Monday, March 14, 2011

Making auth easier: OAuth 2.0 for Google APIs

One of the most exciting things about the architecture of the web is how easily it supports mashups—URLs, IFRAMEs, XHR, and more make it easy to build great new services on top of building blocks from others. As more and more people use the web for non-public data, we need new techniques to secure those building blocks. That’s where OAuth comes in—an open, standard way for users to grant permission for an application to access part of their account.

Since we announced support for OAuth in 2008, we've seen tremendous usage growth in our APIs that require user authorization, like Calendar and Docs. While the spec isn't completely finalized, Google is pleased to announce our experimental support of an easier way for developers to obtain user authorization for our APIs: OAuth 2.0 with bearer tokens. Whether you use our updated client libraries or just write to the protocol, you should be able to do more with less code.

In addition to supporting a simplified protocol, we're also introducing a simpler, cleaner consent page for OAuth 2.0:


Google believes in open systems that give users value, transparency and control. We hope the OAuth 2.0 protocol helps developers deliver just that: powerful applications that make use of user data without compromising on safety or security. Check out our documentation to get started with OAuth 2.0.

30 comments:

  1. Wow, good job Google. Hope it rolls out to all the APIs quickly!

    ReplyDelete
  2. Great job on this rollout! It's nice to see Google pushing the new specification.

    ReplyDelete
  3. Which OAuth2 revision implemented?

    ReplyDelete
  4. The current implementation is for version 10 of the OAuth 2 protocol:
    http://tools.ietf.org/html/draft-ietf-oauth-v2-10

    The specification is converging rapidly and we are committed to support the final version. Backward compatibility will be maintained.

    ReplyDelete
  5. awesome, just when i needed it the most :) thanks!

    ReplyDelete
  6. No more OAuth signatures! Yay!

    ReplyDelete
  7. Sweet! Looking forward to the docs for oauth 2.0 for installed apps :)

    ReplyDelete
  8. Then why doesn't Google support these kinds of "exciting" mashups? For example, why did Google Voice block iGoogle from accessing its mobile version in an iframe over a year ago and has yet to provide a different option?

    Many people have to use older browsers to view our iGoogle pages properly. Google seems to have abandoned iGoogle.

    A single page where we can view all of our inboxes and such is great but I guess Google don't get to shove as many ads in our faces that way. That's what it all comes down to, the all mighty dollar.

    ReplyDelete
  9. Here's an end-to-end sample of the OAuth 2 authorization flow in PHP: https://github.com/jcleblanc/oauth/tree/master/oauth2-php-google

    ReplyDelete
  10. I'm having an issue using the APIs. The examples show a request to access to the user's entire set of contacts. But I don't want that, I just want to know about the user.

    I just want to allow people to login to my website google's oauth.

    Can someone help by pointing to the documentation for the API of "just get basic information for a user"

    What I want is
    1. to ask the user just for permission to know basic information about them
    2. an API to get that basic information

    ReplyDelete
  11. @Matt:

    I want exactly the same thing that you want. But I think you are supposed to use OpenID right now. The problem is, that you get a lot of different login mechanisms because Twitter is using OAuth 1.0 (Or am I wrong?), Facebook is using OAuth 2.0 and Google is using OpenID for login. Please correct me if I´m wrong. So basically I have the same question.

    Will Google support login for basic user informations with OAuth 2.0 for Google APIs?

    ReplyDelete
  12. @Nils Magnus:

    Take another look:

    http://code.google.com/apis/accounts/docs/OAuth2.html#IA

    And post in the forums if you've got questions about it!

    @Matt and Jambi,

    Today we're supporting OpenID for login, but we've heard your pain about mess of different identity protocols on the web. Stay tuned :)

    ReplyDelete
  13. Hi,

    For native applications

    When use redirect_uri:redirect_uri=urn:ietf:wg:2.0:oob, return exception invalid_request: Invalid parameter value for redirect_uri: Missing authority: urn:ietf:wg:2.0:oob

    The correct thing redirect_uri=urn:ietf:wg:oauth:2.0:oob

    It's a typo?

    For server-side applications

    I did a small example, see http://gooogl.heroku.com

    Thanks for job!

    ReplyDelete
  14. Any idea if this has any impact on 2-Legged OAuth?

    ReplyDelete
  15. @Andrew

    Great news! How will it look like? Will there be a scope for basic user informations? I can´t wait ^.^

    ReplyDelete
  16. I have another question:

    Is it somehow possible to pass a redirect URL which is qualified for a GWT History token? I basically need to pass a hashmark within the URL, but it doesn´t seem to work. Neither with the character "#" or with the encoded type "%23". It would be important for me since I have to handle the different codes I get from facebook or google.

    kind regards, Michael

    ReplyDelete
  17. @Jambi

    OAuth 2 provides a parameter called "state" that can be used to pass data to the server and back. Would that work for you?

    ReplyDelete
  18. @Marius:

    thanks for the hint, but I need the state in the URL of the login redirect on the client. It´s important for me to have a token with a hashmark so I can combine it with the GWT history mechanism. The GWT History mechanism checks the URL for #token. It works with facebook. My workaround is, that I check the URL for a "&code=" string and after that I check if there is a #oauth_facebook token in the URL. If there´s no facebook token, I just append a new #oauth_google token. After that my history mechanism can handle the rest. It´s a bit dirty, but it works ;) ... I hope I can find a better solution, but I think Google should allow the Hashmarks in the URLs because in my opinion it´s a reasonable way to handle the login with the history mechanism in ajax apps.

    kind regards, Michael

    ReplyDelete
  19. @Andrew
    Is there an eta on the PHP library release?
    Thanks sapper!

    ReplyDelete
  20. Speaking of a PHP library, it'd be nice if there were a simple sample open-source web app example, too.

    ReplyDelete
  21. Its not working for installed APP, if I set redirect_uri=urn:ietf:wg:oauth:2.0:oob i get a redirect mismacth error this happens when i set the same parameter in blank on the api console or when i put any url and it shows an error when i try to set it to urn:ietf:wg:oauth:2.0:oob

    ReplyDelete
  22. omarenm, can you please make sure the client is registered as an "Installed application"?

    ReplyDelete
  23. How to I register an application to use Blogger Oauth2 api? Where is the url to register my application? The one I found here https://code.google.com/apis/console/
    does not include Blogger as one of the available services.

    ReplyDelete
  24. Is it possible to use OAuth 2.0 + OpenID for the hybrid protocol?

    From the request parameters and examples listed here http://code.google.com/apis/accounts/docs/OpenID.html#oauth, it seems the hybrid only supports OAuth 1.0. (openid.oauth.consumer expects consumer key, and there is no client_id)

    Am I wrong? Please tell me I'm wrong.

    @Andrew: any update on when oauth 2.0 will provide basic user info by default? All I need is something to uniquely identify the users logging in, doesn't even have to be access to email/username.

    Right now it seems better to have my own login system, which I was hoping to avoid, and use oauth 2.0 for google api access only when needed.

    ReplyDelete
  25. Is it possible to use OAuth 2.0 + OpenID for the hybrid protocol?

    From the request parameters and examples listed here http://code.google.com/apis/accounts/docs/OpenID.html#oauth, it seems the hybrid only supports OAuth 1.0. (openid.oauth.consumer expects consumer key, and there is no client_id)

    Am I wrong? Please tell me I'm wrong.

    @Andrew: any update on when oauth 2.0 will provide basic user info by default? All I need is something to uniquely identify the users logging in, doesn't even have to be access to user's email/username.

    ReplyDelete
  26. hiii i dont know where to post but i am posting here please help ... when i try to create clientid by using redirect uris i am getting error of invalid. i am giving this uri

    http://myserver/directory/gplus/

    ReplyDelete
  27. @Andrew: I have a similar request as @srimonti. I just need to validate the user and give them access to our Hosted Domain apps resources, but without the whole confirm/approve process.

    When will this be available through oAuth?

    Thanks!

    ReplyDelete
  28. Hello.
    Its possible to convert a google cookie-based session to the oauth2 token?
    If i have the session cookies, can i get the token?
    Thanks!

    ReplyDelete