Posted innews

https //www.google.com/device : Sign-In on TVs and Limited Input Devices

5

https //www.google.com/device : Sign-In on TVs and Limited Input Devices

You can let users sign in to your app with their Google accounts on devices at www.google.com/device with limited input capabilities, such as Internet-connected TVs.

The app displays a short code and sign-in URL to the user. Then, the user opens the sign-in URL in a web browser, enters the code, and grants the app permission to access the user’s sign-in information. Finally, the app receives confirmation and the user is signed in.

To use this sign-in flow, the app must run on a device that meets the following criteria:-

  • The device must be capable of displaying a 40-character URL and a 15-character user code, along with instructions to the user.
  • The device must be connected to the Internet.

Your app needs an OAuth 2.0 client ID and client secret to make requests to Google’s sign-in endpoints.

To find your project’s client ID and client secret, do the following:

  1. Select an existing OAuth 2.0 credentialย or open theย Credentials page.
  2. If you haven’t done so already, create your project’s OAuth 2.0 credentials by clickingย Create credentials > OAuth client ID, and providing the information needed to create the credentials.
  3. Look for theย Client IDย in theย OAuth 2.0 client IDs section. For details, click the client ID.

If you are creating a new client ID, select theย TVs and Limited Input devices application type

Once a user requests to sign in using a Google Account, you obtain a user code and verification URL by sending an HTTP POST request to the OAuth 2.0 device endpoint,ย https://oauth2.googleapis.com/device/code. Include your client ID and a list of the scopes you need with the request. If you only want to sign in users with their Google accounts, request only theย profileย andย emailย scopes; or, if you want to request permission to call aย supported APIย on behalf of users, request the required scopes in addition to theย profileย andย emailย scopes.

The following is an example request for a user code:

POST /device/code HTTP/1.1
Host: oauth2.googleapis.com
Content-Type: application/x-www-form-urlencoded

client_id=CLIENT_ID&scope=email%20profile

Usingย curl:

curl -d "client_id=CLIENT_ID&scope=email profile" https://oauth2.googleapis.com/device/code

The response is returned as a JSON object:

{
ย  "device_code" : "4/4-GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8",
ย  "user_code" : "GQVQ-JKEC",
ย  "verification_url" : "https://www.google.com/device",
ย  "expires_in" : 1800,
ย  "interval" : 5
}

Your app displays theย user_codeย andย verification_urlย values to the user, and, at the same time, polls the sign-in endpoint at the specifiedย intervalย until either the user signs in or the time specified byย expires_inย has passed.

After you receive a user code and verification URL from the device endpoint, display them and instruct the user to open the URL and enter the user code.

The values ofย verification_urlย andย user_codeย are subject to change. Design your UI in a way that can handle the following limits:

  • user_codeย must be displayed in a field wide enough to handle 15ย W-sized characters.
  • verification_urlย must be displayed in a field wide enough to handle a URL string that is 40 characters long.

Both strings can contain any printable character from the US-ASCII character set.

When you display theย user_codeย string, don’t modify the string in any way (such as changing the case or inserting other formatting characters), because your app might break if the format of the code changes in the future.

You can modify theย verification_urlย string by stripping off the scheme from the URL for display purposes if you choose. If you do, be sure your app can handle both “http” and “https” variants. Don’t otherwise modify theย verification_urlย string.

When the user navigates to the verification URL, they see a page similar to the following:

Connect a device by entering a code

After the user enters the user code, the Google sign-in site presents a consent screen similar to the following:

If the user clicksย Allow, then your app can obtain an ID token to identify the user, an access token to call Google APIs, and a refresh token to acquire new tokens.

After your app displays the user code and verification URL, begin polling the token endpoint (https://oauth2.googleapis.com/token) with the device code that you received from the device endpoint. Poll the token endpoint at the interval, in seconds, specified by theย intervalย value.

The following is an example request:

POST /token HTTP/1.1
Host: oauth2.googleapis.com
Content-Type: application/x-www-form-urlencoded

client_id=CLIENT_ID&client_secret=CLIENT_SECRET&code=DEVICE_CODE&grant_type=http://oauth.net/grant_type/device/1.0

Usingย curl:

curl -d "client_id=CLIENT_ID&client_secret=CLIENT_SECRET&code=DEVICE_CODE&grant_type=http://oauth.net/grant_type/device/1.0" https://oauth2.googleapis.com/token

If the user has not yet approved the request, the response is as follows:

{
ย  "error" : "authorization_pending"
}

Your app should repeat these requests at a rate that does not exceed the value ofย interval. If your app polls too quickly, the response is as follows:

{
ย  "error" : "slow_down"
}

Once the user signs in and grants your app access to the scopes you requested, the response to your app’s next request includes an ID token, an access token, and a refresh token:

{
ย  "access_token" : "ya29.AHES6ZSuY8f6WFLswSv0HZLP2J4cCvFSj-8GiZM0Pr6cgXU",
ย  "token_type" : "Bearer",
ย  "expires_in" : 3600,
ย  "refresh_token" : "1/551G1yXUqgkDGnkfFk6ZbjMMMDIMxo3JFc8lY8CAR-Q",
ย  "id_token": "eyJhbGciOiJSUzI..."
}

Upon receipt of this response, your app can decode the ID token to get basic profile information about the signed-in user, or send the ID token to your app’s backend server to securely authenticate with the server. Also, your app can use the access token to call the Google APIs that the user authorized

ID and access tokens have limited lifetimes. To keep the user signed in beyond the tokens’ lifetimes, store the refresh token and use it to request new tokens

You can get profile information about the signed-in user by decoding the ID token with anyย JWT-decoding library. For example, using the Auth0ย jwt-decodeย JavaScript library:

var user_profile = jwt_decode(id_token);

// The "sub" field is available on all ID tokens. This value is unique for each
// Google account and can be used to identify the user. (But do not send this
// value to your server; instead, send the whole ID token so its authenticity
// can be verified.)
var user_id = user_profile["sub"];

// These values are available when you request the "profile" and "email" scopes.
var user_email = user_profile["email"];
var email_verified = user_profile["email_verified"];
var user_name = user_profile["name"];
var user_photo_url = user_profile["picture"];
var user_given_name = user_profile["given_name"];
var user_family_name = user_profile["family_name"];
var user_locale = user_profile["locale"];

5 Comments

No comments yet. Why don’t you start the discussion?

Comments are closed