add new doc re SSO publisher integrations

docs/guides/integration-prebid-client-server.md

@@ -375,3 +375,7 @@ if you're using Prebid.js, and you're planning to pass UID2 tokens to Google usi
 
 - In your Google Ad Manager account, make sure that encrypted signals are properly shared with third-party bidders: see [Allow Secure Signals Sharing](integration-google-ss.md#allow-secure-signals-sharing).
 - Update your Prebid.js configuration: see [Optional: Enable Secure Signals in Prebid.js](integration-google-ss.md#optional-enable-secure-signals-in-prebidjs).
+
+## Implementing SSO Login
+
+For information about implementing one or more Single Sign-On (SSO) options in the context of UID2 for users visiting your webpages, see [Publisher Integration with SSO Providers](../ref-info/ref-integration-sso-providers.md).

docs/guides/integration-prebid-client-side.md

@@ -196,3 +196,7 @@ if you're using Prebid.js, and you're planning to pass UID2 tokens to Google usi
 
 - In your Google Ad Manager account, make sure that encrypted signals are properly shared with third-party bidders: see [Allow Secure Signals Sharing](integration-google-ss.md#allow-secure-signals-sharing).
 - Update your Prebid.js configuration: see [Optional: Enable Secure Signals in Prebid.js](integration-google-ss.md#optional-enable-secure-signals-in-prebidjs).
+
+## Implementing SSO Login
+
+For information about implementing one or more Single Sign-On (SSO) options in the context of UID2 for users visiting your webpages, see [Publisher Integration with SSO Providers](../ref-info/ref-integration-sso-providers.md).

docs/overviews/overview-publishers.md

@@ -34,7 +34,7 @@ The following steps provide a high-level outline of the workflow intended for or
 
 1. A user visits a publisher website, mobile app, or CTV app.
 
-1. The publisher provides transparency around its data practices and asks the user to provide an email address or phone number.
+1. The publisher provides transparency around its data practices and asks the user to provide an email address or phone number, by [SSO login](#implementing-sso-login) or other means.
 
 1. Once the user has provided an email address or phone number, the publisher sends it to the UID2 Operator via an SDK or direct API integration.
    :::tip
@@ -156,6 +156,10 @@ The following resources are available for publishers integrating with Google Ad
 | IMA for Android | [UID2 IMA Plugin for Android Integration Guide](../guides/mobile-plugin-ima-android.md) | A guide that enables publishers using the Google Interactive Media Ads (IMA) SDK to include UID2 tokens in ad requests from their Android apps. |
 | IMA for iOS | [UID2 IMA Plugin for iOS Integration Guide](../guides/mobile-plugin-ima-ios.md) | A guide that enables publishers using the Google Interactive Media Ads (IMA) SDK to include UID2 tokens in ad requests from their iOS apps. |
 
+## Implementing SSO Login
+
+For information about implementing one or more Single Sign-On (SSO) options in the context of UID2 for users visiting your webpages, see [Publisher Integration with SSO Providers](../ref-info/ref-integration-sso-providers.md).
+
 ## FAQs for Publishers
 
 For a list of frequently asked questions for publishers using the UID2 framework, see [FAQs for Publishers](/docs/getting-started/gs-faqs.md#faqs-for-publishers).

docs/ref-info/glossary-uid.md

@@ -68,6 +68,8 @@ import Link from '@docusaurus/Link';
 <a href="#gl-normalize">Normalize</a> 
 
 **O**
+<a href="#gl-oidc">OpenID Connect (OIDC)</a> | 
+<a href="#gl-opaque">Opaque</a> | 
 <a href="#gl-open-operator">Open Operator</a> | 
 <a href="#gl-operator">Operator</a> | 
 <a href="#gl-operator-key">Operator key</a> | 
@@ -308,6 +310,10 @@ import Link from '@docusaurus/Link';
 
 <dl>
 
+<dt><MdxJumpAnchor id="gl-oidc"><a href="#gl-oidc">OpenID Connect (OIDC)</a> </MdxJumpAnchor></dt>
+<dd>OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 protocol that allows the client to verify the identity of an end-user based on authentication by an authorization server.</dd>
+<dd>For details, see [OpenID Connect Basic Client Implementer's Guide 1.0 - draft 40](https://openid.net/specs/openid-connect-basic-1_0.html) (specification).</dd>
+
 <dt><MdxJumpAnchor id="gl-opaque"><a href="#gl-opaque">Opaque</a></MdxJumpAnchor></dt>
 <dd>When we say a UID2 token is an opaque string, we mean that the way that the token is computed, and its format, are not communicated to UID2 participants and cannot be relied upon to remain unchanged. No assumptions should be made about the format or length of the string, or any other aspect of it.</dd>
 

docs/ref-info/ref-integration-sso-providers.md

@@ -0,0 +1,96 @@
+---
+title: Publisher Integration with SSO Providers
+description: Information for publishers for using single sign-on (SSO) providers with UID2.
+hide_table_of_contents: false
+sidebar_position: 06
+---
+
+import Link from '@docusaurus/Link';
+
+# Publisher Integration with SSO Providers
+
+This guide provides information for publishers who use popular single sign-on (SSO) providers and want to integrate with UID2.
+
+## High-Level Steps
+
+To integrate with a single sign-on solution, the general steps are as follows:
+
+1. Get an identity token from the SSO provider.
+
+2. Extract the user's email address from the identity token.
+
+3. Pass the user's email address to the [UID2 publisher integration](../guides/summary-guides.md#publisher-integrations) of your choice.
+
+:::note
+To find out whether you have to apply [normalization and encoding](../getting-started/gs-normalization-encoding.md) to the email address, or the integration does it for you, check the documentation for your UID2 publisher integration.
+:::
+
+## Sign In with Google
+
+The following options are available for sign-in with Google:
+
+- [SO with Google for Android](#sso-with-google-for-android)
+- [SSO with Google for iOS and macOS](#sso-with-google-for-ios-and-macos)
+- [SSO with Google for Web](#sso-with-google-for-web)
+
+### SSO with Google for Android
+
+Follow the instructions in [Create the Sign in with Google flow](https://developer.android.com/identity/sign-in/credential-manager-siwg#create-sign). Once the token has been validated, you can retrieve the email address by using the [getEmail() method](https://cloud.google.com/java/docs/reference/google-api-client/latest/com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload#com_google_api_client_googleapis_auth_oauth2_GoogleIdToken_Payload_getEmail__) of the identity token payload.
+
+### SSO with Google for iOS and macOS
+
+To get an email address from [Sign in with Google](https://developers.google.com/identity/sign-in/ios/start-integrating) on iOS or macOS, retrieve it from the `GIDGoogleUser` object. For details, see [Getting profile information](https://developers.google.com/identity/sign-in/ios/people).
+
+### SSO with Google for Web
+
+Follow the instructions to [verify the Google ID token on your server side](https://developers.google.com/identity/gsi/web/guides/verify-google-id-token), and then retrieve the user's email address from the email field of the ID token.
+
+## Facebook Login
+
+There are two ways to integrate Facebook Login with UID2: with an <Link href="glossary-uid#gl-oidc">OpenID Connect (OIDC)</Link> token or without.
+
+### Facebook SSO Using an OIDC Token on iOS
+
+To get an email address from [Facebook Login](https://developers.facebook.com/docs/facebook-login/) using an [OIDC token](https://developers.facebook.com/docs/facebook-login/guides/access-tokens/get-oidc/) on iOS:
+
+1. Implement Facebook Login (for details, see [Use Facebook Login in Your iOS App](https://developers.facebook.com/docs/ios/use-facebook-login)) and request the email permission.
+
+1. Extract the user's email address from the OIDC authentication token: for example, by using the Profile helper class. For details, see [OIDC Tokens in Facebook Login for iOS](https://developers.facebook.com/docs/facebook-login/guides/access-tokens/get-oidc).
+
+### Facebook SSO Without an OIDC Token
+
+To get an email address from [Facebook Login](https://developers.facebook.com/docs/facebook-login/) without using an OIDC token:
+
+1. Request a [user access token](https://developers.facebook.com/docs/facebook-login/guides/access-tokens#usertokens), specifying the `email` permission.
+
+1. If the user has granted the `email` permission, make a Graph API call to the [/me endpoint](https://developers.facebook.com/docs/graph-api/overview#me), using the user access token, and specify `email` as one of the fields.
+
+### Sample Applications
+
+The following applications are available as examples to help you code your Facebook SSO integration for mobile apps:
+
+- [Facebook Login sample application for Android](https://github.com/facebook/facebook-android-sdk/tree/main/samples/FBLoginSample)
+
+- [Facebook Login sample application for iOS](https://github.com/facebook/facebook-ios-sdk/tree/main/samples/FacebookLoginSample)
+
+## Sign In with Apple
+
+The instructions for signing in with Apple are different for apps and websites.
+
+### Sign In with Apple in a Mobile App
+
+Request authorization, making sure to request the `email` scope. For details, see [Request Authorization with Apple ID](https://developer.apple.com/documentation/sign_in_with_apple/implementing_user_authentication_with_sign_in_with_apple#3546458).
+
+If authentication succeeds, retrieve the user's email address from the `email` property of the `ASAuthorizationAppleIDCredential` object.
+
+### Sign In with Apple JS on a Webpage
+
+Refer to the section [Handle the Authorization Response](https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple#3331292) of the page [Configure your webpage for Sign in with Apple](https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple).
+
+## Sign In with OpenPass
+
+To get an email address from an [OpenPass](https://openpass.thetradedesk.com/en) integration:
+
+1. Use the [OpenPass API](https://partner.thetradedesk.com/v3/portal/openpass/doc/OpenPassQuickstartsServerSide) or one of the [OpenPass SDKs](https://partner.thetradedesk.com/v3/portal/openpass/doc/OpenPassSDKs) to get an identity token.
+
+1. Extract the user's email address from the `email` claim of the identity token. For details, see [OpenPass Authentication Tokens](https://partner.thetradedesk.com/v3/portal/openpass/doc/OpenPassTokensAuth).

i18n/ja/docusaurus-plugin-content-docs/current/ref-info/ref-integration-sso-providers.md

@@ -0,0 +1,96 @@
+---
+title: Publisher Integration with SSO Providers
+description: Information for publishers for using single sign-on (SSO) providers with UID2.
+hide_table_of_contents: false
+sidebar_position: 06
+---
+
+import Link from '@docusaurus/Link';
+
+# Publisher Integration with SSO Providers
+
+This guide provides information for publishers who use popular single sign-on (SSO) providers and want to integrate with UID2.
+
+## High-Level Steps
+
+To integrate with a single sign-on solution, the general steps are as follows:
+
+1. Get an identity token from the SSO provider.
+
+2. Extract the user's email address from the identity token.
+
+3. Pass the user's email address to the [UID2 publisher integration](../guides/summary-guides.md#publisher-integrations) of your choice.
+
+:::note
+To find out whether you have to apply [normalization and encoding](../getting-started/gs-normalization-encoding.md) to the email address, or the integration does it for you, check the documentation for your UID2 publisher integration.
+:::
+
+## Sign In with Google
+
+The following options are available for sign-in with Google:
+
+- [SO with Google for Android](#sso-with-google-for-android)
+- [SSO with Google for iOS and macOS](#sso-with-google-for-ios-and-macos)
+- [SSO with Google for Web](#sso-with-google-for-web)
+
+### SSO with Google for Android
+
+Follow the instructions in [Create the Sign in with Google flow](https://developer.android.com/identity/sign-in/credential-manager-siwg#create-sign). Once the token has been validated, you can retrieve the email address by using the [getEmail() method](https://cloud.google.com/java/docs/reference/google-api-client/latest/com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload#com_google_api_client_googleapis_auth_oauth2_GoogleIdToken_Payload_getEmail__) of the identity token payload.
+
+### SSO with Google for iOS and macOS
+
+To get an email address from [Sign in with Google](https://developers.google.com/identity/sign-in/ios/start-integrating) on iOS or macOS, retrieve it from the `GIDGoogleUser` object. For details, see [Getting profile information](https://developers.google.com/identity/sign-in/ios/people).
+
+### SSO with Google for Web
+
+Follow the instructions to [verify the Google ID token on your server side](https://developers.google.com/identity/gsi/web/guides/verify-google-id-token), and then retrieve the user's email address from the email field of the ID token.
+
+## Facebook Login
+
+There are two ways to integrate Facebook Login with UID2: with an OpenID Connect (OIDC) token or without.
+
+### Facebook SSO Using an OIDC Token on iOS
+
+To get an email address from [Facebook Login](https://developers.facebook.com/docs/facebook-login/) using an [OIDC token](https://developers.facebook.com/docs/facebook-login/guides/access-tokens/get-oidc/) on iOS:
+
+1. Implement Facebook Login (for details, see [Use Facebook Login in Your iOS App](https://developers.facebook.com/docs/ios/use-facebook-login)) and request the email permission.
+
+1. Extract the user's email address from the OIDC authentication token: for example, by using the Profile helper class. For details, see [OIDC Tokens in Facebook Login for iOS](https://developers.facebook.com/docs/facebook-login/guides/access-tokens/get-oidc).
+
+### Facebook SSO Without an OIDC Token
+
+To get an email address from [Facebook Login](https://developers.facebook.com/docs/facebook-login/) without using an OIDC token:
+
+1. Request a [user access token](https://developers.facebook.com/docs/facebook-login/guides/access-tokens#usertokens), specifying the `email` permission.
+
+1. If the user has granted the `email` permission, make a Graph API call to the [/me endpoint](https://developers.facebook.com/docs/graph-api/overview#me), using the user access token, and specify `email` as one of the fields.
+
+### Sample Applications
+
+The following applications are available as examples to help you code your Facebook SSO integration for mobile apps:
+
+- [Facebook Login sample application for Android](https://github.com/facebook/facebook-android-sdk/tree/main/samples/FBLoginSample)
+
+- [Facebook Login sample application for iOS](https://github.com/facebook/facebook-ios-sdk/tree/main/samples/FacebookLoginSample)
+
+## Sign In with Apple
+
+The instructions for signing in with Apple are different for apps and websites.
+
+### Sign In with Apple in a Mobile App
+
+Request authorization, making sure to request the `email` scope. For details, see [Request Authorization with Apple ID](https://developer.apple.com/documentation/sign_in_with_apple/implementing_user_authentication_with_sign_in_with_apple#3546458).
+
+If authentication succeeds, retrieve the user's email address from the `email` property of the `ASAuthorizationAppleIDCredential` object.
+
+### Sign In with Apple JS on a Webpage
+
+Refer to the section [Handle the Authorization Response](https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple#3331292) of the page [Configure your webpage for Sign in with Apple](https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple).
+
+## Sign In with OpenPass
+
+To get an email address from an [OpenPass](https://openpass.thetradedesk.com/en) integration:
+
+1. Use the [OpenPass API](https://partner.thetradedesk.com/v3/portal/openpass/doc/OpenPassQuickstartsServerSide) or one of the [OpenPass SDKs](https://partner.thetradedesk.com/v3/portal/openpass/doc/OpenPassSDKs) to get an identity token.
+
+1. Extract the user's email address from the `email` claim of the identity token. For details, see [OpenPass Authentication Tokens](https://partner.thetradedesk.com/v3/portal/openpass/doc/OpenPassTokensAuth).

sidebars.js

@@ -312,6 +312,7 @@ const fullSidebar = [
         'ref-info/ref-integration-approaches',
         'ref-info/ref-tokens',
         'ref-info/ref-server-side-token-generation',
+        'ref-info/ref-integration-sso-providers',
       ],
     },