Performing Google Federated Login/oAuth2 after ini

Published 2019-02-12 00:14

Question:

I am trying to support "Hybrid" Federated Login and oAuth2 (using logic from this document) for a webservice which will:

  1. support Sign in using your Google account on my site. That is, from the documentation: You can also choose to use Google's authentication system as a way to outsource user authentication for your application. This can remove the need to create, maintain, and secure a username and password store.
  2. Access the user's Google Analytics.

Here are the steps I have done.

  1. I form my request to https://accounts.google.com/o/oauth2/auth with the scopes (Google Analytics) I want access to.
  2. I get redirected to Google, where it shows my icon and which scopes I am requesting access to. I grant access.
  3. I get redirected back to the callback page.
  4. I get the tokens (access and refresh), as well as a huge id_token string (which I don't know) and store all of this information in my database.
  5. I then make a call to https://www.googleapis.com/oauth2/v1/userinfo?access_token=xxxyyyzzz to get the user's email and name and store this information in my database too. I also notice it returns an id field which to my knowledge never changes and I presume is some sort of unique identifier. I store this too.

Question: If I go to the "Authorized Access to your Google Account" section in my Google account, it shows that my site has access to "Google Analytics". BUT, it does not say "Sign in using your Google account". This is what I am trying to accomplish. I would have thought using the logic would enable "Sign in using your Google account". What am I doing wrong? And what would be the applicable call to Google so that users can sign in to my site?

Answer 1:

If your site has access to something like your Contacts or Analytics using OAuth, you'll never see "Sign in using your Google account". I'm pretty sure that's only if you use OpenID (not OAuth) for sign-in.

Specifically, OAuth is used for giving you access to APIs to create/update/delete data, while OpenID is for signing in.



Answer 2:

If you are asking how to identify user for future logins, you have two options:

  • Mix OAuth with OpenID, that is called Hybrid. I have described it on this answer.

  • Use the userinfo scope and request userinfo (email, etc.) after successful OAuth authorization. It is described in the Google OAuth 2 documentation.

If you mean automatically logging in to your web site on future visits, you can use OpenID "immediate mode" (the openid.mode parameter).



Answer 3:

When the user is redirected back, you call the second request from your own (server-side?) code and get their email address. When you successfully get it, that means that the user is logged on. You can add it to the session (e.g. as a cookie), and as long as you have it, the user is logged on. You make the user log out by forgetting the email address, i.e. by clearing the session/cookies.



Answer 4:

Add this parameter to the https://accounts.google.com/o/oauth2/auth URL call: approval_prompt=force. Then the "Sign in using your Google account" prompt will always show, regardless of whether the user was already signed in to that or any other account.

So the call would be like this: https://accounts.google.com/o/oauth2/auth?client_id=<client id>&redirect_uri=<uri>&scope=<scope>&access_type=<online or offline>&response_type=code&approval_prompt=force
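The flow the question walks through (build the authorization URL, receive the callback, read the userinfo response and the id_token) as an added example; this is not code from the question or from any of the answers, and it does not talk to Google. It assumes hypothetical values (`client-id-placeholder`, the `https://example.test/callback` redirect URI, the Analytics and userinfo scopes it lists) and adds two things the page does not mention: a random `state` parameter that is checked when the callback arrives, so a callback that was not started by this server is rejected, and a decode of the `id_token` (a JWT) that only reads claims and expects the caller to verify the signature separately. The `verified_email` field of the v1 userinfo response and the `iss`/`aud`/`sub` claims of the id_token are taken from Google's documented formats, not from the page.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"          # from the page
USERINFO_ENDPOINT = "https://www.googleapis.com/oauth2/v1/userinfo"  # from the page

# Hypothetical scopes for "Analytics plus who the user is" (assumed, not from the page).
SCOPES = [
    "https://www.googleapis.com/auth/analytics.readonly",
    "https://www.googleapis.com/auth/userinfo.email",
]


def new_state() -> str:
    """Unguessable per-login value; stored server-side and checked on the callback."""
    return secrets.token_urlsafe(32)


def build_auth_url(client_id, redirect_uri, scopes, state,
                   access_type="offline", approval_prompt="force") -> str:
    """Authorization URL as in Answer 4, plus the 'state' parameter."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),        # urlencode turns the space into '+'
        "response_type": "code",
        "access_type": access_type,
        "approval_prompt": approval_prompt,
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the redirect, or raise if it must not be used."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization denied: " + query["error"][0])
    state = query.get("state", [""])[0]
    # Constant-time compare; a missing or foreign state means the request was not ours.
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not initiated by this server")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def identity_from_userinfo(userinfo: dict) -> dict:
    """Pick the stable account key from the userinfo JSON (step 5 of the question).

    The 'id' field is the value to key the local account on; the email is a display
    attribute that a user can change, so it is stored alongside, not used as the key.
    """
    if not userinfo.get("id"):
        raise ValueError("userinfo response has no id field")
    if not userinfo.get("verified_email", False):
        raise ValueError("refusing to trust an unverified email address")
    return {"google_id": str(userinfo["id"]), "email": userinfo["email"]}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Parse the payload of the id_token JWT (step 4 of the question).

    This only reads the claims. Before any claim is trusted, the token's signature
    must be verified against Google's published keys (not done here).
    """
    header, payload, _signature = id_token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "RS256":
        raise ValueError("unexpected id_token algorithm")
    return json.loads(_b64url_decode(payload))


def subject_for_client(claims: dict, expected_client_id: str) -> str:
    """Check issuer and audience, then return the stable 'sub' identifier."""
    if claims.get("iss") not in ("accounts.google.com", "https://accounts.google.com"):
        raise ValueError("id_token not issued by Google")
    if claims.get("aud") != expected_client_id:
        raise ValueError("id_token was issued for a different client")
    return claims["sub"]


def make_sample_id_token(claims: dict) -> str:
    """Constructed, UNSIGNED sample token for demonstration only (signature segment is junk)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "not-a-real-signature"])


# Constructed sample data standing in for Google's responses.
SAMPLE_USERINFO = {"id": "1234567890", "email": "user@example.test",
                   "verified_email": True, "name": "Sample User"}
SAMPLE_ID_TOKEN = make_sample_id_token(
    {"iss": "accounts.google.com", "aud": "client-id-placeholder",
     "sub": "1234567890", "email": "user@example.test"})
```

The `state` value is generated when the login starts, kept in the server-side session, and compared when the callback arrives; the authorization code is then exchanged server-side for the tokens described in step 4, and the `id` from userinfo (or the matching `sub` from a verified id_token) becomes the key the local account is stored under.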