(photo by jimmyroq)

For the past couple of weeks, I've used some of my time to write code that adds support for Federated Login for Google Account users to an Elgg instance. This project's requirements don't end with an implementation of Single Sign-On (SSO); it also needs access to some of the user's Google Apps data. Because of this, I decided to use Google's OpenID+OAuth Hybrid protocol, which is a good fit for the requirements.

The first thing I did was to register the domain of the application I'm writing with Google. You can read instructions on how to do this here. With the domain validated, the next step was to write the interface to Google's OpenID+OAuth Hybrid protocol. The goal is to have SSO working, with the capability to automatically create users on the Elgg side and map them to the proper Google account, and to be able to request access to Google services.

I searched Elgg's plugins page to see whether anyone had already written such a module, and two results piqued my interest. These are Kevin Jardine's OpenID client plugin and Justin Richer's OAuth plugin.

The OAuth plugin assumes that the users already have an Elgg account. It is a good solution if you solely need an OAuth interface, but it is not really ideal for what I'm trying to implement. The OpenID client plugin is promising, but it's more focused on interfacing with OpenID servers whose endpoint supports the passing of a username, which is not the case with Google. Google's authentication works by sending the user to an authentication page and then returning a Google-supplied identifier on success. The value of this identifier is also unique for every relying party (openid.realm), so another application will get a different value even if it's the same Google account.

Even if I can't use the OpenID client plugin as is, there are still parts of it which are very useful. These are the Elgg integration points, like the different APIs that call the different OpenID methods, and the Elgg-specific OpenID Store that keeps track of the different OpenID associations and nonces. Because of this, I'll use some bits and pieces of the plugin as a starting point and just make it specific to work with Google. For the actual display of the authentication page, I used Google's PopupManager JavaScript library to launch a popup window that goes to Google's OpenID endpoint. For an example of how this library works, visit this online demo for Google hybrid. You can check out the source code of this demo here (look under the hybrid folder). Using some code snippets from the Google hybrid source code as well, I am able to leverage Zend Gdata to request and process some of the user's data on Google services. Since I based most of the authentication sequence on the Google hybrid sample code, it's also fitting to mention that it uses JanRain, Inc's OpenID PHP library and Andy Smith's basic PHP library for OAuth.
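The request and response fields of the hybrid exchange described above, as an added example that is not code from the plugin or from Google's sample. Parameter names follow the OpenID 2.0 and OpenID OAuth Extension specifications; the function names and the endpoint, realm, consumer key and scope arguments are assumptions.

```php
<?php
// Added example, not the plugin's code; endpoint, realm, consumer key and scope are caller-supplied assumptions.
const OPENID_NS    = 'http://specs.openid.net/auth/2.0';
const OAUTH_EXT_NS = 'http://specs.openid.net/extensions/oauth/1.0';

function hybrid_request_url(string $endpoint, string $realm, string $returnTo,
                            string $consumerKey, string $scope): string
{
    // Assumes a non-wildcard realm ending in "/"; return_to must sit under it.
    if (substr($realm, -1) !== '/' || strpos($returnTo, $realm) !== 0) {
        throw new InvalidArgumentException('return_to is outside openid.realm');
    }
    return $endpoint . '?' . http_build_query([
        'openid.ns'             => OPENID_NS,
        'openid.mode'           => 'checkid_setup',
        'openid.claimed_id'     => OPENID_NS . '/identifier_select',
        'openid.identity'       => OPENID_NS . '/identifier_select',
        'openid.realm'          => $realm,   // identifiers are scoped to this value
        'openid.return_to'      => $returnTo,
        'openid.ns.oauth'       => OAUTH_EXT_NS,
        'openid.oauth.consumer' => $consumerKey,
        'openid.oauth.scope'    => $scope,
    ], '', '&', PHP_QUERY_RFC3986);
}

function parse_hybrid_response(string $rawQuery): array
{
    // Split the raw query by hand: $_GET and parse_str() turn the dots in "openid.mode" into underscores.
    $fields = [];
    foreach (array_filter(explode('&', $rawQuery), 'strlen') as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $fields[urldecode($k)] = urldecode($v);
    }
    if (($fields['openid.mode'] ?? '') !== 'id_res') {
        throw new RuntimeException('no positive assertion in response');
    }
    // The provider may pick its own alias for the OAuth extension namespace.
    $alias = null;
    foreach ($fields as $k => $v) {
        if ($v === OAUTH_EXT_NS && strpos($k, 'openid.ns.') === 0) {
            $alias = substr($k, strlen('openid.ns.'));
        }
    }
    // Untrusted until the OpenID library has verified this response's signature, nonce and return_to.
    return [
        'claimed_id'    => $fields['openid.claimed_id'] ?? null,
        'request_token' => $alias === null ? null : ($fields["openid.{$alias}.request_token"] ?? null),
    ];
}
```

Pass `$_SERVER['QUERY_STRING']` to `parse_hybrid_response()` rather than reading `$_GET`, and key the Elgg account mapping on `claimed_id` only after verification succeeds.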

This code is now in testing and I'm in the process of ironing out any issues we find.  When it has proved to be stable I'll package up the plugin and release it for public consumption.

 


Encouragement!

Just a note to say:

Please let us know as soon as this is working!  It would make life so much easier for us and our students.

Happy to be a test site :-)

Big thanks for all your work so far.

by Dan Leighton on 05/05/11
