Cross-Platform SSO technology

May 15, 2013


By Tim Bray, Google Identity Team

During the Android portion of the Google I/O keynote, we showed Cross-Platform Single Sign-On; the effect was that for Wallet and Google+ users, signing in to a Web browser resulted in automatic download of, and sign-in to, an Android app.

To support this, we have introduced general-purpose API tools which allow developers to achieve cross-client authentication and authorization, in particular between Android and Web apps.

Not having to sign in repeatedly feels so natural for users that they don’t even notice it. But as more and more apps deploy this sort of magic, you don’t want to be the hold-out that’s pestering users for passwords on Web sites or, worse, on tiny mobile-device keyboards.

On the Android side, client libraries like PlusClient, GamesClient, and WalletClient have “connect” methods that take care of this as automatically as possible; they check whether any of the accounts on the phone have already been authorized for access to the service in question, conduct sign-in if necessary but avoid it if possible, and when they return to your code, everything’s all set up.

If you’re writing server-side code and using libraries like Google+ Sign-In, once again, all the right things happen automatically; when you start accessing the service, the software imposes the minimum necessary pain on the user, ideally zero, and lets you get to work.

Of course, some people want less automation, and finer control over how things work. If you want to access our services at the HTTP level rather than via a library, or to deal with multiple accounts on an Android device in a customized way, you can do these things and in most cases still deliver the no-sign-in magic.

Doing so involves working with HTTP message flows, validating tokens, and securing shared secrets. This may sound intimidating, but it will be straightforward for anyone well-versed in HTTP-level Web programming. If you’re one of those, check out the low-level protocols and APIs that support this, in “Cross-Client Identity”.

The time is now to start moving your apps towards a sign-in-free future.


Tim says: By day, I help in the struggle against passwords on the Internet.
The rest of my life is fully documented on my blog.


Posted by Scott Knaster, Editor