Validating Friend Connect Login Using Perl OAuth


Artopium Mike

Apr 13, 2011, 12:57:30 PM
to Google Friend Connect Developer Forum
I am attempting to <a href="http://code.google.com/apis/friendconnect/docs/integration.html#design-integrating">"integrate Friend Connect with my existing site"</a>
by using 3 legged OAuth using the Perl client library Net::OAuth. It seems
this is apparently impossible, although at the very end of the article
<a href="https://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi?AuthEventSource=SSO">"Google's Internet Identity Research"</a>
it implies that I can. I would simply like to use the Friend Connect
login button to verify a returning user to my website (and allow them
access to their account on my servers). After implementing the
javascript API I quickly realized the security vulnerability of
allowing javascript to hand my perl scripts "validation of
authorization" (as described in this
<a href="http://yz.mit.edu/wp/making-sense-of-openid-oauth-opensocial-google-friend-connect-facebook-connect-and-more/">article</a>)
and so I've been on a hunt for a way to validate whether a google friend
connect user has logged in or not via perl ever since. I have found code
that works for
<a href="http://blog.case.edu/jeremy.smith/2009/03/30/using_2legged_oauth_with_google_apps_in_perl">2 legged OAuth</a>,
as well as <a href="http://www.commonmap.info/w/index.php/Oauth_perl_examples">3 legged</a>.
The 2 legged OAuth works just fine, except that by design I can call user
data even when they are not logged in, so this is useless to me if I want
to know their login state (right?). So apparently 3 legged is my only
choice, as I will know the user is truly validated when I get that access
token. However, when I use the 3 legged OAuth code I get a 400 "Invalid
Scope" error when trying to request a token. After doing some research I
found the article
<a href="http://code.google.com/apis/gdata/docs/auth/oauth.html#Scope">"OAuth in the Google Data Protocol Client Libraries"</a>
which defines "scope" (a google invention), and kindly leads me to the
<a href="http://code.google.com/apis/gdata/faq.html#AuthScopes">"Google Data Protocol FAQ"</a>
which lists all of the available scope urls. I quickly notice friend
connect is not listed. Is this intentional? In any case this is my
current "dead end", not to mention I'm still not sure if 3 legged OAuth is
the best method for me. Any advice out there?

Bob Aman

Apr 13, 2011, 1:38:47 PM
to google-friend-co...@googlegroups.com
Why do you want to use GFC for this? It sounds like the Google
Accounts API would be a much better fit. Both OpenID and the
OpenID+OAuth hybrid will handle your use-case, whereas GFC is really
more of a gadget-focussed technology.

Artopium Mike

Apr 13, 2011, 3:21:39 PM
to Google Friend Connect Developer Forum
Bob, will I get all the same social data using Google Accounts API as
in friend connect? Will I get friends list? Activity Stream? I can
post to the activity stream and add new friends? I can't seem to find
that info. Can you direct me to an article on Google Accounts API?
Thank you for your help!

Bob Aman

Apr 13, 2011, 3:24:46 PM
to google-friend-co...@googlegroups.com
> Bob, will I get all the same social data using Google Accounts API as
> in friend connect? Will I get friends list? Activity Stream? I can
> post to the activity stream and add new friends? I can't seem to find
> that info. Can you direct me to an article on Google Accounts API?
> Thank you for your help!

You can do many of those things via the Buzz API, but it's a
completely different beast from GFC. Unlike GFC, it has a scope you
can authorize.

Artopium Mike

Apr 13, 2011, 8:25:50 PM
to Google Friend Connect Developer Forum
Well, I appreciate your advice, Bob, but I'm not sure the Buzz API is
for me. It seems more tailored for websites with data streams. I was
interested in Friend Connect because the login included Yahoo, AIM and
Twitter as well. GFC also would enable my site to "become" a social
networking site by allowing friend requests between GFC-enabled users
to "friend" each other and post comments on each other's profiles. The
problem remains that when a user of my website signs up using GFC,
then returns to sign in with the same button, I would like more
validation than a GFC ID. The fcauth cookie also doesn't give me
accurate login state information, not only because a cookie can easily
be spoofed, but because the fcauth call continues to give me account
data even after the user has logged off. If only there were some call
I could make to Google that would simply tell me if the user who has
just signed into GFC is indeed who they say they are and that yes,
they are logged in, or no, they have just logged out. Seems like it
would be possible using Perl. I'm surprised that it isn't.

I looked at the list of possible scope urls again and didn't see
"Google Accounts" and "Google Buzz" but I did find the Buzz API docs
here:

http://code.google.com/apis/buzz/

I didn't find anything for "Google Accounts API" but I did search
Google Code for that phrase and found the article "Federated Login for
Google Account Users", which I've already read, and is almost exactly
what I'm looking for, however, I wasn't sure if I had to use OpenID
+OAuth or if I could just use OAuth, and I'm not even sure what
information I'm gaining access to because nowhere does it say what
account or type of account I'm logging into (or did I miss that?).
It seems more and more that OpenID is what I'm looking for, to gain
access to this Federated Login, but will that get me into GFC, or
Gmail, or Blogger, or what? Do I really need to go to OpenID? Why
isn't there a scope url of Google Friend Connect? Does it have
something to do with this other article I found on Google Code?:

"OAuth security vulnerability discovered"
http://groups.google.com/group/Google-Accounts-API/browse_thread/thread/a2a8a481bbb521b8

Bob Aman

Apr 13, 2011, 8:51:16 PM
to google-friend-co...@googlegroups.com
> Well, I appreciate your advice, Bob, but I'm not sure the Buzz API is
> for me. It seems more tailored for websites with data streams. I was
> interested in Friend Connect because the login included Yahoo, AIM and
> Twitter as well. GFC also would enable my site to "become" a social
> networking site by allowing friend requests between GFC-enabled users
> to "friend" each other and post comments on each other's profiles. The
> problem remains that when a user of my website signs up using GFC,
> then returns to sign in with the same button, I would like more
> validation than a GFC ID. The fcauth cookie also doesn't give me
> accurate login state information, not only because a cookie can easily
> be spoofed, but because the fcauth call continues to give me account
> data even after the user has logged off. If only there were some call
> I could make to Google that would simply tell me if the user who has
> just signed into GFC is indeed who they say they are and that yes,
> they are logged in, or no, they have just logged out. Seems like it
> would be possible using Perl. I'm surprised that it isn't.

Hmm, well that *is* what GFC is for, but GFC auth has some caveats
which you've run into. With fcauth, you know the user is who they say
they are (after you make an API call). If you need log-out state, the
best you can do is to build a javascript logout hook that XHRs back to
your server. The XHR should also have the fcauth cookie that would
allow you to verify the logout action as well. But there's nothing
built-in that will do that entire sequence for you.
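The server half of the logout sequence Bob outlines, as an added Perl sketch (not code from the thread, from GFC or from Net::OAuth): the browser's logout hook XHRs to this handler with the fcauth cookie attached, the server verifies with Google who that cookie belongs to, matches it against its own session, and only then tears the session down. The GFC endpoint URL is a placeholder assumption, and `$fetch` stands in for the HTTP client so the demo runs offline.

```perl
# Added example: never trust the client's "I logged out" claim; verify the
# fcauth cookie with Google, bind it to our session, then destroy the session.
use strict;
use warnings;
use JSON::PP qw(decode_json);

# ASSUMPTION: placeholder for GFC's OpenSocial "current viewer" REST URL.
my $GFC_SELF_URL = 'https://www.google.com/friendconnect/api/people/@me/@self';

# Pull the fcauth cookie out of a raw Cookie header. GFC names it
# fcauth<site-id>, so match on the prefix rather than a fixed name.
sub fcauth_from_cookie_header {
    my ($header) = @_;
    return unless defined $header;
    for my $pair (split /;\s*/, $header) {
        my ($name, $value) = split /=/, $pair, 2;
        return $value if defined $value && $name =~ /^fcauth/;
    }
    return;
}

# Ask Google who the token belongs to. $fetch is injected (wrap
# LWP::UserAgent->get in production, returning the body or undef).
sub verify_fcauth {
    my ($fetch, $fcauth) = @_;
    return unless defined $fcauth && length $fcauth;
    my $body = $fetch->("$GFC_SELF_URL?fcauth=$fcauth") or return;
    my $data = eval { decode_json($body) };
    return unless ref $data eq 'HASH' && ref $data->{entry} eq 'HASH';
    return $data->{entry}{id};    # OpenSocial person id
}

# The logout endpoint. %$sessions maps our session id -> GFC user id.
# Returns the HTTP status line to send back to the XHR.
sub handle_logout {
    my ($fetch, $sessions, $session_id, $cookie_header) = @_;
    my $expected = $sessions->{$session_id} or return '401 no such session';
    my $actual = verify_fcauth($fetch, fcauth_from_cookie_header($cookie_header));
    return '403 fcauth does not match session'
        unless defined $actual && $actual eq $expected;
    # Our own login state: as the thread notes, fcauth itself keeps
    # returning data after the user logs out of GFC.
    delete $sessions->{$session_id};
    return '200 logged out';
}

# Constructed demo: a fake fetch stands in for the call to Google.
my %sessions   = (sess_abc => '12345');
my $fake_fetch = sub { '{"entry":{"id":"12345"}}' };
print handle_logout($fake_fetch, \%sessions, 'sess_abc', 'fcauth123=tok'), "\n";
print handle_logout($fake_fetch, \%sessions, 'sess_abc', 'fcauth123=tok'), "\n";
```

The second call shows the session is gone server-side even though the same fcauth cookie would still be accepted by Google, which is the gap the thread describes.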
