Table of contents
How Google achieves seamless SSO across multiple domains like Gmail and Youtube?
Software Engineer
Software Engineer
Hey there! Ever wondered how you can log into Gmail and then magically find yourself logged into YouTube, Google Drive, and all other Google services without lifting a finger? This behind-the-scenes wizardry is called Single Sign-On (SSO)
In this blog, I will show you some techniques that Google used.
In this blog, I will show you some techniques that Google used.
The Challenge of Cross-Domain Authentication
Web browsers enforce strict security policies that prevent one domain from accessing cookies set by another domain. This policy, known as the Same-Origin Policy, is essential for protecting user data but poses a challenge for implementing SSO across multiple domains (e.g., google.com and youtube.com).
To overcome this, Google employs a combination of cookies, tokens, and background server requests to synchronize authentication sessions across its services.
To overcome this, Google employs a combination of cookies, tokens, and background server requests to synchronize authentication sessions across its services.
Step-by-Step Login Flow
1. Initial Login Request
When a user navigates to a Google service (e.g., Gmail at https://mail.google.com) and they are not logged in, Gmail redirects the user to the central authentication server at https://accounts.google.com.
At https://accounts.google.com, the user is prompted to enter their credentials. Upon successful authentication, the server sets a session cookie for the .google.com domain.
When a user navigates to a Google service (e.g., Gmail at https://mail.google.com) and they are not logged in, Gmail redirects the user to the central authentication server at https://accounts.google.com.
At https://accounts.google.com, the user is prompted to enter their credentials. Upon successful authentication, the server sets a session cookie for the .google.com domain.
// language: bash HTTP/1.1 200 OK Set-Cookie: SID=SESSION_COOKIE; Domain=.google.com; Secure; HttpOnly
2. Generating Cross-Domain Session Identifiers
Google's authentication server also generates a session identifier or token. This token is used to establish sessions on other Google-owned domains.
The authentication server redirects to other Google-owned domains to establish sessions on those domains using the session identifier.
Redirect to YouTube:
// language: bash GET /accounts/SetSID?sidt=UNIQUE_SESSION_ID&continue=https://mail.google.com/mail&<other_params> Host: accounts.youtube.com
Response from YouTube:
// language: bash Set-Cookie: SID=YOUTUBE_SESSION_COOKIE; Domain=.youtube.com; Secure; HttpOnly
YouTube redirects to Localized Domains (e.g., Vietnam):
// language: bash GET /accounts/SetSID?sidt=UNIQUE_SESSION_ID&continue=https://mail.google.com/mail&<other_params> Host: accounts.google.com.vn
Response from Localized Domains:
// language: bash Set-Cookie: SID=LOCALIZED_SESSION_COOKIE; Domain=.google.com.vn; Secure; HttpOnly
When accounts.youtube.com and other localized domains receive the request with the session identifier, they verify the identifier with the central authentication server. If valid, they set their own session cookies for their respective domains.
3. Final Redirection
Once all necessary cookies are set, the user is redirected back to the original service which extracted from the continue param (&continue=https://mail.google.com/mail)
When the user navigates to another Google service (e.g., YouTube at https://www.youtube.com), the .youtube.com cookies are automatically sent with the request, allowing the user to be logged in without re-entering credentials.
Step-by-Step Logout Flow
The browser sends background requests to other domains to clear their cookies.
- Youtube:
// language: bash GET /ClearSID?sidt=UNIQUE_SESSION_ID HTTP/1.1 Host: accounts.youtube.com
- Localized Domains:
// language: bash GET /ClearSID?sidt=UNIQUE_SESSION_ID HTTP/1.1 Host: accounts.google.com.vn
Each domain clears its cookies and invalidates the session
Created at
2024-09-24 22:52:06 +0700
Related blogs
One Design Pattern a Week: Week 4
Welcome back to my "One Design Pattern a Week" series!Try to solve this real problem: Request HandlingImagine you're building an enterprise applicatio...
Software Engineer
Software Engineer
2024-10-28 16:46:15 +0700
How to customize YJIT in the Rails app
In this post, we'll dive into what YJIT is, how to enable it in your Rails app, and how to monitor and configure it for optimal performance.What is YJ...
Software Engineer
Software Engineer
2024-12-04 16:29:15 +0700