Google Classroom add-ons must use Google single sign-on (SSO) to identify and authenticate users.
See Google Identity's OpenID Connect Guide for more information on SSO. We also recommend Google's official documentation on user sign-up and sign-in for automatic sign-in, and the Sign-In Branding Guidelines.
See the frictionless sign-in page for guidance on implementing Google SSO in Classroom add-ons. The frictionless sign-in guide also refers to the test plan that can be used to ensure your add-on is following sign-in best practices.
Sign in flow
To reduce sign-in friction for users, Google Classroom provides the login_hint query parameter when an iframe is opened. login_hint is a user's unique Google ID, and is provided after the user has signed into your add-on for the first time. This parameter provides context on the user that's signed into Google Classroom. See our sign-in parameters guide page for a more detailed discussion of these query parameters.
You must display a Google sign-in dialog if the login_hint query parameter of the current Google Classroom user doesn't match any signed-in user of the add-on. The button must adhere to Google's branding guidelines. If the user is already signed in, they shouldn't be prompted to sign in again.
Figure 1. Sign in flow when a user initially launches your add-on.
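The login_hint check described above, as an added example that is not part of the original page or Google's own code. It assumes the add-on recorded each user's Google ID at first sign-in; the function name, the session set, and the URLs are hypothetical. Because login_hint arrives in the iframe URL, it is used only to select an existing authenticated session, never to create one.

```python
from urllib.parse import urlsplit, parse_qs

PROMPT_SIGN_IN = "prompt_sign_in"   # show the Google sign-in dialog
USE_SESSION = "use_session"         # user already signed in, no prompt


def decide_sign_in(iframe_url, signed_in_ids):
    """Return (action, google_id) for one iframe launch.

    signed_in_ids: Google IDs of users who already hold an authenticated
    add-on session in this browser (hypothetical session store, filled
    only after a completed Google SSO flow).
    """
    query = parse_qs(urlsplit(iframe_url).query, keep_blank_values=True)
    hints = query.get("login_hint", [])

    # No hint (user has never signed in to the add-on), a blank hint, or
    # a repeated parameter: there is no single user to match, so prompt.
    if len(hints) != 1 or not hints[0]:
        return (PROMPT_SIGN_IN, None)

    hint = hints[0]
    if hint in signed_in_ids:
        # Hint matches an existing session: reuse it, do not prompt again.
        return (USE_SESSION, hint)

    # Hint names a user with no session here. Prompt; the value can be
    # forwarded as login_hint to Google's sign-in to preselect the account.
    # The session is created only from the verified sign-in result.
    return (PROMPT_SIGN_IN, hint)


if __name__ == "__main__":
    # Constructed sample data: IDs and URLs are made up for illustration.
    sessions = {"1000000000001", "1000000000002"}
    base = "https://addon.example/classroom-addon?courseId=123"
    for url in (
        base + "&login_hint=1000000000001",
        base + "&login_hint=1000000000009",
        base,
        base + "&login_hint=1000000000001&login_hint=1000000000009",
    ):
        print(decide_sign_in(url, sessions), url)
```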
Individual installations add the add-on to the user's own account. Users are prompted to consent to the add-on's access scopes when the add-on is installed individually.
Administrator installations add the add-on to any or all accounts in the domain, and can only be performed by a domain administrator. The administrator can optionally consent to all access scopes on behalf of all users in the domain; users are not prompted to consent to any access scopes if the administrator chooses to do so.
See Installation settings for more information.