One of the most exciting things about the architecture of the web is how easily it supports mashups—URLs, IFRAMEs, XHR, and more make it easy to build great new services on top of building blocks from others. As more and more people use the web for non-public data, we need new techniques to secure those building blocks. That’s where OAuth comes in—an open, standard way for users to grant permission for an application to access part of their account.
Since we announced support for OAuth in 2008, we've seen tremendous usage growth in our APIs that require user authorization, like Calendar and Docs. While the spec isn't completely finalized, Google is pleased to announce our experimental support of an easier way for developers to obtain user authorization for our APIs: OAuth 2.0 with bearer tokens. Whether you use our updated client libraries or just write to the protocol, you should be able to do more with less code.
In addition to supporting a simplified protocol, we're also introducing a simpler, cleaner consent page for OAuth 2.0:
Google believes in open systems that give users value, transparency and control. We hope the OAuth 2.0 protocol helps developers deliver just that: powerful applications that make use of user data without compromising on safety or security. Check out our documentation to get started with OAuth 2.0.
Wow, good job Google. Hope it rolls out to all the APIs quickly!
Great job on this rollout! It's nice to see Google pushing the new specification.
Which OAuth2 revision implemented?
The current implementation is for version 10 of the OAuth 2 protocol:
http://tools.ietf.org/html/draft-ietf-oauth-v2-10
The specification is converging rapidly and we are committed to support the final version. Backward compatibility will be maintained.
awesome, just when i needed it the most :) thanks!
No more OAuth signatures! Yay!
Sweet! Looking forward to the docs for oauth 2.0 for installed apps :)
Sweeeeeet.
Then why doesn't Google support these kinds of "exciting" mashups? For example, why did Google Voice block iGoogle from accessing its mobile version in an iframe over a year ago and has yet to provide a different option?
Many people have to use older browsers to view our iGoogle pages properly. Google seems to have abandoned iGoogle.
A single page where we can view all of our inboxes and such is great but I guess Google don't get to shove as many ads in our faces that way. That's what it all comes down to, the almighty dollar.
I'm having an issue using the APIs. The examples show a request to access to the user's entire set of contacts. But I don't want that, I just want to know about the user.
I just want to allow people to log in to my website using Google's OAuth.
Can someone help by pointing to the documentation for the API of "just get basic information for a user"
What I want is
1. to ask the user just for permission to know basic information about them
2. an API to get that basic information
@Matt:
I want exactly the same thing that you want. But I think you are supposed to use OpenID right now. The problem is that you get a lot of different login mechanisms because Twitter is using OAuth 1.0 (Or am I wrong?), Facebook is using OAuth 2.0 and Google is using OpenID for login. Please correct me if I'm wrong. So basically I have the same question.
Will Google support login for basic user information with OAuth 2.0 for Google APIs?
@Nils Magnus:
Take another look:
http://code.google.com/apis/accounts/docs/OAuth2.html#IA
And post in the forums if you've got questions about it!
@Matt and Jambi,
Today we're supporting OpenID for login, but we've heard your pain about the mess of different identity protocols on the web. Stay tuned :)
Hi,
For native applications
When use redirect_uri:redirect_uri=urn:ietf:wg:2.0:oob, return exception invalid_request: Invalid parameter value for redirect_uri: Missing authority: urn:ietf:wg:2.0:oob
The correct thing redirect_uri=urn:ietf:wg:oauth:2.0:oob
It's a typo?
For server-side applications
I did a small example, see http://gooogl.heroku.com
Thanks for job!
Any idea if this has any impact on 2-Legged OAuth?
@Andrew
Great news! What will it look like? Will there be a scope for basic user information? I can't wait ^.^
I have another question:
Is it somehow possible to pass a redirect URL which is qualified for a GWT History token? I basically need to pass a hashmark within the URL, but it doesn't seem to work. Neither with the character "#" or with the encoded type "%23". It would be important for me since I have to handle the different codes I get from facebook or google.
kind regards, Michael
@Jambi
OAuth 2 provides a parameter called "state" that can be used to pass data to the server and back. Would that work for you?
@Marius:
thanks for the hint, but I need the state in the URL of the login redirect on the client. It's important for me to have a token with a hashmark so I can combine it with the GWT history mechanism. The GWT History mechanism checks the URL for #token. It works with facebook. My workaround is, that I check the URL for a "&code=" string and after that I check if there is a #oauth_facebook token in the URL. If there's no facebook token, I just append a new #oauth_google token. After that my history mechanism can handle the rest. It's a bit dirty, but it works ;) ... I hope I can find a better solution, but I think Google should allow the Hashmarks in the URLs because in my opinion it's a reasonable way to handle the login with the history mechanism in ajax apps.
kind regards, Michael
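The `state` round trip discussed in this exchange, sketched as an added example (not code from the post, the commenters, or Google): the client packs a one-time nonce and the history token into `state`, verifies the nonce on the redirect back, and only then restores the fragment. The endpoint, client ID, redirect URI, the `oauth_nonce` storage key and all function names are assumptions made for illustration.

```javascript
// Added example. Endpoint, client ID and redirect URI are placeholders, not Google's values.
const AUTH_ENDPOINT = "https://auth.example.test/oauth2/auth";
const CLIENT_ID = "example-client-id";
const REDIRECT_URI = "https://app.example.test/callback"; // registered without a '#'
// Allow-list for history tokens such as "oauth_google".
const isToken = (t) => typeof t === "string" && /^[\w-]{1,64}$/.test(t);

const b64url = {
  encode: (s) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, ""),
  decode: (s) =>
    atob(s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4)),
};

function newNonce() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Before redirecting: remember a one-time nonce and pack it into `state`
// together with the history token the client wants back.
// `store` is any object with the sessionStorage interface.
function buildAuthRequest(historyToken, store, nonce = newNonce()) {
  if (!isToken(historyToken)) throw new Error("unexpected history token");
  store.setItem("oauth_nonce", nonce);
  const query = new URLSearchParams({
    response_type: "code",
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    state: b64url.encode(JSON.stringify({ n: nonce, h: historyToken })),
  });
  return `${AUTH_ENDPOINT}?${query}`;
}

// On the redirect back: accept the code only if `state` carries the stored
// nonce, then hand back the fragment for the client-side history mechanism.
function handleCallback(callbackUrl, store) {
  const params = new URL(callbackUrl).searchParams;
  const expected = store.getItem("oauth_nonce");
  store.removeItem("oauth_nonce"); // single use, so a replayed callback fails
  let decoded;
  try {
    decoded = JSON.parse(b64url.decode(params.get("state") || ""));
  } catch {
    return { ok: false, reason: "malformed state" };
  }
  if (!expected || !decoded || decoded.n !== expected) return { ok: false, reason: "state mismatch" };
  if (!isToken(decoded.h)) return { ok: false, reason: "bad history token" };
  return { ok: true, code: params.get("code"), fragment: `#${decoded.h}` };
}
```

In a browser, pass `window.sessionStorage` as `store` and assign the returned `fragment` to `location.hash` once the result is `ok`.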
@Andrew
Is there an eta on the PHP library release?
Thanks sapper!
Speaking of a PHP library, it'd be nice if there were a simple sample open-source web app example, too.
It's not working for installed APP, if I set redirect_uri=urn:ietf:wg:oauth:2.0:oob I get a redirect mismatch error. This happens when I set the same parameter in blank on the api console or when I put any url, and it shows an error when I try to set it to urn:ietf:wg:oauth:2.0:oob
omarenm, can you please make sure the client is registered as an "Installed application"?
How do I register an application to use Blogger Oauth2 api? Where is the url to register my application? The one I found here https://code.google.com/apis/console/ does not include Blogger as one of the available services.
Is it possible to use OAuth 2.0 + OpenID for the hybrid protocol?
From the request parameters and examples listed here http://code.google.com/apis/accounts/docs/OpenID.html#oauth, it seems the hybrid only supports OAuth 1.0. (openid.oauth.consumer expects consumer key, and there is no client_id)
Am I wrong? Please tell me I'm wrong.
@Andrew: any update on when oauth 2.0 will provide basic user info by default? All I need is something to uniquely identify the users logging in, doesn't even have to be access to email/username.
Right now it seems better to have my own login system, which I was hoping to avoid, and use oauth 2.0 for google api access only when needed.
hiii i dont know where to post but i am posting here please help ... when i try to create clientid by using redirect uris i am getting error of invalid. i am giving this uri
http://myserver/directory/gplus/
@Andrew: I have a similar request as @srimonti. I just need to validate the user and give them access to our Hosted Domain apps resources, but without the whole confirm/approve process.
When will this be available through oAuth?
Thanks!
Hello.
Its possible to convert a google cookie-based session to the oauth2 token?
If i have the session cookies, can i get the token?
Thanks!