This has been live on our servers for a while, but is now announced and open for general use. Here’s the short version: If you have an Android app and a web-server back-end, you can authenticate the person using the app to your back-end securely, efficiently, and with no prompts or passwords.
I’m pretty happy with this, and think that app developers who can use this should. Because your server really has to know who it’s talking to, but there are few things less friendly to a person using a mobile device than making them type passwords.
The long version is a multi-step recipe, but nothing about it is actually difficult. I’m not going to revisit the recipe, but here are a few sidelights worth noting.
OAuth and OpenID · This is based on the OAuth 2 code that’s already built into our back end and Google Play services. Which I think highlights what OAuth 2 really is: Not a real Internet protocol like HTTP or SMTP, but a framework that you can use to build useful pieces of authentication and authorization machinery.
The technique is based on using an ID Token, a notion that actually comes out of OpenID Connect. So thanks to those people for cooking up this useful thing. We probably can’t claim that this is OpenID Connect-compliant, because, well, OIDC isn’t finished yet. But it probably will be eventually.
Limitations · This isn’t for 100% of everybody. It won’t work for you if:
You don’t want to use any of the Google accounts on the device, or
You’re on a device that doesn’t have Google Play or is running a version of Android older than 2.2 (Froyo).
Lots of developers want to support really old devices and also things like Kindles and Nooks. I suspect that the user experience in doing identity this way is superior enough that those people should probably implement this anyhow for the people that can use it, and fall back to old-fashioned passwords or whatever for the rest.
Account Selection Tricks · Every piece of code I’ve seen that talks about using Google identities on Android begins with a callout via the AccountPicker class to show a list of the accounts on the device and ask the person holding it to pick one.
But I think that can often be dodged. To start with, lots of devices have just one account; in which case you can just use it. Another option, if there’s more than one, is to (don’t laugh) just pick the first one and run with that. I do that in my LifeSaver application and nobody’s complained yet.
And if you must make them pick an account, remember it in a SharedPreferences or something for next time, so it’s a one-time tax.
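As an added example (not code from this post or from Google), here is one way to put the account-selection logic above together on Android: reuse a remembered account only if it is still on the device, take a lone account silently, and fall back to AccountPicker otherwise. It assumes Google Play services’ AccountPicker, the GET_ACCOUNTS permission on older Android versions, and hypothetical preference names.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.app.Activity;
import android.content.Intent;
import android.content.SharedPreferences;
import com.google.android.gms.common.AccountPicker;

public class AccountChooser {
    static final String PREFS = "auth";              // hypothetical preferences file name
    static final String KEY_ACCOUNT = "accountName"; // hypothetical preference key
    static final int REQUEST_PICK_ACCOUNT = 1001;    // arbitrary request code
    static final String GOOGLE_TYPE = "com.google";

    /** Returns the account name to use, or null if there is none yet (no Google
     *  account at all, or the picker had to be launched; see onAccountPicked). */
    public static String chooseAccount(Activity activity) {
        Account[] accounts = AccountManager.get(activity).getAccountsByType(GOOGLE_TYPE);
        if (accounts.length == 0) {
            return null; // no Google account: caller must fall back to passwords etc.
        }
        SharedPreferences prefs = activity.getSharedPreferences(PREFS, Activity.MODE_PRIVATE);
        String remembered = prefs.getString(KEY_ACCOUNT, null);
        // Trust the remembered choice only if that account is still on the device;
        // accounts get removed, and we must not silently switch to another identity.
        if (remembered != null) {
            for (Account a : accounts) {
                if (a.name.equals(remembered)) return remembered;
            }
            prefs.edit().remove(KEY_ACCOUNT).commit();
        }
        if (accounts.length == 1) {
            remember(prefs, accounts[0].name); // the one-account case: no prompt needed
            return accounts[0].name;
        }
        // Several accounts and nothing remembered: pay the one-time tax of asking.
        Intent pick = AccountPicker.newChooseAccountIntent(null, null,
                new String[] {GOOGLE_TYPE}, false, null, null, null, null);
        activity.startActivityForResult(pick, REQUEST_PICK_ACCOUNT);
        return null;
    }

    /** Call from onActivityResult for REQUEST_PICK_ACCOUNT; stores and returns the choice. */
    public static String onAccountPicked(Activity activity, int resultCode, Intent data) {
        if (resultCode != Activity.RESULT_OK || data == null) return null;
        String name = data.getStringExtra(AccountManager.KEY_ACCOUNT_NAME);
        if (name != null) {
            remember(activity.getSharedPreferences(PREFS, Activity.MODE_PRIVATE), name);
        }
        return name;
    }

    private static void remember(SharedPreferences prefs, String name) {
        prefs.edit().putString(KEY_ACCOUNT, name).commit(); // commit() works back to Froyo
    }
}
```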