Overview

  • OAuth-based App Flip Linking allows users to easily and quickly link accounts in your authentication system to their Google accounts by seamlessly flipping them to your app for authorization if it's installed.

  • This process is faster as users don't need to re-enter credentials, leveraging existing account information in your app.

  • To implement App Flip, you must have an Android or iOS app and own or manage an OAuth 2.0 server supporting the authorization code flow.

  • Designing the consent screen involves communicating that the linking is to Google, not a specific product, and providing clear information, options to cancel, unlink, and switch accounts, and including your logo.

  • Setting up App Flip involves creating an Action, setting up an OAuth 2.0 server, and configuring App Flip in the Actions console.

基于 OAuth 的应用快速关联 (App Flip) 关联功能可让用户快速将其在您的身份验证系统中的账号关联到其 Google 账号。 如果用户在发起账户关联过程时手机上已安装您的应用,系统会顺畅地将他们转到您的应用以获取用户授权。

这种方法可提供更快的账户关联过程,因为用户无需重新输入用户名和密码进行身份验证;相反,App Flip 会利用用户在您的应用中的账号凭据。用户将其 Google 账号与您的应用关联后,便可利用您开发的任何集成。

您可以为 iOS 和 Android 应用设置 App Flip。

此图显示了用户将其 Google 账号与您的身份验证系统相关联的步骤。第一张屏幕截图显示了用户如何选择您的应用(如果其 Google 账号已与您的应用相关联)。第二张屏幕截图显示了用户将其 Google 账号与您的应用相关联的确认信息。第三张屏幕截图显示了 Google 应用中已成功关联的用户账号。
图 1.用户手机上使用 App Flip 进行账号关联。

要求

如需实现 App Flip,您必须满足以下要求:

  • 您必须拥有 Android 或 iOS 应用。
  • 您必须拥有、管理和维护支持 OAuth 2.0 授权代码流程的 OAuth 2.0 服务器。

基于 OAuth 的 App Flip 流程

以下序列图详细说明了用户、Google 应用、您的应用和您的授权服务器之间针对 App Flip 的交互。

用户 Google 应用 您的应用 Google 服务器 您的授权 服务器 1. 发起关联 2. 深层链接到您的应用 3. 显示意见征求屏幕 4. 用户授予意见征求 5. 获取授权代码 6. authorization_code 7. 返回到 Google 应用 8. 将代码传递给 Google 服务器 9. 令牌交换 (POST) 10. access_token, refresh_token 11. 存储用户令牌 12. 访问用户资源
图 2.App Flip 流程中的事件序列。 如果提供了授权代码,则令牌交换将以 服务器到服务器的方式进行,与基于浏览器的 OAuth 关联流程中的方式相同。

角色和职责

下表定义了 App Flip 流程中执行者的角色和职责。

执行者 / 组件 GAL 角色 职责
Google 应用 / 服务器 OAuth 客户端 发起账户关联过程,触发到您的移动应用深层链接,将授权代码交换为令牌,并安全地存储这些令牌以访问您服务的 API。
您的应用 授权代理 对用户进行身份验证(通常使用现有应用凭据), 获取意见征求,并从您的服务器检索授权代码。
您的授权服务器 授权服务器 验证授权代码和刷新令牌,并向 Google 服务器颁发访问 令牌。

For more information on the OAuth linking authorization code flow, see Implement your OAuth server.

Design guidelines

This section describes the design requirements and recommendations for the App Flip account linking consent screen. After Google calls your app, your app displays the consent screen to the user.

Requirements

  1. You must communicate that the user’s account is being linked to Google, not to a specific Google product, such as Google Home or Google Assistant.

Recommendations

We recommend that you do the following:

  1. Display Google's Privacy Policy. Include a link to Google’s Privacy Policy on the consent screen.

  2. Data to be shared. Use clear and concise language to tell the user what data of theirs Google requires and why.

  3. Clear call-to-action. State a clear call-to-action on your consent screen, such as “Agree and link.” This is because users need to understand what data they're required to share with Google to link their accounts.

  4. Ability to deny or cancel. Provide a way for users to go back, deny, or cancel, if they choose not to link.

  5. Ability to unlink. Offer a mechanism for users to unlink, such as a URL to their account settings on your platform. Alternatively, you can include a link to Google Account where users can manage their linked account.

  6. Ability to change user account. Suggest a method for users to switch their account(s). This is especially beneficial if users tend to have multiple accounts.

    • If a user must close the consent screen to switch accounts, send a recoverable error to Google so the user can sign in to the desired account with OAuth linking and the implicit flow.

  7. Include your logo. Display your company logo on the consent screen. Use your style guidelines to place your logo. If you wish to also display Google's logo, see Logos and trademarks.

This figure shows an example consent screen with call-outs to the individual requirements and recommendations to be followed when you design a user consent screen.
Figure 2. Account linking consent screen design guidelines.

Set up for OAuth-based App Flip

The following sections describe the prerequisites for OAuth-based App Flip and how to configure your App Flip project in the Actions console.

Create an Action and set up an OAuth 2.0 server

Before you can configure App Flip, you need to do the following:

Configure App Flip in the Actions console

The following section describes how to configure App Flip in the Actions console.

  1. Click Develop in the top navigation. Then, click Account linking in the left navigation.
  2. Toggle on the switch next to Account linking.
  3. Under Account creation, select No, I only want to allow account creation on my website.
  4. Click Next.
  5. Under Linking type, select OAuth and Authorization code from the drop-down menus.
  6. Click Next.
  7. Fill out all the fields under OAuth Client information. (If App Flip isn’t supported, regular OAuth is used as a fallback.)
  8. Click Next.
  9. Under Use your app for account linking (optional), check Enable for iOS.
  10. Fill out the Universal Link field. For more information about universal links, see Allowing Apps and Websites to Link to your Content .
  11. If you want to optionally configure your client, add scopes and click Add scope under Configure your client (optional). If not, click Next.
  12. Under Testing instructions, type test (or any other string) as a placeholder. (Filling in this field with a test account is only necessary if you are actually submitting your Action to be published.)
  13. Click Save.

You can now continue to the next section to implement App Flip in your iOS or Android app.

Implement App Flip in your native apps

To implement App Flip, you need to modify the user authorization code in your app to accept a deep link from Google.

Test App Flip on your device

Now that you’ve created an Action and configured App Flip on the console and in your app, you can test App Flip on your mobile device. You can use the Google Assistant app to test App Flip.

To test App Flip from the Assistant app, follow these steps:

  1. Go to the Actions console and select your project.
  2. Click Test in the top navigation.
  3. Trigger the account linking flow from the Assistant app:
    1. Open the Google Assistant app.
    2. Click Settings.
    3. On the Assistant tab, click Home Control.
    4. Click Add(+).
    5. Select your Action from the list of providers. It will be prefixed with “[test]” in the list. When you select your [test] Action from the list, it should open your app.
    6. Verify that your app was launched and begin testing your authorization flow.