
I am a bit confused about the One Tap sign-in that was announced by Google earlier this year. Our application already uses the Credential Management API in Chrome, which essentially provides the user with login options based on the credentials that the user has saved for our site on a previous visit (passwords that are saved in Chrome). When I read the documentation for One Tap sign-in, it promises to do the same thing, but using Google's client API ID. Our application has its own ID provider with our own database of user names and passwords; from the documentation it looks like One Tap sign-in does not support custom ID providers. Can anyone shed more light on this? Why would I use one against the other?

Thanks Karthik

Steven
Karthik Balasubramanian
  • Possible duplicate of [Google Smart Lock vs Credential Management API](https://stackoverflow.com/questions/47096337/google-smart-lock-vs-credential-management-api) – Sachin Jan 04 '18 at 10:40

2 Answers


I see two major differences:

  • One Tap is passwordless - it uses a token based login that never exposes the user's password. Chrome Credential Management API stores and retrieves actual passwords in Chrome's password store.

  • One Tap is purely web based - Chrome Credential Management API relies on Chrome's specific implementation. One Tap is a purely web based workflow so it will work across browsers.

One Tap is a much better long term login solution in my opinion. The Credential Management API is experimental and currently only supported in Chrome.

https://developer.mozilla.org/en-US/docs/Web/API/Credential_Management_API#Browser_compatibility

mr.freeze

I lead product development at Google for the one-tap/auto sign-in library; we designed it such that the library includes the Credential Management API and extends it to provide assistance in account creation, secure passwordless sign-in, and cross-browser support.

In particular, if you make a request for existing credentials with code like this:

```javascript
googleyolo.retrieve({
  supportedAuthMethods: [
    "https://accounts.google.com",      // ID tokens for Google Accounts
    "googleyolo://id-and-password"      // saved username/password pairs (Credential Management API)
  ],
  supportedIdTokenProviders: [
    { uri: "https://accounts.google.com", clientId: "CLIENT_ID" }
  ]
});
```

then any saved username/passwords from the Credential Management API will be returned (in browsers supporting the API) along with token data for Google Accounts. The one-tap/auto sign-in JavaScript library wraps the Credential Management API for credential retrieval.

Furthermore, the library provides a googleyolo.hint method to show an email selector for one-tap selection of a verified email address to assist in new account creation, or to link to an existing account, and then be auto signed-in next time with token instead of password, across all browsers, so long as the same Google Account is active.

I'd suggest using the one-tap/auto sign-in library and consuming tokens as well as passwords in order to get assisted sign-up, keep existing users signed-in automatically, and provide functionality even if the browser does not support the Credential Management API.

As for the question about using your own database of username / password, the hope with this library is you could implement the ability to create accounts and auto sign-in to these and existing accounts with OpenID Connect ID tokens representing the user's identity. With the one-tap / auto sign-in UX, these are not only much more usable, but far more secure than passwords and mitigate creation of weak/re-used passwords. Please consider this or, even better, a hosted auth solution like Firebase Auth or Auth0 and include the one-tap UX in the frontend UI.

Steven
  • Thanks for the response, in my case I would like googleyolo to retrieve the username/password that was stored for a particular domain (a domain that we own), I assume that is possible with this? – Karthik Balasubramanian Dec 05 '17 at 12:41
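An added example (not the answer's code and not part of the googleyolo library) of the two halves the second answer describes: routing whichever credential googleyolo.retrieve() resolves with to the backend, and the claim checks a backend applies to a Google ID token before treating it as a login. The credential field names (authMethod, idToken, id, password) and all helper names are assumptions; the sample token is constructed and unsigned, so signature verification against Google's published keys is assumed to have already happened.

```javascript
// Added example, not from the answer or the googleyolo library.
// Client side: turn the credential googleyolo.retrieve() resolves with into
// the request the backend expects. Field names (authMethod, idToken, id,
// password) are assumptions about the resolved object.
function buildSignInRequest(credential) {
  if (credential.authMethod === "https://accounts.google.com" && credential.idToken) {
    // Google Account: send only the ID token; no password is involved.
    return { kind: "token", body: { idToken: credential.idToken } };
  }
  if (credential.authMethod === "googleyolo://id-and-password" && credential.password) {
    // Saved password from the browser's Credential Management API store.
    return { kind: "password", body: { id: credential.id, password: credential.password } };
  }
  throw new Error("unsupported credential: " + credential.authMethod);
}

// Server side: decode the JWT payload segment (base64url, no padding).
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Claim checks applied after the signature has been verified against Google's
// published keys with a JWT library (assumed to run before this function).
// Google issues tokens with either form of the issuer string.
function validateIdTokenClaims(payload, clientId, nowSeconds) {
  const issOk = payload.iss === "https://accounts.google.com" || payload.iss === "accounts.google.com";
  const audOk = payload.aud === clientId;                  // minted for this app, not another
  const expOk = Number.isInteger(payload.exp) && payload.exp > nowSeconds;
  const emailOk = payload.email_verified === true;         // only verified addresses link accounts
  return issOk && audOk && expOk && emailOk;
}

// Constructed sample token for local runs: header.payload.<fake signature>.
function makeConstructedToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
  return enc({ alg: "RS256", typ: "JWT" }) + "." + enc(payload) + ".not-a-real-signature";
}
```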