Authentication and Authorization for Google Marketplace Apps

Google Apps Marketplace Authentication and Authorization Overview

Upload: saqib-ali

Post on 25-May-2015


TRANSCRIPT

Page 1: Authentication and Authorization for Google Marketplace Apps

Google Apps Marketplace Authentication and Authorization Overview

Page 2: Authentication and Authorization for Google Marketplace Apps

Authentication for Marketplace Apps

OpenID for SSO; or Google Account Password

Page 3: Authentication and Authorization for Google Marketplace Apps

OpenID

Distributed SSO for web-wide identity

Direct interaction between the OpenID Provider (i.e. Google) and the Relying Party (i.e. Marketplace Apps)

User-Centric

Uniform User Experience

The Identity Provider retains full control over the User Authentication Credentials

The Relying Party (Marketplace App) doesn’t have to worry about managing the user’s accounts

It is a skeleton key for a number of accounts you have on the web. – Chris Messina

Page 4: Authentication and Authorization for Google Marketplace Apps

Authentication with OpenID

Most Marketplace Apps support OpenID

This allows you to be the Identity Provider, if you choose to be (using SAML).

Google will be the OpenID Provider

If you currently utilize SAML-based authentication for Google Apps, you will be the Identity Provider

If you log in to Google Apps using your Google Password, Google will be the Identity Provider

Page 5: Authentication and Authorization for Google Marketplace Apps

Authenticating using the Google Password

Certain Marketplace Apps require the users to log in using their Google Password. These are mostly apps that get installed on the user’s desktop.

Issues:

The app may use an unsecure channel to transmit the credentials

The “remember me” may store the password unencrypted

The credentials may be used for unauthorized access

Recommended Approach:

Drive OAuth adoption for authorizing installed apps to access data residing in the Google Cloud

Page 6: Authentication and Authorization for Google Marketplace Apps

Authorization using OAuth

OAuth is an open protocol that allows an installed app to access end user information from a Google Account without requiring the user to enter their credentials into the app or storing the credentials on the device.

Google utilizes OAuth for granting 3rd party applications access to data residing in the user’s Google Account (e.g. GDocs, Gmail, GCal etc.)

OAuth provides for:

Delegated service authorization

Full user control over authorized services
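Added example (not part of the original slides and not Google's API): a minimal in-memory model of the two properties listed above, delegated authorization and user control over authorized services, in contrast to the password approach on the previous slide. The `AuthServer` class, its methods, the app names and the scope names are all hypothetical.

```python
import secrets

class AuthServer:
    """Hypothetical stand-in for the account provider; not Google's API."""

    def __init__(self):
        self._grants = {}   # token -> (user, app, frozenset of scopes)

    def authorize(self, user, app, scopes):
        # The user approves the request at the provider, so the app
        # receives only this token and never sees the password.
        token = secrets.token_urlsafe(32)
        self._grants[token] = (user, app, frozenset(scopes))
        return token

    def check(self, token, scope):
        # Resource servers call this before serving data.
        grant = self._grants.get(token)
        return grant is not None and scope in grant[2]

    def authorized_apps(self, user):
        # What the user sees on an "authorized services" page.
        return sorted({app for u, app, _ in self._grants.values() if u == user})

    def revoke(self, user, app):
        # The user withdraws one app's access; password and other apps untouched.
        doomed = [t for t, (u, a, _) in self._grants.items() if u == user and a == app]
        for t in doomed:
            del self._grants[t]
        return len(doomed)


def demo():
    server = AuthServer()
    # Constructed sample data: one user, two installed apps, made-up scopes.
    sync = server.authorize("alice", "desktop-sync", {"docs.read"})
    cal = server.authorize("alice", "calendar-widget", {"calendar.read"})
    results = {
        "sync_reads_docs": server.check(sync, "docs.read"),
        "sync_reads_mail": server.check(sync, "mail.read"),   # outside the grant
        "apps_before": server.authorized_apps("alice"),
    }
    server.revoke("alice", "desktop-sync")
    results["sync_after_revoke"] = server.check(sync, "docs.read")
    results["cal_after_revoke"] = server.check(cal, "calendar.read")
    results["apps_after"] = server.authorized_apps("alice")
    return results

if __name__ == "__main__":
    print(demo())
```

A stored password, by comparison, grants every scope at once and can only be withdrawn by changing it, which also cuts off every other app that holds it.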

Page 7: Authentication and Authorization for Google Marketplace Apps

Where do Marketplace Apps store the data?

Data Storage for Marketplace Apps

Google Cloud

User’s Google Account

e.g. ManyMoon

Google App Engine

e.g. GQueues

3rd Party Cloud

AWS

e.g. WatchDox stores DRMed document in AWS

Private Cloud

e.g. Kwaaga

Page 8: Authentication and Authorization for Google Marketplace Apps

[Diagram. Elements: User; OpenID Provider (Google); Google Marketplace Apps (Relying Party); Data Stored in Google Cloud; OpenID Identifier (URI/XRI); Installed Apps. Arrow labels: Authenticates; May Access; Relies On; To Access; Uses; To Authorize.]