Identifying the User

Published on

This page tells you how to get the Google Account identity of a user, using Google's OpenID endpoint. You need this identity if you support Chrome Web Store Payments, because payment information is tied to the user's Google Account.

Even if you don't use Chrome Web Store Payments, consider using Google Accounts if your app needs a login system. Google Accounts can help you provide a better user experience, since users of the Chrome Web Store are likely to be logged in already, and they won't have to set up and remember yet another username and password.

When to support Google Accounts #

The following table summarizes when you should support Google Account logins using OpenID.

App costPayment plan/systemSupport for Google Accounts (using OpenID)
PaidChrome Web Store Payment SystemRequired
The Licensing API relies on Google Account user IDs.
PaidCustom payment solutionRecommended
Users from the Chrome Web Store will have a better experience if you support the Google Account that they're already logged into.
FreeYou might charge for the app in the futureRecommended
Supporting Google Accounts might make adding payments simpler.
FreeNo plans to charge for the app in the futureOptional
If you want to identify individual users, Google Accounts are a reasonable way to do so.

How to use OpenID with Google Accounts #

To get the user's OpenID URL, you query Google's OpenID service. If the user isn't already logged in, the user will be prompted to sign in with a Google-provided login page or popup.

Note: The OpenID URL is unique for a specific Google Account and a specific app. If you publish multiple apps, the same user will have a different OpenID URL for each app.

Here's what the login page looks like. Note that it has a Google URL, not a URL from the app's site:

The Google login page.

If you're writing a hosted app with Google App Engine, supporting Google Accounts is easy. You just use the default Google Accounts API authentication and the Users service. For details, see the user authentication docs (for Java or Python). Here's an example (taken from the Licensing API tutorial's HelloLicenseServlet.java file) of the code you use to get the current user's OpenID URL if you're implementing a Java app with Google App Engine:

UserService userService = UserServiceFactory.getUserService();

if (userService.isUserLoggedIn()) {
User user = userService.getCurrentUser();
/* ...Do something with user.getFederatedIdentity(), which is the OpenID URL. */
}

If you aren't using Google App Engine, you can get the Google OpenID endpoint by sending a request to https://www.google.com/accounts/o8/id. See Federated Login for Google Account Users for details.

How to skip the OpenID approval screen #

the Google Accounts approval page

Normally, the first time your app uses the Google OpenID endpoint to authenticate a particular user, the user must approve your access to their account. To the right, you can see a typical OpenID approval screen.

Your users will have a better experience if they never see the approval screen. The screen is skipped if both of the following are true:

  • Your app requests only the OpenID URL. If your app requests something else—the user's email address, for example—the approval screen is shown.
  • You specify your app's OpenID realm in the Edit page.

Here's how to specify your OpenID realm:

  1. In the Chrome Developer Dashboard, go to the Edit page for your app.
  2. In the OpenID section, select the checkbox.
  3. In the text field that appears, enter the realm that your app will use to query Google's OpenID service.
    This must be exactly the same as the value of the openid.realm field in your authentication requests.
  4. Save your changes.
    They'll take effect the next time you publish your app.

If your app's code doesn't specify the value of the openid.realm parameter, look at your OpenID library to see how it sets that value. For details on how openid.realm is used, see Request parameters in the Google OpenID documentation.

OpenID resources #

You should use an existing OpenID library rather than implement your own. In addition to Google App Engine's Users service, you can find OpenID libraries in a number of languages. Here are a few libraries we've used:

You can find more libraries at Janrain's OpenID Enabled, and a full list at the OpenID Foundation.

The following pages have detailed explanations of how to use OpenID with Google Accounts:

What next? #

If you're using the Licensing API, your next stop is Checking for Payment. Otherwise, go on to Supplying Images.

We serve cookies on this site to analyze traffic, remember your preferences, and optimize your experience.