I have been given the task of implementing "User authentication through Google Apps account" in our custom PHP web application. Users should be able to log in either directly or using a Google account.
I am trying to use OpenID for this. I have read about OpenID and found the following:
In our existing users table, we will add another field, 'openid_identity'. During login, we will send the Google login and password to Google and get a response. From the response, we will get the user's identity, and then by matching it with the identity in the database, we can get the user's details.
One thing that is not clear:
In our application, admins can create users. Users can then log in with their email (like john@myapp.com) and password.
Initially, before using Google sign-in, the 'openid_identity' field of our users table will be empty. How can we handle OpenID login for the first time? What do we show to the user? A 'signup with Google' page? If a user signs up with their Google mail (like 'john@gmail.com'), how can we know which user he is in the users table?
I'd suggest implementing another table to handle external login methods instead of adding a field to your current users table. This "one to many" relationship will help make your application more flexible: one day you might be asked to add support for Twitter, GitHub, or Facebook login too.
I guess that you are planning to modify your login form to present different login methods, let's say the classic login form and a "Login with Google" button.
Then I think you should plan for this case: when the user authenticates with Google, the Google API will return the user's email and you'll check the external login table to see if the record is already there.
If there is no record, you start the user subscription process as usual, but you can pre-fill the user's data with what you've got from Google. You'll save the record both in the external login table and in your common users table, keeping them related.
If the record is already there, then you'll consider the user as authorized. You will have to adjust your current authentication process a little.
Talking about flexibility, while you write your code you can eventually take into consideration the idea of allowing each user to authenticate with more than one account and more than one external service.
I would also consider using this Composer package, https://packagist.org/packages/google/apiclient, to deal with Google's APIs.
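A sketch of the external login table and the first-login lookup described in the answer above, as an added example that is not code from the original post or from the google/apiclient package. The table, column and function names are hypothetical. It assumes the claims come from an ID token whose signature, issuer, audience and expiry the caller has already verified, and it keys the identity on the provider's stable `sub` claim, using the email only to link an admin-created user once, and only when `email_verified` is true.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: one local user can have many external identities.
function createSchema(PDO $db): void
{
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE, password_hash TEXT)');
    $db->exec('CREATE TABLE external_logins (
        user_id INTEGER NOT NULL REFERENCES users(id),
        provider TEXT NOT NULL, subject TEXT NOT NULL,
        UNIQUE (provider, subject))');
}

// $claims: already-verified identity claims (assumption, see lead-in).
// Returns the local user id, or null when the sign-up flow should start.
function resolveExternalLogin(PDO $db, string $provider, array $claims): ?int
{
    // 1. Known identity: match on the provider's stable subject id, not the email.
    $q = $db->prepare('SELECT user_id FROM external_logins WHERE provider = ? AND subject = ?');
    $q->execute([$provider, $claims['sub']]);
    $userId = $q->fetchColumn();
    if ($userId !== false) {
        return (int) $userId;
    }
    // 2. First external login: link to an existing user only if the provider
    //    vouches for the address (strict boolean check, fails closed).
    if (($claims['email_verified'] ?? false) !== true || !is_string($claims['email'] ?? null)) {
        return null;
    }
    $q = $db->prepare('SELECT id FROM users WHERE email = ?');
    $q->execute([strtolower($claims['email'])]); // assumes emails are stored lower-case
    $userId = $q->fetchColumn();
    if ($userId === false) {
        return null; // no matching user: start sign-up, pre-filled from $claims
    }
    $ins = $db->prepare('INSERT INTO external_logins (user_id, provider, subject) VALUES (?, ?, ?)');
    $ins->execute([(int) $userId, $provider, $claims['sub']]);
    return (int) $userId;
}

// Constructed sample data, run against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);
$db->exec("INSERT INTO users (email) VALUES ('john@myapp.com')");
$claims = ['sub' => 'constructed-subject-001', 'email' => 'john@myapp.com', 'email_verified' => true];
var_dump(resolveExternalLogin($db, 'google', $claims)); // first login: links the account
var_dump(resolveExternalLogin($db, 'google', ['sub' => 'constructed-subject-001'])); // later: found by subject
```

A Google address that matches no row in `users` (the john@gmail.com case from the question) returns null here, so the application falls through to the subscription process rather than guessing which local user it belongs to.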