tsengketurn wrote
on February 10th, 2006 at 11:26 am
Previous Entry Share Next Entry

X-GOOGLE-TOKEN and why it doesn't matter as much as I first thought

Last week, dJOEk posted an article titled The Mysteries of X-GOOGLE-TOKEN and why it matters. He writes, "This is basically the foundation of a Single Sign-On (SSO) solution by Google!"

Well, that's a pretty exciting statement. He outlined a way of having a service use Google for authentication without giving your password to a third party. That's a requirement for an authentication scheme which some sites currently violate. (As he says, "Danger, Will Robinson!") So this sounds pretty cool. I bookmarked it, as did a lot of other people, and it got more attention when Phil Windley linked to it, saying "With no fanfare at all, Google has created a universal login for anyone who wants to use it."

Well, no, they haven't quite. This isn't really emphasized until you get down into the comments on dJOEk's post, but that token that you're authenticating to the third party with -- the thing you're giving them instead of your google password -- allows them to log in to Google Talk. This may not be quite so bad as giving them your password, or maybe it is.

I'm writing this post as means of apology for initially labelling my bookmark "Authenticate with your Google account without giving your password to a third party using the Google Token." No, don't do that, really. As dJOEk says, this is perhaps a foundation for a single sign-on service from Google, but it's not there yet. Never give your password to a third party, and you probably shouldn't give them an equivalent login token either.

For the time being, if you want a secure universal authentication service for web applications, OpenID is a better choice.

(Leave a comment)
Date:2006-02-11 01:24 pm (UTC)


hi acapnotic

thanks for clarifying this bit, maybe i wasn't quite as clear ion my original post.

How I see this being used is that google gives you a piece of copypaste JS code, like adsense or analytics, then it gives you a username and password box that sends your data to Google over HTTPS. As a result you as a webmaster would get the username and the token which you can use in your XMPP/Gtalk auth
If you get a correct authentication response, you declare the user in that session logged in.

there are a lot of possibilities here: google users are user@server.com/resource where resource is the service you used, say, the name of some blog: acapnotic@gmail.com/dystopics would mean that you are logged in to my blog. you'd receive IMs if someone replies to your comment, of for example on forums, you get one if you get a reply to your thread.

I'm just going off on a wild rant here as nothing is actually there now, but i'm sure this is well within reach.

(Reply) (Thread)
Date:2009-10-06 09:08 pm (UTC)


why is OpenID a better choice? ain't it the same idea ? If I give my OpenID token, people have access to anything my OpenID can open.

(Reply) (Thread)
Date:2009-10-08 09:33 pm (UTC)

Re: why?


If you log in to my site -- e.g. FreePinkCupcakes.example.com -- with your OpenID frank.livejournal.com, the only thing you're giving to FreePinkCupcakes is the information that you are logged in with that name. (Plus, if you choose, maybe a few extra tidbits like your preferred username and email address.) There's nothing in that message that lets FreePinkCupcakes go in and post livejournal blog entries in your account, or access your chat contacts, or anything else.

I think "If I give my OpenID token, people have access to anything my OpenID can open." is a very misleading statement. But you're an anonymous commenter who's just turned up on a three-and-a-half year old blog post, so I'm not really sure how to follow up on that.

(Reply) (Parent) (Thread)

(Leave a comment)