Google Apps Marketplace: Authentication and Authorization Overview
Authentication for Marketplace Apps
OpenID for SSO; or Google Account Password
OpenID: Distributed SSO for web-wide identity
Direct interaction between the OpenID Provider (i.e. Google) and the Relying Party (i.e. Marketplace Apps)
User-Centric
Uniform User Experience
The Identity Provider retains full control over the User Authentication Credentials
The Relying Party (Marketplace App) doesn’t have to worry about managing the user’s accounts
It is a skeleton key for a number of accounts you have on the web. – Chris Messina
Authentication with OpenID
Most Marketplace Apps support OpenID.
Google will be the OpenID Provider. This allows you to be the Identity Provider, if you choose to be (using SAML):
If you currently use SAML-based authentication for Google Apps, you will be the Identity Provider.
If you log into Google Apps using your Google password, Google will be the Identity Provider.
Authenticating using the Google Password
Certain Marketplace Apps require users to log in using their Google password. These are mostly apps that get installed on the user’s desktop.
Issues:
The app may use an insecure channel to transmit the credentials.
The “remember me” feature may store the password unencrypted.
The credentials may be used for unauthorized access.
Recommended approach: Drive OAuth adoption for authorizing installed apps to access data residing in the Google Cloud.
Authorization using OAuth
OAuth is an open protocol that allows an installed app to access end user information from a Google Account without requiring the user to enter their credentials into the app or store the credentials on the device.
Google utilizes OAuth for granting 3rd party applications access to data residing in the user’s Google Account (e.g. GDocs, Gmail, GCal etc.).
OAuth provides for:
Delegated service authorization
Full user control over authorized services
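As an added example (not part of the deck), the Python below shows the mechanism the deck recommends: an installed app signs an API request with a consumer secret and a per-user token secret obtained through OAuth, so the user’s Google password is never typed into the app or stored on the device, and the resource server can reject a request whose secrets or parameters do not match. It assumes OAuth 1.0a HMAC-SHA1 signing (taken here to be the OAuth version in use when this deck was written); all keys, secrets and the feed URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value) -> str:
    # RFC 5849 percent-encoding: quote() never touches alphanumerics or "-._~"
    return quote(str(value), safe="")

def base_string(method: str, url: str, params: dict) -> str:
    # Encode each key/value, sort by encoded key then value, join, then encode again
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret) -> str:
    # Signing key is consumer secret + the user's token secret; neither is the user's password
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(method, url, params, consumer_secret, token_secret) -> bool:
    # Resource server side: recompute over everything except the signature itself (a real server also checks nonce/timestamp freshness)
    received = params.get("oauth_signature")
    if received is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(received, expected)

# Constructed sample values (placeholders, not real Google credentials)
CONSUMER_KEY, CONSUMER_SECRET = "example-app.example.com", "consumer-secret-placeholder"
TOKEN, TOKEN_SECRET = "user-access-token-placeholder", "token-secret-placeholder"
URL = "https://docs.example.com/feeds/default/private/full"  # stands in for a GDocs feed URL

def signed_request(extra_params=None, token_secret=TOKEN_SECRET) -> dict:
    # What the installed app sends: OAuth parameters plus the API query, then the signature
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": TOKEN,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1277000000",
              "oauth_nonce": "4f2e9c1a", "oauth_version": "1.0", **(extra_params or {})}
    params["oauth_signature"] = sign("GET", URL, params, CONSUMER_SECRET, token_secret)
    return params

if __name__ == "__main__":
    request = signed_request({"max-results": "10"})
    print("valid:", verify("GET", URL, request, CONSUMER_SECRET, TOKEN_SECRET))
    request["max-results"] = "1000"  # tampered in transit: signature no longer matches
    print("tampered:", verify("GET", URL, request, CONSUMER_SECRET, TOKEN_SECRET))
```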
Where do Marketplace Apps store the data?
Data Storage for Marketplace Apps
    Google Cloud
        User’s Google Account (e.g. ManyMoon)
        Google App Engine (e.g. GQueues)
    3rd Party Cloud
        AWS (e.g. WatchDox stores DRMed documents in AWS)
    Private Cloud (e.g. Kwaaga)
[Diagram: the user authenticates with the OpenID Provider (Google); Google Marketplace Apps (Relying Party) rely on the OpenID Identifier (URI/XRI) and may access Data Stored in Google Cloud; the user authorizes Installed Apps to access the same data.]