I was trying to achieve an openID login with google and then get an acces token to access google apis (such google plus, or drive)
The first attemp was successful but with a big problem:
Make the openId stuff, and the user is redirected to google to identify himself, then return to my app identified.
Make the oAuth stuff with google apis, redirect the user again to identify himself and cameback with a code, then exchange the code for the access token needed to call google apis.
The user needs to identify twice. That's not good.
I read and tryed the google hybrid openId and oAuth. All links there points to the deprecated oAuth1 interface, and i cant make it work, i get the user identified but not request_token to continue the oAuth stuff.
So i have a couple of questions:
Is there a way to identify the user agains google openId and at the same time get the users consent to access google apis?
Is the hybrid protocol still working with oAuth2 and new google apis?
I'm on the good way or im missing something?
I need both openId and oAuth beacouse the application needs to be in the google marketplace and is a must to login users with openId, and i need to hit some APIs that need oAuth2 access_token.
Thanks!
Why do you need to work on both OpenID and OAuth side by side, and have two login screens? If you simply use OAuth 2.0 workflow, the user needs to key in his credentials just once and you can do anything that you want to.
Once the user consents to the login/permissions screen in the OAuth workflow, your app will get an access token. If you need any client info for, say, a welcome user screen - you just need to hit the https://www.googleapis.com/oauth2/v1/userinfo endpoint with the access token and it will give you the user's public information. So, in short you can do pretty much most of the things with the OAuth flow, and with the user logging in just once.
Good luck! Feel free to follow up with more questions.
OK, finally i have a working solution, and this is the "magic" url that make the trick for me:
String url = "https://accounts.google.com/o/oauth2/auth?"
+ "client_id="+ GoogleapiAuthHelper.CLIENT_ID +"&"
+ "response_type=code&"
+ "scope=openid%20profile%20https://www.googleapis.com/auth/plus.me&"
+ "redirect_uri="+GoogleapiAuthHelper.REDIRECT_URI+ "&"
+ "state=security_token%3Dasdalskjqwo91231029";
if( userService.getCurrentUser() != null ){
url += "&login_hint=" + userService.getCurrentUser().getEmail();
}
Steps:
First of all, identify the user with openId, the users go to login screen and type his credentials.
User return idenfied to the application
Redirect the user to the URL above. The param login_hint makes that the user dosen't need to idenfity again and the response to this url is a redirection with an oAuth code, wich you can easily exchange for the desirec access token.
After reading all Google Plus API, Google Drive API, oAuth2 and openId documentation, the doc that point me to the rigth direction was https://developers.google.com/accounts/docs/OAuth2Login?hl=es
I don't know if this is the best way to achieve openId + oAuth, but it works and i cant make it work in any other way. Hope this can help someone.
Related
I've made an app who use OAuth from Google to access to Google Sites API. It works perfectly, but I want less user action, especially the first time when you must accept google's permissions, get authorization token, to get access and refresh token.
I want to know if it's possible to avoid all this steps (for users, and do this behind the application), in the code with HTTP requests for example or google libs, and just have to inform a google account (mail/password) to get an access/refresh token.
Have you any tips or knowledge about this ?
Thanks by advance
As i was using google analytics api i made some research and the minimum process is:
user click authenticate link on your web page, then is redirected to external google webpage when is prompted securely for login and password. and nothing else.
This oauth refresh token you can automate then - read about this in google docs - there is some info about this. i made all by changing a little simple hello world analytics app from google code.
As i remember You had to know what class in php is, and changing oauth wrapper in simple apps. It can store and process refresh tokens automatically - user needs to enter login and password as i said but it can be stored in cookies, so made once.
we have users who authenticated via the google hybrid Openid (OpenId+OAuth1 [0]) protocol. To use the newer APIs from google we have to change to oauth2 based authentication. Is there a way to know after an oauth2 login if he is one of our openid users?
the ids look very different. A userid in google_oauth2 looks like this:
12345678901234567890
and a userid in google hybrid looks like this:
https://www.google.com/accounts/o8/id?id=AItOawnlIGFin5I0F059UdqSYbK9JmA99e99ms
Is there some way to fit this together? Is there an oauth based call i could make to retrieve such an openid userid? Since we use it for login purposes i would not want to put 2 google login buttons on the login page. I can hardly imagine our users to understand this.
Is there a common strategy to resolve such issues?
[0] https://developers.google.com/accounts/docs/OpenID#oauth
Google talks about a combination OpenId/OAuth call that should do what you need. However, all the links in the document are to OAuth 1.0. So you will need to investigate to make sure it works with OAuth 2.0, since Google's deprecated the OAuth 1.0 interface.
Ok, it seems i have a way to do it. Have to implement and check but theoretically it should work like this:
send user to oauth2 login
-> if known, log him in
-> if unknown send him to openid with immediate mode
-> if successfull log him in, associate the former oauth connection
-> if error the user is unknown and will be created with his oauth token
Immediate mode could also fail if the user was not logged in with google, but since he just came back from the oauth2 dance he would have to have logged out in between which is very unlikely since he gets redirected immediately.
Im having a bit of trouble figuring out how to get an OAuth access token for a Yahoo user who has created an account with Google or Facebook Sign-in. I've followed the OAuth flow described in the documentation, however this seems to only apply to users who have created a Yahoo account directly.
Has anyone else had trouble getting an access token for a user who has used Google or Facebook to sign into Yahoo?
I've looked at the OAuth + OpenID flow but I'm having trouble at the point where I should perform discovery. How would one receive an request_token for yahoo with a user who signs in via a Google OpenID?
Anyone else experienced this issue?
The only way I can see this happening is if Yahoo at some point allows Facebook and Google authentication in the OAuth authorization step. That would at least be the simplest way forward for an API consumer application.
The OAuth + OpenID flow will not help you I am afraid, it only works for Yahoo OpenIDs. I guess it could at least theoretically work for Google OpenIDs (if Yahoo implemented that), but Facebook is not even an OpenID provider.
I think Yahoo's stance on this is sound. They provide API access to users that they themselves have provisioned. I don't think you will find many API providers out there who will have a different strategy.
I wanted to build a simple WP7 app to learn how to use Silverlight, so I thought I'd create a very simple yammer app. As a starter it would have two screens - Login (Username & Password) and Feed.
Yammer user OAuth for its authentication but I just dont get it! i appreciate you need to request a token to use the REST interfaces, but I dont want my users (even if its just me) to need anything other than their login credentials, as they would use on the website. In my head the token can be used in a similar manner as a forms auth token in asp.net
Am I missing something? But I cant see anything in the yammer documentation about logging in.
The process for OAuth is as follows
You do a token request to Yammer. If needed they will ask for yammer credentials and send a token back to a URL of your application
You must use that token to sign all your petitions.
You can't stop Yammer asking for credentials because that's the idea of OAuth. Yammer does not trust you and it's impossible for you to keep any user Yammer's credentials. That way they can't be stolen from your site. The more you can store is a temporal token.
There is a very good guide to using OAuth on hueniverse, which features an example workflow. It's not completely up to date with the latest version of the spec, although this probably doesn't matter too much for your purposes.
I'm really new to this oauth stuff. I want to access a user's google reader liked items feed.
This blog says that oauth doesn't work (yet) with google reader. The working way seems to be to get the user's google credentials (email, password) directly, and login directly to google. This also gives me access to the rest of their services.
Is there a better way? I sure hope so, because ClientLogin is captchad. Not to mention I don't want the user to have to trust me with their google credentials.
Yes, there is a way ... but you still need the user's Google credentials to access the API. On the server-side, you can GET a secure token and authentication key ... these are then passed along with GET and POST requests to the Google Reader API to do whatever you want.
Here's a fairly robust C# tutorial (read the comments to make sure you're doing authentication right).
Here's an open-source PHP library that partially implements the Google Reader API without oAuth.
Authentication to Google Reader with Oauth is now available.