on February 10th, 2006 at 11:26 am
X-GOOGLE-TOKEN and why it doesn't matter as much as I first thought
Last week, dJOEk posted an article titled The Mysteries of X-GOOGLE-TOKEN and why it matters. He writes, "This is basically the foundation of a Single Sign-On (SSO) solution by Google!"
Well, that's a pretty exciting statement. He outlined a way of having a service use Google for authentication without giving your password to a third party. Not handing your password to a third party is a basic requirement of any sound authentication scheme, and one that some sites currently violate. (As he says, "Danger, Will Robinson!") So this sounds pretty cool. I bookmarked it, as did a lot of other people, and it got more attention when Phil Windley linked to it, saying "With no fanfare at all, Google has created a universal login for anyone who wants to use it."
Well, no, they haven't quite. This isn't really emphasized until you get down into the comments on dJOEk's post, but the token that you're authenticating to the third party with -- the thing you're giving them instead of your Google password -- is itself enough to log in to Google Talk. This may not be quite so bad as giving them your password, or maybe it is.
I'm writing this post as a means of apology for initially labelling my bookmark "Authenticate with your Google account without giving your password to a third party using the Google Token." No, don't do that, really. As dJOEk says, this is perhaps a foundation for a single sign-on service from Google, but it's not there yet. Never give your password to a third party, and you probably shouldn't give them an equivalent login token either.
For the time being, if you want a secure universal authentication service for web applications, OpenID is a better choice.