Account linking enables Google Account holders to quickly, seamlessly and safely connect to your services. You may choose to implement Google Account Linking to share a user's data from your platform with Google apps and services.
The secure OAuth 2.0 protocol lets you safely link a user's Google Account with their account on your platform, thereby granting Google applications and devices access to your services.
Users can link or unlink their accounts and optionally create a new account on your platform with Google Account Linking.
Some of the reasons to implement Google Account Linking are:
Share a user's data from your platform with Google apps and services.
Play your video and movie content using Google TV.
Manage and control Google Smart Home connected devices using the Google Home app and Google Assistant, "Hey Google turn on the lights".
Create user customized Google Assistant experiences and functionality with Conversational Actions, "Hey Google, order my usual from Starbucks".
Enable users to earn rewards by viewing eligible live streams on YouTube after linking their Google Account to a rewards partner account.
Pre-populate new accounts during sign-up with consensually shared data from a Google Account profile.
These features are supported by Google Account Linking:
Quickly and easily share your data using the OAuth Linking implicit flow.
Provide improved security with the OAuth Linking authorization code flow.
Sign-in existing users or sign-up new Google verified users to your platform, obtain their consent and securely share data with Streamlined linking.
Reduce friction with App Flip. From a trusted Google app, one tap securely opens your verified Android or iOS app and one tap grants user consent and links accounts.
Improve user privacy by defining custom scopes to share only necessary data, increase user trust by clearly defining how their data is used.
Access to data and services hosted on your platform can be revoked by unlinking accounts. Implementing an optional token revocation endpoint lets you stay in sync with Google initiated events, while Cross-Account Protection (RISC) allows you to notify Google of any unlinking events that take place on your platform.
Account linking flows
There are 3 Google Account Linking flows all of which are OAuth based and require you to manage or control OAuth 2.0 compliant authorization and token exchange endpoints.
During the linking process, you issue access tokens to Google for individual Google Accounts after obtaining account holders consent to link their accounts and share data.
OAuth Linking ('Web OAuth')
This is the basic OAuth flow that sends users to your website for linking. The user is redirected to your website to sign in to their account. Once signed in, the user consents to sharing their data, on your service, with Google. At that point, the user's Google Account and your service, are linked.
OAuth Linking supports the authorization code and implicit OAuth flows. Your service must host an OAuth 2.0 compliant authorization endpoint for the implicit flow, and must expose both an authorization and token exchange endpoint when using the authorization code flow.
Figure 1. Account Linking on a user's phone with Web OAuth
OAuth-based App Flip Linking ('App Flip')
An OAuth flow that sends users to your app for linking.
OAuth-based App Flip Linking guides users as they move between your verified Android or iOS mobile apps and Google's platform to review the proposed data access changes and grant their consent to link their account on your platform with their Google account. To enable App Flip your service must support OAuth Linking or OAuth-based Google Sign-in Linking using the authorization code flow.
App Flip is supported for both Android and iOS.
How it works:
Google app checks if your app is installed on the user's device:
- If the app is found, the user is ‘flipped’ to your app. Your app gathers consent from the user to link the account with Google, and then 'flips back' to the Google surface.
- If app is not found or an error occurs during the app flip linking process, the user is redirected to Streamlined or Web OAuth flow.
Figure 2. Account Linking on a user's phone with App Flip
OAuth-based Streamlined Linking ('Streamlined')
OAuth-based Google Sign-In Streamlined linking adds Google Sign-In on top of OAuth linking, enabling users to complete linking the linking process without leaving the Google surface, thereby reducing frictions and drop-offs. OAuth-based Streamlined Linking
offers the best user experience with seamless sign-in, account creation and
account linking by combining Google Sign-in with OAuth linking. Your service
must support OAuth 2.0 compliant authorization and token exchange endpoints.
Additionally, your token exchange endpoint must support
JSON Web Token
(JWT) assertions and implement the
How it works:
Google asserts the user account and passes this information to you:
- If an account exists for the user in your database, the user successfully links their Google account with their account on your service.
- if no account exists for the user in your database, the user can either create a new 3P account with the asserted information Google provides : email, name, and profile picture, or choose to sign in and link with another email (this will require them to sign-in to the your service via Web OAuth).
Figure 3. Account Linking on a user's phone with Streamlined Linking
Which flow should you use?
We recommend implementing all flows to ensure users get the best linking experience. The Streamlined and App flip flows reduce linking friction as users are able to complete the linking process in very few steps. The Web OAuth linking has the lowest level of effort and is a good place to start after which you can add on the other linking flows.
Working with tokens
Google Account Linking is based upon the OAuth 2.0 industry standard.
You issue access tokens to Google for individual Google Accounts after obtaining account holders consent to link their accounts and share data.
OAuth 2.0使用称为令牌的字符串在用户代理，客户端应用程序和OAuth 2.0服务器之间进行通信。
Registering with Google
We'll need details of your OAuth 2.0 setup and to share credentials to enable account linking. See registration for details.