My thoughts on Google+ Sign-In

Before continuing, I want to remind you, dear reader, that this blog represents my personal opinions and is not the official word from Google. With that out of the way, let’s talk about Google+ Sign-In.

“Any sufficiently advanced technology is indistinguishable from magic.” – Arthur C. Clarke

This has on many occasions been considered the yardstick for the significance of new high-tech product releases. In only some of the releases I have been involved in have I been in awe of product features, technical marvels, and engineering excellence. I feel that some aspects of the Google+ Sign-In launch really stand out as “magical” and I’ll tell you why.

Over-the-air installs

Over-the-air installs let people install your app as part of their sign up process. Here is how it works:

  1. Visit a web site.
  2. Sign in with Google.
  3. After completion of the sign-in process, you will see a screen like the following:

    [Image: Play installs dialog]

  4. Select a device and click install. The next time you use that device, it will have the app associated with the web site.

The integration and installation of apps on your mobile device, without ever having to dig through the app store, is surprisingly natural. The first time I saw the feature work, my jaw dropped and I thought to myself, this is a game-changer. I feel this way because it so smoothly ties together the experiences between the web and mobile.  You gotta try this: go to one of our launch partner sites and sign up; at the end of the sign up flow, add the app to your device (of choice!) using the over-the-air install feature. It’s awesome.

This is the kind of feature that is only possible when you see the cooperation between well-designed products. This would not have been possible were it not for the presence of both Google+ and Android. It goes without saying that the Android team did some great work to enable this feature. The magic behind this feature is driven through the data-apppackagename attribute that is passed to the sign-in button as shown in the following code:

<span id="signinButton">
  <span
    class="g-signin"
    data-callback="signinCallback"
    data-clientid="CLIENT_ID"
    data-cookiepolicy="single_host_origin"
    data-apppackagename="com.google.android.gms.samples..."
    data-requestvisibleactions="http://schemas.google.com/AddActivity"
    data-scope="https://www.googleapis.com/auth/plus.login">
  </span>
</span>

Because you are passing the package name to the button itself, the button knows to render the Play store’s web install experience when the sign-in flow completes.

Interactive Posts

Interactive posts are a new way of sharing to the Google+ stream and are groundbreaking in that they will let you perform actions on your apps and sites outside of the Google+ stream. In the Photohunt demo, there is a showcase integrating voting features with the Google+ stream.

The following image shows the promote photo functionality of Photohunt:

[Image: Photohunt promote photo dialog]

Next, see how the interactive post appears in the stream:

[Image: interactive post in the Google+ stream]

Or, on a mobile device:

[Image: interactive post on a mobile device]

Across all of these shared experiences, the functionality of Google+ is extended beyond the stream. Clicking the “Vote” button does something on the Photohunt app directly from Google+. I think that being able to deliver experiences like this from the Google+ stream will open up tons of new possibilities for developers and also let people build on top of Google+ in ways that they haven’t before. While it was being developed, I had the chance to play with the Photohunt demo along with Google+ team members and I couldn’t help but dream of the possibilities that this feature creates. Lighting up this functionality is easy because the Google+ API handles all of the heavy lifting. The following code shows how an interactive post for inviting new users is rendered in Photohunt:

var options = {
  'clientid': Conf.clientId,
  'contenturl': Conf.rootUrl + '/invite.html',
  'contentdeeplinkid': '/',
  'prefilltext': 'Join the hunt, upload and vote for photos of ' +
      $scope.selectedTheme.displayName + '. #photohunt',
  'calltoactionlabel': 'Join',
  'calltoactionurl': Conf.rootUrl,
  'calltoactiondeeplinkid': '/',
  'requestvisibleactions': Conf.requestvisibleactions,
  'scope': Conf.scopes,
  'cookiepolicy': Conf.cookiepolicy
};

gapi.interactivepost.render('invite', options);

The various links within the interactive post configuration options can be configured to match target actions within mobile or web apps. This way, the user can be directed right into a specific place in your application or site to take specific actions.

Additional scope integration

Google has a lot of products. Developers everywhere are able to use these products as though they were part of their own apps and products. Until this release, there were a number of challenges getting things going easily. Now, you just add another scope to the requested scopes on your sign-in button markup and you have access to any Google API.

This is a powerful shift. I anticipate that more developers will be able to turn on exciting feature integrations because sign-in is so much easier now. The additional scopes are enabled by requesting a space-separated list in the sign-in button markup. The following example shows configuration for the sign-in button that accesses the plus.login and calendar scopes. By requesting both of these scopes, you can get API access to both Google products.

<span id="signinButton">
  <span
    class="g-signin"
    data-callback="signinCallback"
    data-clientid="CLIENT_ID"
    data-cookiepolicy="single_host_origin"
    data-apppackagename="com.google.android.gms.samples..."
    data-requestvisibleactions="http://schemas.google.com/AddActivity"
    data-scope="https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/calendar.readonly">
  </span>
</span>
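
The scope list is where least privilege is decided: every scope added to data-scope widens what a granted token can reach. The check below is an added example, not code from the original post or from Google; the NEEDED_SCOPES allowlist, the function names and the two sample markup strings are assumptions constructed for illustration.

```javascript
// Added example: lint a sign-in button's data-scope list for least privilege.
// NEEDED_SCOPES and the sample markup are constructed for illustration.
const NEEDED_SCOPES = [
  'https://www.googleapis.com/auth/plus.login',
  'https://www.googleapis.com/auth/calendar.readonly'
];

// Pull the data-scope attribute value out of button markup ('' if absent).
function extractScopeAttr(markup) {
  const match = /\bdata-scope\s*=\s*"([^"]*)"/.exec(markup);
  return match ? match[1] : '';
}

// Compare the space-separated requested scopes with what the app needs.
function auditScopes(scopeAttr, needed) {
  const requested = [...new Set(scopeAttr.split(/\s+/).filter(Boolean))];
  const report = { requested, broader: [], unexpected: [], missing: [] };
  for (const scope of requested) {
    if (needed.includes(scope)) continue;
    // Full-access scope requested where only its .readonly form is needed.
    if (needed.includes(scope + '.readonly')) report.broader.push(scope);
    else report.unexpected.push(scope);
  }
  // A needed scope counts as missing only if neither it nor its
  // broader parent was requested.
  report.missing = needed.filter(function (scope) {
    const parent = scope.replace(/\.readonly$/, '');
    return !requested.includes(scope) && !requested.includes(parent);
  });
  report.ok = report.broader.length + report.unexpected.length +
      report.missing.length === 0;
  return report;
}

// Constructed sample 1: the scope list from the markup above.
const pageMarkup = '<span class="g-signin" data-clientid="CLIENT_ID" ' +
    'data-scope="https://www.googleapis.com/auth/plus.login ' +
    'https://www.googleapis.com/auth/calendar.readonly"></span>';

// Constructed sample 2: full calendar access plus an unrelated Drive scope.
const wideMarkup = '<span class="g-signin" data-clientid="CLIENT_ID" ' +
    'data-scope="https://www.googleapis.com/auth/plus.login ' +
    'https://www.googleapis.com/auth/calendar ' +
    'https://www.googleapis.com/auth/drive"></span>';

console.log(auditScopes(extractScopeAttr(pageMarkup), NEEDED_SCOPES));
console.log(auditScopes(extractScopeAttr(wideMarkup), NEEDED_SCOPES));
```

Run as a pre-deploy check over the page templates, a report with ok set to false marks markup that asks the user for more access than the app uses.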

So long as your client is correctly configured, you could then perform API requests to either endpoint using the available client libraries. The following code shows making calls to both APIs in JavaScript after the sign-in callback is reached:

// Load the Google+ API client
gapi.client.load('plus','v1');

// Make a Google+ API call
var payload = {
  "target": {
    "id" : "replacewithuniqueidforaddtarget",
    "image" : "http:\/\/www.google.com\/s2\/static\/images\/GoogleyEyes.png",
    "type" : "http:\/\/schema.org\/CreativeWork",
    "description" : "The description for the activity",
    "name":"An example of AddActivity"
  },
  "type":"http:\/\/schemas.google.com\/AddActivity",
  "startDate": "2012-10-31T23:59:59.999Z"
};
var args = {
  'path': '/plus/v1/people/me/moments/vault',
  'method': 'POST',
  'body': JSON.stringify(payload),
  'callback': function(response) {
    console.log(response);
  }
};

gapi.client.request(args);

// Load the Calendar API client (the Calendar API version is v3). Loading is
// asynchronous, so make the call from the load callback, once
// gapi.client.calendar exists.
gapi.client.load('calendar', 'v3', function() {
  // Make an API call to the calendar API
  gapi.client.calendar.calendarList.list().execute(function(list) {
    console.log(list);
  });
});

This capability didn’t happen overnight. Google has been working for years on creating a consistent way of accessing the functionality of their products and without all of this legwork it would be impossible. Establishing OAuth standards, creating, hosting, and improving API endpoints, and pioneering our discovery API have all contributed to unifying how functionality is exposed from products.

Secure identity

By using Google’s identity solution, you get the benefit of all of the security work that Google has done: real identity, two-factor authentication, and mobile security coupled with shared public profile information that is controlled by you. There is no reason for you to need to maintain multiple profiles for all of the sites you use, so it’s extremely convenient to only have to maintain one canonical source of who you are. The idea that you can just create and maintain one account and will only once need to configure your identity online is a big deal.

That said, you want this source to be as secure as possible; it’s important to have checks and balances in place for ensuring your account is safe. First, you should be able to control which parts of your identity are available to which applications and also be able to manage this easily. Next, you should be confident that only you have access to your account.

Google has already made great strides in this area by pioneering free and publicly available two-factor authentication and now the Google settings app. Two-factor authentication, sometimes referred to as “something you know and something you have,” is an easy way to secure your account and has been available for Google products since 2011. The Google settings app, which launched with Google+ Sign-In, lets you manage your connected apps from one convenient place so you never have to worry about having stray accounts that still have access to your data.

Closing Thoughts

What Google+ Sign-In brings is the culmination of many Google efforts: the discovery API, Android and web integration, and a powerful identity story. Although all of the features are not necessarily flashy (although I think OTA install and interactive posts fall in this category), they are in many ways indistinguishable from magic and will make new experiences possible through Google services. I expect not only that many sites will adopt Google+ Sign-In as a result of this feature bundle but also that there will be an expansion in the number of things that third-party developers are doing with Google all up.

I can’t wait to see what the developer community creates with the new platform features!