Authentication (in chrome extension and in web app)
1,152 views
Skip to first unread message
Bit Liner
Feb 27, 2011, 8:53:56 PM2/27/11
to Chromium-extensions
Hi,
i have a web app on google app engine, and i'm creating a chrome
extension that interacts with web app.
this chrome extension executes some ajax call to web app, but some of
ajax call is protected by authentication.
Have you got some advises for me about how implementing the
authentication in the web app and in chrome extension?
PS:
i think to not use users service for authentication offered by gae
i have a web app on google app engine, and i'm creating a chrome
extension that interacts with web app.
this chrome extension executes some ajax call to web app, but some of
ajax call is protected by authentication.
Have you got some advises for me about how implementing the
authentication in the web app and in chrome extension?
PS:
i think to not use users service for authentication offered by gae
Edward Gerhold
Feb 28, 2011, 6:05:30 PM2/28/11
to Chromium-extensions
Hello.
I don´t use app engine today, but i think this will deal with OAuth
like the other Google Services do, or don´t they? In the chrome
extensions documentation you can find an OAuth tutorial with some
sample libraries, which you could and should use. See
http://code.google.com/chrome/extensions/tut_oauth.html:
--- excerpt -- Getting started
First, copy over the three library files from the Chromium source tree
at .../examples/extensions/oauth_contacts/:
chrome_ex_oauth.html - interstitial page for the oauth_callback URL
chrome_ex_oauth.js - core OAuth library
chrome_ex_oauthsimple.js - helpful wrapper for chrome_ex_oauth.js
Place the three library files in the root of your extension directory
(or wherever your JavaScript is stored). Then include both .js files
in your background page in the following order:
<script type="text/javascript" src="chrome_ex_oauthsimple.js"></
script>
<script type="text/javascript" src="chrome_ex_oauth.js"></script>
Your background page will manage the OAuth flow.
--- excerpt ---
The OAuth documentation can be found at:
http://code.google.com/intl/de-DE/apis/accounts/docs/OAuth.html
--- excerpt ---
At a basic level, the process is as follows:
Your application requests access and gets an unauthorized request
token from Google's authorization server.
Google asks the user to grant you access to the required data.
Your application gets an authorized request token from the
authorization server.
You exchange the authorized request token for an access token.
You use the access token to request data from Google's service access
servers.
--- excerpt ---
Hint: The calls are made with parameters behind the url, where you
send the info with. Look for the URL/GET parameters used for the
Requests, you have to implement these variables to pass them to the
URL to make request. The rest should be easy. It looks like much more
than it is, if you start reading the documentation.
1/3: Getting the request token
https://www.google.com/accounts/OAuthGetRequestToken
2/3: Authorize the request token
https://www.google.com/accounts/OAuthAuthorizeToken
3/3: Upgrade to an access token
https://www.google.com/accounts/OAuthGetAccessToken
Try these addresses in your Browser, the error message returning will
give you a hint about the missing variables.
The variables, i don´t know them by heart are these "oauth_nonce,
oauth_timestamp, ..." You´ll find them!!! They are the only vars used.
But i do not know these to list them for you here. I have to practice
that, too. Each request of the three has it´s own couple of these.
From the first request you get the token, you use in the second
request, etc. Sorry, don´t remember more vars, even not consumer or
consumer_key, which would be anonymous for the extension. Please look
at the documentation yourself, you´ll have to read it anyways. The
most important things about the urls/requests are said, the rest will
be obvious for you, i guess.
For the extension, using the chrome extensions oauth tutorial and libs
is an option. We could (should) use it before writing an own library,
which consists of parameter structures and making the requests, for
me.
Wish you much luck
Edward
I don´t use app engine today, but i think this will deal with OAuth
like the other Google Services do, or don´t they? In the chrome
extensions documentation you can find an OAuth tutorial with some
sample libraries, which you could and should use. See
http://code.google.com/chrome/extensions/tut_oauth.html:
--- excerpt -- Getting started
First, copy over the three library files from the Chromium source tree
at .../examples/extensions/oauth_contacts/:
chrome_ex_oauth.html - interstitial page for the oauth_callback URL
chrome_ex_oauth.js - core OAuth library
chrome_ex_oauthsimple.js - helpful wrapper for chrome_ex_oauth.js
Place the three library files in the root of your extension directory
(or wherever your JavaScript is stored). Then include both .js files
in your background page in the following order:
<script type="text/javascript" src="chrome_ex_oauthsimple.js"></
script>
<script type="text/javascript" src="chrome_ex_oauth.js"></script>
Your background page will manage the OAuth flow.
--- excerpt ---
The OAuth documentation can be found at:
http://code.google.com/intl/de-DE/apis/accounts/docs/OAuth.html
--- excerpt ---
At a basic level, the process is as follows:
Your application requests access and gets an unauthorized request
token from Google's authorization server.
Google asks the user to grant you access to the required data.
Your application gets an authorized request token from the
authorization server.
You exchange the authorized request token for an access token.
You use the access token to request data from Google's service access
servers.
--- excerpt ---
Hint: The calls are made with parameters behind the url, where you
send the info with. Look for the URL/GET parameters used for the
Requests, you have to implement these variables to pass them to the
URL to make request. The rest should be easy. It looks like much more
than it is, if you start reading the documentation.
1/3: Getting the request token
https://www.google.com/accounts/OAuthGetRequestToken
2/3: Authorize the request token
https://www.google.com/accounts/OAuthAuthorizeToken
3/3: Upgrade to an access token
https://www.google.com/accounts/OAuthGetAccessToken
Try these addresses in your Browser, the error message returning will
give you a hint about the missing variables.
The variables, i don´t know them by heart are these "oauth_nonce,
oauth_timestamp, ..." You´ll find them!!! They are the only vars used.
But i do not know these to list them for you here. I have to practice
that, too. Each request of the three has it´s own couple of these.
From the first request you get the token, you use in the second
request, etc. Sorry, don´t remember more vars, even not consumer or
consumer_key, which would be anonymous for the extension. Please look
at the documentation yourself, you´ll have to read it anyways. The
most important things about the urls/requests are said, the rest will
be obvious for you, i guess.
For the extension, using the chrome extensions oauth tutorial and libs
is an option. We could (should) use it before writing an own library,
which consists of parameter structures and making the requests, for
me.
Wish you much luck
Edward
Edward Gerhold
Feb 28, 2011, 6:15:16 PM2/28/11
to Chromium-extensions
I hate writing down more, coz i f*** up the newsfeed and the emails
with.
I´ll stop that and take a little more time for writing, next time.
Of course i forgot to state that the correct HTTP header is required,
too.
It is easy to create it, but don´t overlook that in the chapters.
The other thing i didn´t point to was the signature, i saw it when
hitting
the first url and remembered.
Ok, next time i´ll take more time to research again what i write.
Before i forget, the extension can not handle the url parameters, but
that
is explained in the docs, too, how that works.
Have fun with implementing the oauth protocol. You can use it then
for
many many google services. Without, many things will be only a theory,
coz you ain´t authorized for calls ;-)
Eddie
with.
I´ll stop that and take a little more time for writing, next time.
Of course i forgot to state that the correct HTTP header is required,
too.
It is easy to create it, but don´t overlook that in the chapters.
The other thing i didn´t point to was the signature, i saw it when
hitting
the first url and remembered.
Ok, next time i´ll take more time to research again what i write.
Before i forget, the extension can not handle the url parameters, but
that
is explained in the docs, too, how that works.
Have fun with implementing the oauth protocol. You can use it then
for
many many google services. Without, many things will be only a theory,
coz you ain´t authorized for calls ;-)
Eddie
Reply all
Reply to author
Forward
0 new messages