page.

  2. Servlet detects that there is no session and/or the session has no authenticated user.

  3. Servlet redirects to an OAuth page to request an access code, something like:

    https://accounts.google.com/o/oauth2/auth?redirect_uri=xxx&response_type=code&client_id=zz&approval_prompt=auto&scope=email
    NB: research the exact URL; don't rely on this being exact.

  4. If the user isn't logged on, he'll be prompted; if he has multiple logins, he'll be prompted; if he hasn't yet granted email access, he'll be prompted. If none of these conditions are met (the normal case) he won't see anything.

  5. Browser will redirect to the redirect_uri, carrying an access token (or an auth code if this is the first time the user has used the app).

  6. Post the token to the Google userinfo endpoint, and you will receive a decoded response containing the email address.

  7. Store the email in a session object (or retrieve your own user object and store that).

  8. Redirect back to the originally requested page. You can use the OAuth state parameter to pass that around.

    Et voilà: all future page requests from that user will be within a session containing some user identification.

NB: This is just an outline and I may even have missed a step. You will still need to do your own OAuth research.
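The server-side half of the outline above (steps 3, 5, 6 and 7) as an added example that is not part of the answer: it builds the authorization request, validates the callback's state parameter before trusting the code, and reduces a userinfo response to a session identity. The endpoint URLs, the `hd` parameter and the `email_verified`/`hd` claim names are assumptions from Google's OAuth 2.0 documentation rather than from the answer; the network calls (code-for-token exchange, userinfo request) are left to your HTTP client so the module runs offline.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed endpoints (from Google's OAuth 2.0 docs, not from the answer).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
USERINFO_ENDPOINT = "https://www.googleapis.com/oauth2/v3/userinfo"


def new_state() -> str:
    """Unguessable per-login value; keep it in the pre-auth session (step 3)."""
    return secrets.token_urlsafe(32)


def build_auth_url(client_id, redirect_uri, state, hosted_domain, return_to="/"):
    """Step 3: authorization request. `state` carries the CSRF token and the
    page to return to, so the callback can restore it (step 8)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email",
        "state": f"{state}:{return_to}",
        "hd": hosted_domain,  # UI hint only; the hd claim is still checked below
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 5: validate the redirect back from Google. Returns (code, return_to)
    or raises when state is missing or wrong (blocks login CSRF)."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError(q["error"][0])
    token, _, return_to = q.get("state", [""])[0].partition(":")
    if not token or not secrets.compare_digest(token, expected_state):
        raise PermissionError("state mismatch")
    code = q.get("code", [None])[0]
    if not code:
        raise PermissionError("no authorization code")
    return code, return_to or "/"


def identify_user(userinfo_json, allowed_domain):
    """Steps 6/7: turn the userinfo body into a session identity. Requires a
    verified address in the company's Google Apps domain, not just any Google user."""
    info = json.loads(userinfo_json)
    email = info.get("email", "")
    if not info.get("email_verified"):
        raise PermissionError("email not verified")
    if info.get("hd") != allowed_domain or not email.endswith("@" + allowed_domain):
        raise PermissionError("account outside company domain")
    return {"sub": info["sub"], "email": email}  # store this in the session
```

Whatever you store in the session, key it on `sub` (the stable Google ID) rather than the email alone, since addresses can be renamed or reassigned within a domain.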

OTHER TIPS

Apparently not:

(..) if a Google user who has not upgraded to a Google+ account clicks on the Sign in with Google+ button, the same consent dialog that opens will take the user into an account upgrade flow.

Weirdly, the docs for OAuth2 state:

Google+ Sign-In works for all users with a Google account, whether or not they have upgraded to Google+.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow