I thought that it might be a good idea to update the existing GWT-OAuth2 project from 2011. I know that I have certainly needed a reliable framework for just about all of my projects, and unfortunately the old one is too out of date for my use cases. Let me know what you think and contributions are definitely welcome. Ideally, with the help of the community, we can create a truly robust GWT module.

Just to give you a quick summary, I have done the following:
- Added authorization code flow with refresh tokens and JSON Web Tokens
- Added support for Cordova
- Hopefully made it a little easier to navigate
- Started to implement JsInterop
- Google Provider support
- Some Facebook provider support

What would be nice:
- To make sure it is truly secure and robust through your contributions and discussion
--
You received this message because you are subscribed to a topic in the Google Groups "GWT Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-web-toolkit/I4gXb4QLWtQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-web-tool...@googlegroups.com.
To post to this group, send email to google-we...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
After reading some of the docs further, I think some of the confusion stemmed from how Google describes that an Installed App can execute an Authorization Code Flow (https://developers.google.com/identity/protocols/OAuth2).
In this case, the doc suggests that the “process results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)…The application should store the refresh token for future use and use the access token to access a Google API. Once the access token expires, the application uses the refresh token to obtain a new one.”
One could draw many similarities between a GWT app and a native app. The question I have is why is a native App allowed to store this “sensitive” data and not a GWT application.
Are we presuming that a binary, which can be decompiled and is in the user’s control, provides such a greater amount of security of secrets over HTML 5 web storage that it is okay to store sensitive tokens in a native app but not in a GWT app, especially when it just takes one curious user to find the same client_secret stored in all other native app installs?
--
Have a look at the definition of both types of clients in RFC 6749.
It amounts to knowledge by the AS whether this is a confidential or public client. When registering a native app, Google knows that it can only be a public app. When registering a web app, they can assume this will be a confidential client and expect you to keep the secret, well, secret. The AS (Google) can then have different policies regarding what scopes they allow, or how they present the consent screen and admin panel, depending on the type of client.
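The distinction drawn in the reply above, sketched from the authorization server's side as an added example (not code from this thread or from the GWT-OAuth2 project): the AS decides by the client type recorded at registration, so a secret shipped inside a public client is never counted as authentication. The client ids, secrets, scopes and the per-type scope policy are constructed assumptions.

```javascript
// Constructed registrations: ids, secrets and scopes are sample values.
const REGISTRY = new Map([
  ["web-backend", { type: "confidential", secret: "s3cr3t-sample", scopes: ["profile", "drive"] }],
  ["installed-app", { type: "public", secret: "embedded-in-app", scopes: ["profile"] }],
]);

// Comparison that always walks the full length, so a wrong secret
// does not reveal how long a matching prefix was through timing.
function sameSecret(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Token endpoint decision for a request { clientId, clientSecret, scopes }.
function evaluateTokenRequest(req) {
  const client = REGISTRY.get(req.clientId);
  if (!client) return { ok: false, error: "invalid_client" };

  let clientAuthenticated = false;
  if (client.type === "confidential") {
    // A confidential client is expected to keep its secret on a server,
    // so the AS requires it and treats a match as real authentication.
    if (typeof req.clientSecret !== "string" || !sameSecret(req.clientSecret, client.secret)) {
      return { ok: false, error: "invalid_client" };
    }
    clientAuthenticated = true;
  }
  // Public client: any secret it sends can be extracted from the app by
  // whoever installs it, so it proves nothing and is deliberately ignored.

  // Policy keyed on registration (assumed here): narrower scopes for public clients.
  const denied = req.scopes.filter((s) => !client.scopes.includes(s));
  if (denied.length > 0) return { ok: false, error: "invalid_scope" };

  return { ok: true, clientAuthenticated, scopes: req.scopes };
}
```
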