OAuth 2.0, CORS and the GR API

Dirkjan Ochtman

Apr 28, 2012, 11:13:03 AM
to foug...@googlegroups.com
Hi there,

I tried to take a whack at building a GR client in JavaScript today. However, I can't seem to get it to work with the modern JS authentication API [1] -- the older stuff seems to be deprecated, so I figured I'd try the new one. First, the gapi.client.request() stuff seems to be limited to just www.googleapis.com, so that was no use. Then I tried using jQuery's $.ajax().

When I try to pass my OAuth token in the Authorize header, the request is no longer "simple" according to the CORS reasoning. So, preflighting kicks in and does an OPTIONS request, which gets a 405 Method Not Allowed from the API.

When reading up on this stuff, I found [2], which also mentions that I could just pass the access_token as a GET parameter. That seemed nice enough and it resulted in a 200 OK response with a seemingly functional X-Reader-User header, but it also has X-XSS-Protection: 1; mode-block and it has an empty response body.

Should I just revert back to the AuthSub flow, or is there some way to get this working? JSONP didn't seem to work out, either...

Cheers,

Dirkjan

[1] http://code.google.com/p/google-api-javascript-client/
[2] http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-04
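
As an added example (not part of the original post or of any Google code), the sketch below models the browser behaviour described above: an `Authorization` header takes a GET out of the CORS-safelisted set and triggers an OPTIONS preflight, and a 405 reply to that preflight blocks the real request. The origin, token and responses are constructed placeholders, and the safelist is a simplified version of the one in the Fetch standard.

```javascript
// Added example: simplified model of the browser's CORS preflight decision.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Lower-cased names of request headers that are not CORS-safelisted.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (SAFE_HEADERS.has(n)) return false;
    if (n !== "content-type") return true; // Authorization, X-Requested-With, ...
    const mime = String(value).split(";")[0].trim().toLowerCase();
    return !SAFE_CONTENT_TYPES.has(mime);
  }).map(([name]) => name.toLowerCase());
}

// True when the browser sends an OPTIONS request before the real one.
function needsPreflight(method, headers = {}) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaders(headers).length > 0;
}

const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// True when the OPTIONS response lets the real request go ahead.
// Simplification: "*" is not honoured for headers (Authorization must be named explicitly anyway).
function preflightAllows(resp, origin, method, headers = {}) {
  if (resp.status < 200 || resp.status > 299) return false; // e.g. 405
  const h = {};
  for (const [k, v] of Object.entries(resp.headers)) h[k.toLowerCase()] = v;
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) return false;
  const methods = list(h["access-control-allow-methods"]);
  const methodOk = SAFE_METHODS.has(method.toUpperCase()) ||
    methods.includes(method.toLowerCase()) || methods.includes("*");
  const allowed = list(h["access-control-allow-headers"]);
  return methodOk && unsafeHeaders(headers).every((n) => allowed.includes(n));
}

// Constructed sample data (origin, token and responses are placeholders).
const ORIGIN = "https://client.example";
const withHeader = { Authorization: "Bearer PLACEHOLDER_TOKEN" };
const rejected = { status: 405, headers: {} };
const permissive = { status: 204, headers: {
  "Access-Control-Allow-Origin": ORIGIN, "Access-Control-Allow-Headers": "Authorization",
} };
console.log(needsPreflight("GET", withHeader), needsPreflight("GET"),
  preflightAllows(rejected, ORIGIN, "GET", withHeader), preflightAllows(permissive, ORIGIN, "GET", withHeader));
```

Moving the token into the query string keeps the request simple, but the token then appears in URLs, which end up in server logs and browser history.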

Dirkjan Ochtman

Jun 7, 2012, 2:37:10 AM
to foug...@googlegroups.com
On Saturday, April 28, 2012 5:13:03 PM UTC+2, Dirkjan Ochtman wrote:
> Should I just revert back to the AuthSub flow, or is there some way to get this working? JSONP didn't seem to work out, either...

Any news on this?

Cheers,

Dirkjan