A Proper Sign In With Google Implementation
I believe we're at the 3rd iteration of our Sign In With Google mechanism.
I think this time, we finally got it right.
It started as a privacy related task. We wanted to remove Google's (now deprecated) platform.js
from the sign-in/sign-up/account pages. Loading external JS, CSS & font files has been flagged during our privacy check up as exposing visitor/customer information (IP, user agent, referrer, number of asset loads, etc.) to 3rd parties. So from replacing platform.js
with a server side oAuth implementation, we segued into reviewing the entire Sign In With Google experience.
As a result, there's new functionality, updated copy, and streamlined processes. But the thing that we're proud of the most is that we've - hopefully - removed all of the confusion around the process.
When you Sign In With Google, you authorize Google to give us some basic information about you: your name and e-mail.
We use that information to:
- create a Pipe account and associate your Google account with it OR
- if your Google e-mail already exists in our accounts database, we just do the association
Once your Google account is associated with a Pipe account, you can sign in directly with the Google account. Using a Google account means you don't have to set up and manage another password, and you can use Google's 2FA mechanism. There's also the added benefit of seeing no captchas during the sign up and sign in processes.
But you can also set a password on such accounts. Once you do, you practically have two ways of signing in:
- Pipe account e-mail and password
- Sign In With Google
Setting a password on a Pipe account with an associated Google account is a workaround for having two separate logins (until we get to implement Teams later this year).
Once you have set a password, there's also the option of removing the password or detaching the Google account from your Pipe account.
Existing Pipe accounts also got the option to attach a Google account if there's none attached.
As a result, you can switch from using only Google to sign in to using only the Pipe account e-mail and password to sign in and then back to using only Google.
More practical benefits include:
- the ability to change the Google account associated with a Pipe account
- the ability to use the Pipe e-mail + password as a secondary log in (since you need to be signed in to the respective Google account to detach it).
The Pipe account area will error out if you try to attach the same Google account to 2 Pipe accounts. It's an internal decision (authorization discussion, not authentication).
To top everything off, the sessions page has also been updated. You can now see which sign in method was used (Google or Pipe) and how each session expired. Useful when you have two ways of signing in.