Oauth support in Android
111 views
Skip to first unread message
Davy De Waele
Apr 10, 2011, 6:08:24 AM4/10/11
to google-api-java-client
Hi,
I just started looking at the google-api-java-client as I'm interested
in its Android support.
However, despite the fact that the library also supports the OAuth
authentication mechanism, I didn't find any sample that uses OAuth
with google-api-java-client on the Android platform.
There are lots of OAuth examples as standalone applications, and the
only Android samples seem to use the AccountManager.
Is it possible to use the google-api-java-client on the Android
platform to do authentication using OAuth on the Android platform ?
Or do you still need other libraries (such as signpost) to do the
actual OAuth dance, and then pass on the token to the google-api-java-
client to continue making authorized calls ?
Regards,
Davy
I just started looking at the google-api-java-client as I'm interested
in its Android support.
However, despite the fact that the library also supports the OAuth
authentication mechanism, I didn't find any sample that uses OAuth
with google-api-java-client on the Android platform.
There are lots of OAuth examples as standalone applications, and the
only Android samples seem to use the AccountManager.
Is it possible to use the google-api-java-client on the Android
platform to do authentication using OAuth on the Android platform ?
Or do you still need other libraries (such as signpost) to do the
actual OAuth dance, and then pass on the token to the google-api-java-
client to continue making authorized calls ?
Regards,
Davy
Jonathan Foley
Apr 10, 2011, 7:38:51 PM4/10/11
to google-api-...@googlegroups.com
Davy,
In Android 2+ the reccomended route is using AccountManager, its
painless for both the developer and the use otherwise
support is there through methods to generate and sign requests:
Look at:
com.google.api.client.auth.oauth for Oauth 1.0a
and
com.google.api.client.auth.oauth2 for Oauth 2 draft 10
JavaDoc: http://javadoc.google-api-java-client.googlecode.com/hg/1.3.1-alpha/index.html
If you want to use an external library, I'd recommend Scribe:
https://github.com/fernandezpablo85/scribe-java
Signpost is no-longer being actively developed and Scribe has a much
nice API IMO.
Jonathan
Davy
Apr 11, 2011, 8:31:17 AM4/11/11
to google-api-java-client
Jonathan,
Thanks for the info.
Just for my understanding, I had some additional questions
1. If I understand correctly, using the Android AccountManager means
we're effectively using Google's ClientLogin protocol right ?
On http://code.google.com/apis/accounts/docs/GettingStarted.html I was
reading this :
AuthSub and ClientLogin are Google's proprietary authorization APIs,
available as an alternative to OAuth for most Google APIs. If
possible, you should avoid using these services. If you already have
applications that use them, you should migrate to the recommended
options described above.
So, are we saying that on Android we *should* use ClientLogin where
possible, as opposed to OAuth ? Most Google APIs support ClientLogin
as an authentication, but for some (ex: Latitude API), we need to use
OAuth.
2. On the Google APIs page (http://code.google.com/p/google-api-java-
client/wiki/GoogleAPIs#Google_Latitude_API), I noticed that for the
Latitude API, it mentions "Android is not supported for this API".
Why is Android not supported for this API ? This sample could in
theory run just fine on Android no (only the Jetty callback to fetch
the access token would be implemented differently) ?
I looked a bit further and implemented the OAuth flow using google-api-
java-client and it seems to be working fine. (used the Google Buzz
API).
What would prevent me for using the Latitude API in the same way on
the Android platform ?
Regards,
Davy
On Apr 11, 1:38 am, Jonathan Foley <jonefo...@gmail.com> wrote:
> Davy,
>
> In Android 2+ the reccomended route is using AccountManager, its
> painless for both the developer and the use otherwise
> support is there through methods to generate and sign requests:
>
> Look at:
>
> com.google.api.client.auth.oauth for Oauth 1.0a
>
> and
>
> com.google.api.client.auth.oauth2 for Oauth 2 draft 10
>
> JavaDoc:http://javadoc.google-api-java-client.googlecode.com/hg/1.3.1-alpha/i...
Thanks for the info.
Just for my understanding, I had some additional questions
1. If I understand correctly, using the Android AccountManager means
we're effectively using Google's ClientLogin protocol right ?
On http://code.google.com/apis/accounts/docs/GettingStarted.html I was
reading this :
AuthSub and ClientLogin are Google's proprietary authorization APIs,
available as an alternative to OAuth for most Google APIs. If
possible, you should avoid using these services. If you already have
applications that use them, you should migrate to the recommended
options described above.
So, are we saying that on Android we *should* use ClientLogin where
possible, as opposed to OAuth ? Most Google APIs support ClientLogin
as an authentication, but for some (ex: Latitude API), we need to use
OAuth.
2. On the Google APIs page (http://code.google.com/p/google-api-java-
client/wiki/GoogleAPIs#Google_Latitude_API), I noticed that for the
Latitude API, it mentions "Android is not supported for this API".
Why is Android not supported for this API ? This sample could in
theory run just fine on Android no (only the Jetty callback to fetch
the access token would be implemented differently) ?
I looked a bit further and implemented the OAuth flow using google-api-
java-client and it seems to be working fine. (used the Google Buzz
API).
What would prevent me for using the Latitude API in the same way on
the Android platform ?
Regards,
Davy
On Apr 11, 1:38 am, Jonathan Foley <jonefo...@gmail.com> wrote:
> Davy,
>
> In Android 2+ the reccomended route is using AccountManager, its
> painless for both the developer and the use otherwise
> support is there through methods to generate and sign requests:
>
> Look at:
>
> com.google.api.client.auth.oauth for Oauth 1.0a
>
> and
>
> com.google.api.client.auth.oauth2 for Oauth 2 draft 10
>
>
> If you want to use an external library, I'd recommend Scribe:
>
> https://github.com/fernandezpablo85/scribe-java
>
> Signpost is no-longer being actively developed and Scribe has a much
> nice API IMO.
>
> Jonathan
>
> If you want to use an external library, I'd recommend Scribe:
>
> https://github.com/fernandezpablo85/scribe-java
>
> Signpost is no-longer being actively developed and Scribe has a much
> nice API IMO.
>
> Jonathan
>
Jonathan Foley
Apr 11, 2011, 1:56:02 PM4/11/11
to google-api-...@googlegroups.com, Davy
Davy,
Yes, you are correct AccountManager does return a ClientLogin token,
which can't be used with Latitude or other Google APIs specifically
requiring OAuth.
Given the ease of using AccountManager, I would personally use it and
ClientLogin wherever I could. The user is still presented with an
authentication request, but they don't have to sign in via a web
browser and you as the developer don't have to handle the dance.
I think the statement about the Latitude API not working on Android
means that as implemented in the google-api-java-client its not
Android compatible because of some code in the code path that isn't
drawn from an Android library. There is nothing preventing you from
using OAuth and handling all the HTTP exchange your-self.
Jonathan
Davy
Apr 12, 2011, 5:44:11 PM4/12/11
to google-api-java-client
Jonathan,
Thx for the info .... For those interested, I did a writeup of how I
implemented OAuth on Android using the library.
You can find it here : http://blog.doityourselfandroid.com/2011/04/12/oauth-android-google-apis-client-library-java/
For the Latitude API, I did a test and it kinda worked. I got a valid
response from Latitude (response code 200, containing the following
JSON string
{ "data": { "kind": "latitude#location", "timestampMs":
"1302281187688", "latitude": 44.3148443, "longitude": -85.6023643 }}
However, during the parsing, I got an
java.lang.IllegalArgumentException: null.
I've ogged an issue for it : http://code.google.com/p/google-api-java-client/issues/detail?id=172
Thx for the info .... For those interested, I did a writeup of how I
implemented OAuth on Android using the library.
You can find it here : http://blog.doityourselfandroid.com/2011/04/12/oauth-android-google-apis-client-library-java/
For the Latitude API, I did a test and it kinda worked. I got a valid
response from Latitude (response code 200, containing the following
JSON string
{ "data": { "kind": "latitude#location", "timestampMs":
"1302281187688", "latitude": 44.3148443, "longitude": -85.6023643 }}
However, during the parsing, I got an
java.lang.IllegalArgumentException: null.
I've ogged an issue for it : http://code.google.com/p/google-api-java-client/issues/detail?id=172
> Yes, you are correct AccountManager does return a ClientLogin token,
> which can't be used with Latitude or other Google APIs specifically
> requiring OAuth.
>
> Given the ease of using AccountManager, I would personally use it and
> ClientLogin wherever I could. The user is still presented with an
> authentication request, but they don't have to sign in via a web
> browser and you as the developer don't have to handle the dance.
>
> I think the statement about the Latitude API not working on Android
> means that as implemented in the google-api-java-client its not
> Android compatible because of some code in the code path that isn't
> drawn from an Android library. There is nothing preventing you from
> using OAuth and handling all the HTTP exchange your-self.
>
> Jonathan
>
>
>
>
>
>
>
> On Mon, Apr 11, 2011 at 5:31 AM, Davy <ddewa...@gmail.com> wrote:
> > Jonathan,
>
> > Thanks for the info.
>
> > Just for my understanding, I had some additional questions
>
> > 1. If I understand correctly, using the Android AccountManager means
> > we're effectively using Google's ClientLogin protocol right ?
>
> > Onhttp://code.google.com/apis/accounts/docs/GettingStarted.htmlI was
> which can't be used with Latitude or other Google APIs specifically
> requiring OAuth.
>
> Given the ease of using AccountManager, I would personally use it and
> ClientLogin wherever I could. The user is still presented with an
> authentication request, but they don't have to sign in via a web
> browser and you as the developer don't have to handle the dance.
>
> I think the statement about the Latitude API not working on Android
> means that as implemented in the google-api-java-client its not
> Android compatible because of some code in the code path that isn't
> drawn from an Android library. There is nothing preventing you from
> using OAuth and handling all the HTTP exchange your-self.
>
> Jonathan
>
>
>
>
>
>
>
> On Mon, Apr 11, 2011 at 5:31 AM, Davy <ddewa...@gmail.com> wrote:
> > Jonathan,
>
> > Thanks for the info.
>
> > Just for my understanding, I had some additional questions
>
> > 1. If I understand correctly, using the Android AccountManager means
> > we're effectively using Google's ClientLogin protocol right ?
>
Yaniv Inbar (יניב ענבר)
May 9, 2011, 5:30:45 PM5/9/11
to google-api-...@googlegroups.com
Great discussion regarding the use of OAuth on Android.
As I am going to announce tomorrow at Google I/O, you can actually use OAuth now with Google APIs using the AccountManager. It works very similar to ClientLogin. The authTokenType to use for OAuth 1.0 is "oauth:" plus the space-separated OAuth scopes you need. OAuth 2.0 is the same, except use the prefix "oauth2:". Unfortunately, the Authorization UI is not pretty because it displays the OAuth scope instead of a friendly message describing what permission the user is granting the application, but that will eventually be fixed.
I'll write up more details later.
Yaniv Inbar
Senior Software Engineer
Google Inc.
Yaniv Inbar
Senior Software Engineer
Google Inc.
Davy De Waele
May 9, 2011, 5:34:21 PM5/9/11
to google-api-...@googlegroups.com
Great ... Have fun at Google I/O...
Reply all
Reply to author
Forward
0 new messages