The newest version of Google Identity Toolkit has been released as Google Cloud's Identity Platform and Firebase Authentication. These products include upgraded client SDKs, open source UI libraries, session management and integrated email sending service for forgotten password flows.

Based on your needs, new projects should use either Identity Platform or Firebase Authentication. To migrate an existing project from Identity Toolkit, see the Identity Platform migration guide or Firebase Authentication migration guide.

Use Identity Toolkit in your Android App

We know developers need to engage their users across all platforms, so Google Identity Toolkit runs natively on Android. Our Android SDK provides an easy to use identity solution for all developers.

Add to existing app

Ready to get started? Our Android Quick-start is the easiest way to try it out.

Otherwise, follow these instructions to add Google Identity Toolkit to your own application.

  1. Download the Android SDK from our Github repository. Use identitytoolkit-api10.aar if you plan on supporting api level 10. Note that if you are supporting api level 10, the Acitivity that initializes GitkitClient must inherit from android.support.v4.app.FragmentActivity. Otherwise use identitytoolkit-api11.aar if you only need api level 11+, which does not require a support library.

  2. Configure the Identity Toolkit API as outlined in the Android Quick-start.

  3. Register the quick-start app in the same project in Google API Console

    1. Get the signing key SHA1. For debugging, usually the default android debug keystore is used. If you followed the configuration instructions in the previous step, you generated the signing key. You can reuse that, or run the following command to get the SHA1 for the debug signing key (keystore=debug.keystore, key=androiddebugkey)

          keytool -list -v -keystore ~/.android/debug.keystore -alias androiddebugkey

      The password for the debug keystore is android. If you are using a production signing key, be sure to use that instead.

    2. Create an OAuth2 client for your app in the API Console Credentials page

      1. From the project drop-down, select your project.
      2. On the Credentials page, select the Create credentials drop-down, then select OAuth client ID.
      3. Under Application type, select Android
      4. Enter a name, and fill in the the SHA1 and the package name (e.g., com.google.identitytoolkit.demo), then select Create.

  4. Modify AndroidManifest.xml
    Note: To access the values you will need, open the API Console Credentials page. This page contains the client ID and API key.

    • Uncomment the android:scheme line and replace the placeholder with your reversed server client ID. You can find this ID in the OAuth 2.0 client IDs section under the Type "Web application". For example, if your server client ID is 123.apps.googleusercontent.com then put com.googleusercontent.apps.123 here.
    • Uncomment the identitytoolkit.api_key meta data and replace the placeholder with your API key. You can find your API key in the API keys section under the Type "Android".
    • Uncomment the identitytoolkit.server_client_id meta data and replace the placeholder with your server client ID. You can find this ID in the OAuth 2.0 client IDs section under the Type "Web application".
    • Uncomment the identitytoolkit.server_widget_url and replace the placeholder with your server side Gitkit widget absolute URL. This field doesn't matter for the sample app, but you will need to configure it once you have the web server endpoint set up.

Adding Identity Providers

Once you have Sign in with Google and password accounts working, you will likely want to offer other sign in options for your users.

Facebook

  1. Add the Facebook dependencies

    1. Copy {GITKIT_SDK_DIR}/plugins/identitytoolkit_fbv4.jar to your libs folder.(If you wish to use Facebook Android SDK v3.x, copy {GITKIT_SDK_DIR}/plugins/identitytoolkit_fb.jar instead)

    2. Update the dependencies section of your build.gradle file to look as it does below. You may want to update some of the version numbers to reflect the latest builds available.(For Facebook SDK v4.6 or above, please set the minSdkVersion to 15)

      dependencies {
    compile 'com.google.android.gms:play-services:15.0.0'
    compile 'com.facebook.android:facebook-android-sdk:4.8.1'
    compile(name:'identitytoolkit-api11', ext:'aar')
    compile(name:'identitytoolkit_fbv4', ext:'jar')
}

  2. Register your app on Facebook

    1. Go to https://developers.facebook.com, register or log in, then select My Apps->Add a New App

    2. Once the new app is created, click Settings on the left then click + Add Platform

      1. Select Android
      2. Fill in the package name and main class.

      3. Run the following command to get key hash:

          keytool -exportcert -alias androiddebugkey -keystore ~/.android/debug.keystore | openssl sha1 -binary | openssl base64

    3. Fill Facebook app ID/secret in the Google API Console.

      1. From the project drop-down, select the project where your Identity Toolkit API Android App is configured.
      2. From the list of enabled APIs, find the Identity Toolkit API, then select the gear icon to the right of the name. This action opens settings tab.
      3. Scroll down to the Providers section and select Facebook to expand the details view.
      4. Enter the Facebook App ID and App Secret.
      5. When done, select Save.

    4. Conifgure the App Domain. If you are testing locally, this should be https://localhost.

    5. Add another platform, this time for Web. Enter your widget URL in the Site URL field.

  3. Configure your Identity Toolkit app.

    1. Add a string value for the Facebook app ID (you can get it from developers.facebook.com) in res/values/strings.xml

      <string name="fb_app_id">YOUR_FB_APP_ID</string>

    2. Add a Facebook app ID meta data in AndroidManifest.xml

      <meta-data android:name="com.facebook.sdk.ApplicationId" android:value="@string/fb_app_id"/>

    3. Declare the Facebook sign in activity in your AndroidManifest.xml in case the target device doesn't have Facebook app installed. Add the following line next to the GitkitDemo activity declaration. (Use com.facebook.LoginActivity if you wish to use Facebook Android SDK v3.x)

      <activity android:name="com.facebook.FacebookActivity"/>

    4. To enable the Facebook button, change the value of identitytoolkit.show_providers meta data in AndroidManifest.xml to "Google, Yahoo, Facebook".

Yahoo

To enable Yahoo login, note that you need to have the Google Identity Toolkit javascript widget running at your identitytoolkit.server_widget_url.

  1. Under the identitytoolkit.show_providers meta-data, add "Yahoo" to the comma-separated list.
  2. Set the roll-out percentage in the settings console as appropriate. Be sure to click "save" when you are done.

Microsoft

To enable Microsoft login, note that you need to have the Google Identity Toolkit javascript widget running at your identitytoolkit.server_widget_url.

  1. Follow these instructions to enable your Microsoft app. You should register as a website using your widget_url.
  2. Once you have registered you app, copy the Client ID and Secret Key to the Identity Toolkit configuration page.
  3. Under the identitytoolkit.show_providers meta-data, add "Microsoft" to the comma-separated list.
  4. Set the roll-out percentage in the settings console as appropriate. Be sure to click "save" when you are done.

AOL

To enable AOL login, note that you need to have the Google Identity Toolkit javascript widget running at your identitytoolkit.server_widget_url.

  1. Under the identitytoolkit.show_providers meta-data, add "AOL" to the comma-separated list.
  2. Set the roll-out percentage in the settings console as appropriate. Be sure to click "save" when you are done.

Paypal

To enable Paypal login, note that you need to have the Google Identity Toolkit javascript widget running at your identitytoolkit.server_widget_url.

  1. Follow these instructions to enable your Paypal app. You should register as a website using your widget_url.
  2. Once you have registered you app, copy the Client ID and Secret Key to the Identity Toolkit configuration page. Be sure to click "save" when you are done.
  3. Under the identitytoolkit.show_providers meta-data, add "Paypal" to the comma-separated list.

UI Customization

You can override the user interface by implementing your own UiManager. The UiManager interface requires that you implement five screens, as outlined below. When you have collected the information for any given screen, you complete the action by passing the corresponding Request to the RequestHandler.

Start Sign-in

When the showStartSignIn() method is called, you should allow your user to choose how they will sign in.

First, if lastUserProfile != null, you should give your users the option to use this previous account.

If the user does not have any previous accounts or has elected to use a new sign-in option, you must either collect the Identity Provider they wish to use or an email if they want to create an email-password account.

When complete, you must create a UiManager.StartSignInRequest object, set either the email or provider field, and call handler.handle(request).

Show Password Sign-in

The showPasswordSignIn() method is called when the user entered an email on the startSignIn screen and a password account for that email already exists. You must provide some way for the user to enter their password, create the appropriate UiManager.SignInWithPasswordRequest, and pass it to the handler.

If the user has had repeated failed attempts at signing in, they may be prompted to complete a reCAPTCHA challenge before moving forward.

Be sure that you are prepared to handle the INVALID_PASSWORD error code at this point.

Show Password Sign Up

The showPasswordSignUp() method is called when the user entered an email address and no account for that email address exists.

On this screen, you must allow the user to enter a display name and the password for their account, create the appropriate UiManager.SignUpWithPasswordRequest, and pass it to the handler.

If several sign up attempts have been made from this device recently, the user may be asked to solve a reCAPTCHA challenge before continuing.

Show Password Account Linking

The showPasswordAccountLinking() method is called when the user had previously created a password account and has now elected to use federated login (but after the federated login has completed). The user should now be prompted to prove they own the account by entering their old password. You must provide some way for the user to enter their password, create the appropriate UiManager.VerifyAccountWithPasswordRequest, and pass it to the handler.

Be sure that you are prepared to handle the INVALID_PASSWORD error code at this point.

Show IDP Account Linking

The showIdpAccountLinking() method is called when the user successfully completed federated login, but an account for that email address already existed. You should display information about their previous provider, and that these accounts will be linked. You should allow the user to confirm this action, create the appropriate UiManager.VerifyAccountWIthIdpRequest, and pass it to the handler.

If the user elects to link the accounts, they will begin the login flow for their previously used Identity Provider to prove that they own the account.