Friday, January 29, 2010

Flashy New Authentication: AuthSub Adds Support for ActionScript

Today, we are happy to announce the launch of AuthSub for ActionScript, a new component of the well-known AuthSub authentication interface for the Google Data Protocol. This new feature enables Flash and Silverlight applications to access data securely on behalf of a user, without the application ever seeing the user’s private login credentials.

To use AuthSub for ActionScript (or as we’re calling it, AuthSubAS), first ensure that the API you are accessing offers cross-domain support by checking for a crossdomain.xml file like those offered by the Picasa Web Albums Data API and the YouTube Data API. If the API supports cross-domain scripting, point your Flash app to https://accounts.googleapis.com/accounts/AuthSub{Request,SessionToken} and authenticate. If you’re familiar with how AuthSub for JavaScript works, AuthSubAS works in much the same way. For more information, see the AuthSub for ActionScript guide and check out this code sample.

Currently, cross-domain requests are only supported by the Picasa Web Albums Data API and the YouTube Data API. However, as more APIs offer cross-domain scripting through an open crossdomain.xml file, AuthSubAS authentication will work automatically. For questions about a specific API or to encourage your API to provide AuthSubAS support sooner, visit your API’s support group in Google Groups.
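The crossdomain.xml check described above can be scripted. The following is an added example, not code from this post or from Google: it evaluates a policy file to see whether a given SWF host may read responses and send the Authorization header that carries the AuthSub token, and whether the policy is open to every domain. The sample policy, host names and function names are assumptions, and `*.suffix` is treated here as matching subdomains only.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for illustration (not copied from any Google API).
SAMPLE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*.example.com" secure="true"/>
  <allow-http-request-headers-from domain="*.example.com"
      headers="Authorization,X-GData-*"/>
</cross-domain-policy>"""


def _domain_matches(pattern, host):
    """Match a policy domain pattern: exact name, '*', or '*.suffix'."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # assumption: subdomains only
    return pattern == host


def _header_allowed(spec, header):
    """'headers' is a comma-separated list; entries may be '*' or end in '*'."""
    header = header.lower()
    for entry in (e.strip().lower() for e in spec.split(",")):
        if entry == "*" or entry == header:
            return True
        if entry.endswith("*") and header.startswith(entry[:-1]):
            return True
    return False


def evaluate_policy(xml_text, swf_host, header="Authorization"):
    """Report whether swf_host may read data and send `header`."""
    # For policies fetched from the network, parse with a hardened XML parser.
    root = ET.fromstring(xml_text)
    result = {"access": False, "header": False, "open_to_all": False}
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        result["open_to_all"] |= domain == "*"
        result["access"] |= _domain_matches(domain, swf_host)
    for el in root.iter("allow-http-request-headers-from"):
        if _domain_matches(el.get("domain", ""), swf_host):
            result["header"] |= _header_allowed(el.get("headers", ""), header)
    return result
```

An `open_to_all` result of `True` means any SWF, from any origin, can read that API's responses in the user's browser, so it is worth reviewing before relying on the policy.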

15 comments:

  1. Thank you, thank you, thank you.

    Where will you be posting announcements of the additional APIs?

    Again, thank you.

  2. This comment has been removed by the author.

  3. Cool. Now do an OAuth for applications that allows applications to register. That security warning is a real disincentive to use OAuth for apps and to consider ClientLogin instead, despite the faster expiration of ClientLogin tokens.

  4. Is anyone aware of an effort to port the Google Data Protocol Client Libraries to Actionscript?

  5. @Geoffrey - Additional announcements will be posted here and on the API's own blog (if it has one).

    @DJC - We don't have any plans to write an ActionScript library in the near future. If you know of an awesome one or write one yourself, please let us know!

  6. @Zach - Thank you for the info.

  7. I guess the ranty blog post I wrote last week can be updated, thanks guys! Now how about encryption support with ClientLogin authentication?

  8. Where do we find the appropriate crossdomain.xml file to load for a given service? Specifically, I'm looking for Google Finance.

  9. I notice mention of OAuth is conspicuously absent. This can of course be done, since a crossdomain file allowing an Authorization header will effectively allow both AuthSub and OAuth.

    However, it occurred to me trying to use OAuth in ActionScript is very iffy, since it's easy to decompile a swf and take out the consumer secret. Is this the reason you don't seem to be "officially" supporting OAuth from AS?

    Is there any way around this problem? I don't see one that is secure.

  10. @Robert - Finance doesn't support crossdomain.xml quite yet, but you can lobby for it in the Finance support group at http://groups.google.com/group/google-finance-apis

  11. AuthSubRevokeToken doesn't work

    https://accounts.googleapis.com/accounts/AuthSubRevokeToken doesn't take POST like the other methods

    https://google.com/accounts/AuthSubRevokeToken doesn't have a crossdomain.xml file

    how is one supposed to revoke the token?

  12. Does Google Docs Api support crossdomain?
