I am writing to ask some details about your authentication API. We are
currently using AuthSub to authenticate users for our site using their
existing Google accounts - which is great, because it makes the
process very easy.
The only thing is that our beta testers seem to be somehow reticent in
using this form of authentication, because the lowest data-sharing-level
API that we have from Google shares too much. The API that we
use is the Contacts one, as it allows retrieving the username of the
logged in user. But this raises a lot of privacy issues regardless of
our very strict policy ("no data besides email and full name will be
retrieved from your Google account").
Is there another way to use AuthSub but have a lower level for the
data sharing? Or is there any work in progress for providing something
close to 'just authentication' via the AuthSub API?
(The application is private-beta, and Romanian-only for the moment -
but if you want to take a look at it we can mail you access
credentials - noi (at) dreamproduction.ro)
I'm not sure if I completely understand your use case. Why do you
need to use the Google Data APIs if you're only interested in a user's
name and email but don't actually interact with his/her data?
AuthSub provides authorization to a user's Google Data
for a particular service (contacts, calendars, documents, picasa
photos, etc.) depending on the scope parameter you set. It's not
intended as an authentication method as you described.
By using scope=http://www.google.com/m8/feeds/groups, your token
will only work with the Contact Groups feed. So for example, trying to
retrieve the user's contact list (GET http://www.google.com/m8/feeds/contacts/default/full)
will not work. Instead, you'll get an "Invalid scope" error. The
good news is that the groups feed only returns a user's contact groups.
These aliases don't expose _who_ is in the group.
I think this is somewhat better than exposing their entire contact
listing, but still exposes some of their data.
Again, the purpose of AuthSub is to be able to access user data so
there's no way to completely cut that 'sharing' out.
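The scope narrowing described in the reply above, as an added example that is not code from the thread or from Google: it builds an AuthSubRequest approval URL limited to the groups scope and checks locally which feed URLs that scope covers. The `next` return URL is a placeholder, and treating a scope as a URL prefix matched on a path-segment boundary is an assumption of this sketch.

```python
from urllib.parse import quote, urlencode, urlsplit

AUTHSUB_REQUEST = "https://www.google.com/accounts/AuthSubRequest"
# Both URLs below are the ones quoted in the thread.
GROUPS_SCOPE = "http://www.google.com/m8/feeds/groups"
CONTACTS_FEED = "http://www.google.com/m8/feeds/contacts/default/full"


def authsub_request_url(next_url, scopes, session=False, secure=False):
    """Build the approval-page URL; several scopes are space-separated."""
    query = urlencode(
        {
            "next": next_url,
            "scope": " ".join(scopes),
            "session": int(session),  # 0 = single-use token
            "secure": int(secure),    # 0 = unsigned requests
        },
        quote_via=quote,  # encode spaces as %20 rather than '+'
    )
    return f"{AUTHSUB_REQUEST}?{query}"


def in_scope(feed_url, scopes):
    """Return True if feed_url falls under one of the requested scopes.

    Assumption: a scope acts as a URL prefix. The match is made on a
    path-segment boundary so that '/m8/feeds/groups' does not also
    cover a sibling path such as '/m8/feeds/groupsx'.
    """
    feed = urlsplit(feed_url)
    for scope in scopes:
        s = urlsplit(scope)
        if (feed.scheme, feed.netloc.lower()) != (s.scheme, s.netloc.lower()):
            continue
        base = s.path.rstrip("/")
        if feed.path == base or feed.path.startswith(base + "/"):
            return True
    return False


if __name__ == "__main__":
    # Placeholder return URL (constructed for this example).
    print(authsub_request_url("https://app.example.test/authsub/return", [GROUPS_SCOPE]))
    for feed in (GROUPS_SCOPE + "/default/full", CONTACTS_FEED):
        print(feed, "->", "in scope" if in_scope(feed, [GROUPS_SCOPE]) else "out of scope")
```
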
Thanks a lot for the answer and your suggestion - indeed, requesting
the groups is better :) so we changed our request url to do that.
The only thing is that when a user has to approve access for our
application:
- the screen shows that we are connecting to the CONTACTS api
- the only indication that we are requesting the groups is one word in
the link: Contacts http://www.google.com/m8/feeds/groups (which is not
very obvious to the normal user)
- and the link is not working (authorization required - 401) - which
is strange because I am authenticated :D.
Having the scope of the request made more clear for the user would be
great.
Also, being able to see what data will be accessible to the
application if I approve it (through the link that is not working now)
would be great. Now we have to explain to the users that we don't have
access to their contact addresses. If the link would work and they
would see that the data we can access is just the list ("My contacts",
"Most contacted") it would be a lot more powerful.
On Jul 20, 3:49 am, Irina <irina.dumitra...@gmail.com> wrote:
> Hi Eric,
> Thanks a lot for the answer and your suggestion - indeed, requesting
> the groups is better :) so we changed our request url to do that.
> The only thing is that when a user has to approve access for our
> application:
> - the screen shows that we are connecting to the CONTACTS api
> - the only indication that we are requesting the groups is one word in
> the link: Contacts http://www.google.com/m8/feeds/groups (which is not
> very obvious to the normal user)
You _are_ connecting to the Contacts API--just narrowing
the scope of the data your token can access.
> - and the link is not working (authorization required - 401) - which
> is strange because I am authenticated :D.
This has been updated for the case of requesting multiple scopes:
You'll notice that the label still says 'Google Contacts', but the
link points to iGoogle (because Contacts is part of GMail, Google Health,
iGoogle, etc. and doesn't have a central location). I imagine this same
fix will be implemented for the single-scoped case soon.
> Having the scope of the request made more clear for the user would be
> great.
> Also, being able to see what data will be accessible to the
> application if I approve it (through the link that is not working now)
> would be great. Now we have to explain to the users that we don't have
> access to their contact addresses. If the link would work and they
> would see that the data we can access is just the list ("My contacts",
> "Most contacted") it would be a lot more powerful.
My suggestion was somewhat of a hack to find a user's
email address. Again, AuthSub is not intended to be an
authentication method.
- regarding the scope of the access token - as a user, I consider it
quite important as the data that I share with the application varies
with respect to that token - but probably there are not many apps that
request access to contacts without fully accessing the contacts data,
so I understand that making the scope more clear is not a big issue
for you
- it's great to find out that the feed link will be valid soon
As a side note, we've open sourced our code for doing authentication
via the contact groups' AuthSub api - it's a CakePHP component:
http://code.google.com/p/oka/ :)
Have a nice day,
Irina
Previous message continued:
- isn't there a chance that providing also an authentication api (via
the same mechanism) would be a good idea? I know at least 2 apps that
use the auth-via-authorization tweak :D
Developers often request the ability to authenticate
users (and not just authorize data). I think something
like OpenID would be a decent solution for Google Accounts,
and I suspect the team will weigh its options.
It's always great to hear use cases :)
Eric