Google+ Sign-In: Federated Identity, Authorization and Semantic Activity Streams
Google+ Sign-In extends the Google+ social network into third-party websites, desktop applications and mobile apps, and further cements Google's position as an identity provider alongside others such as Twitter and Facebook. The new service, announced on February 26th, provides features for authentication, authorization and activity sharing. There is additional support for user engagement, hangouts and automatic Android app downloads.
While discussion of the new service has been dominated by a perceived rivalry with Facebook, from a technical perspective it's useful to look under the covers at the Google+ API to see how the new features work and understand some of the standards that are being put to use.
A simple [g+ | Sign In] button provides the entry point into a third-party web page, desktop or mobile application. This kicks off a process that starts with the application requesting an access token for the user's Google+ profile. The orchestration is accomplished either in the web browser via the client-side flow, or via back-end API operations using the server-side flow. If the user hasn't already authenticated with Google+, then authentication is executed as part of the sign-in. The user is also prompted for the level of access they wish to give to the third-party application. Access levels, or scopes, can include:
- userinfo.email: provides only the user's email address
- plus.me: provides the user's Google+ profile information
- plus.login: extends the other scopes by allowing access to circles and the ability to write activities to the user's Google+ activity stream
This access orchestration is a combination of authentication and authorization which follows the OpenID Connect draft standard, which is itself based on the recently ratified OAuth 2 protocol. Authentication is handled completely within Google's authentication system and does not involve the third-party application. OpenID Connect layers authentication over the OAuth authorization protocol, effectively authenticating the user to the third-party application by granting access to the user's Google+ profile. Nat Sakimura, Chair of the OpenID Foundation and a co-author of OpenID Connect, provides a good description of the difference between OpenID, OAuth and OpenID Connect, and of how applications use services like Google+ Sign-In to verify the identity of a user requesting access.
Users can review their application authorizations using their App settings page where they may revoke access or change their sharing settings.
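The point in the flow where a third-party application turns "I hold a token for this user's Google+ profile" into "this user is signed in to my application" is the check that the identity token was actually issued for that application. The following is an added example, not code from Google or from this article; it assumes the token's signature has already been verified and that the decoded claims, the client id and the timestamps are constructed sample values.

```python
"""Claim checks a relying party applies to a Google+ Sign-In identity token
before logging the user in.  Added example; assumes the signature was already
verified and the decoded claims are available as a dict."""
import time

# Issuer values Google uses for its identity tokens.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
# Prefix of the Google+ scopes listed above (plus.login, plus.me, userinfo.email).
SCOPE_PREFIX = "https://www.googleapis.com/auth/"

def verify_identity_claims(claims, expected_client_id, now=None):
    """Return the stable Google user id ("sub") if the claims are acceptable,
    otherwise raise ValueError.  A token minted for a different application
    must not log a user in here, so the audience check is the essential one."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if isinstance(aud, list):            # OpenID Connect allows a list of audiences
        aud = aud[0] if len(aud) == 1 else None
    if aud != expected_client_id:
        raise ValueError("token not issued for this application")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    sub = claims.get("sub")
    if not sub:
        raise ValueError("token carries no subject")
    return sub

def granted_scopes(scope_string):
    """Split the space-separated scope string returned with the token and strip
    the Google prefix so the short names used in the article can be compared."""
    return {s[len(SCOPE_PREFIX):] if s.startswith(SCOPE_PREFIX) else s
            for s in scope_string.split()}

def can_write_moments(scope_string):
    """Only plus.login allows writing to the user's activity stream."""
    return "plus.login" in granted_scopes(scope_string)

# Constructed sample values (hypothetical client id, subject and times).
SAMPLE_CLIENT_ID = "123456789-example.apps.googleusercontent.com"
SAMPLE_CLAIMS = {"iss": "accounts.google.com", "aud": SAMPLE_CLIENT_ID,
                 "sub": "1234567890", "exp": 1700000000}

if __name__ == "__main__":
    print(verify_identity_claims(SAMPLE_CLAIMS, SAMPLE_CLIENT_ID, now=1699999000))
```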
The third-party application may now use its access token to manage in-application activities within the Google+ API. Google refers to these activities as "Moments" and the Google+ API provides a simple CRUD interface to insert, list and delete moments. Moments come in different flavours, called ActivityTypes. All activities have a name, description and thumbnail, plus an itemtype which is the subject of the activity. Itemtype must be a sub-type of a schema.org "Thing", for example a Book, Place or Person. In addition, items must have a URL reference to an HTML page containing schema.org markup for the relevant item. In this way, Google+ integration encourages the development of a "semantic web" of structured markup which is also useful to search engines. The list of activities is quite comprehensive:
- AddActivity: is a generic activity with itemtype, name, description and thumbnail.
- BuyActivity: represents the purchase of an item.
- CheckinActivity: represents a user checking in at a place and carries additional attributes for address and geolocation.
- CommentActivity: is appropriate when a user comments on a blog post, book or other creative work.
- CreateActivity: for when a user creates a creative work.
- DiscoverActivity: for when a user discovers a creative work.
- ListenActivity: represents a user listening to a musical recording and provides additional attributes for song, album and artist metadata.
- ReserveActivity: signifies the user making a reservation at a local business such as a restaurant or hotel.
- ReviewActivity: is a review of an item along with rating information.
- WantActivity: indicates that a user wants an item, for example if they add the item to a wishlist in the application.
The representation and dissemination of these moments into Google+ activity streams is all handled by Google+ based on the user's authorization settings.
This brief review only scratches the surface of the new Google+ features launched with Sign-In, but provides an interesting example of new authentication and authorization standards as well as the extension of semantic markup into social activity streams.