AuthSubRequestJS causing problems


ankit

Aug 7, 2009, 4:39:57 PM
to Google Data Protocol
I am using the JavaScript Client library to authenticate using AuthSub
and get data from the user's Google calendars. Until now, my
application was running properly and was getting authenticated.

Only recently I discovered that AuthSub doesn't seem to be returning a
proper token value and the application keeps redirecting to the "Grant
access" page, back and forth.

The AuthSub request sent is:
https://www.google.com/accounts/AuthSubRequestJS?session=1&scope=http%3A%2F%2Fwww.google.com%2Fcalendar%2Ffeeds&next=http%3A%2F%2Fankitahuja.com%2Fapps%2Fproxycal%2Fproxycal.php&hd=default

The Response is: http://ankitahuja.com/apps/proxycal/proxycal.php#2%2Fc3Sq3h6N-jO6EgW6gDSN4oPiAJ-trg6WyvhPNYlGy_A

Here is the application URL: http://ankitahuja.com/apps/proxycal

I'm really hoping that you can let me know what I'm doing wrong here.

Here is the bit of code I'm using for AuthSub authentication in my
JavaScript:

http://www.pastie.org/575969

Thank you!

Bobby

Aug 10, 2009, 2:54:33 PM
to Google Data Protocol
Ankit, what browser are you seeing this issue for? I haven't been able
to have AuthSub authentication work properly in IE either (with the JS
API).

I've actually tried "forcing" a GData session cookie obtained from
Firefox into IE and it works fine so it seems to me that the mechanism
which picks up the token from the URL and sets the session cookie has
some issues in IE.

Bobby

On Aug 7, 4:39 pm, ankit <ahuja.an...@gmail.com> wrote:
> I am using the JavaScript Client library to authenticate using AuthSub
> and get data from the user's Google calendars. Until now, my
> application was running properly and was getting authenticated.
>
> Only recently I discovered that AuthSub doesn't seem to be returning a
> proper token value and the application keeps redirecting to the "Grant
> access" page, back and forth.
>
> The AuthSub request sent is: https://www.google.com/accounts/AuthSubRequestJS?session=1&scope=http...
>
> The Response is: http://ankitahuja.com/apps/proxycal/proxycal.php#2%2Fc3Sq3h6N-jO6EgW6...

Bobby

Aug 13, 2009, 5:10:55 AM
to Google Data Protocol
I'm seeing two distinct authentication issues in IE 6 and 7. The first
has to do with IE security settings - for example by adding the site
to "Trusted Sites" and setting the Security Level for Trusted Sites to
"Low" the authentication succeeds, otherwise a JS "Permission Denied"
exception is thrown (I couldn't find exactly what causes the
permission denied, usually this is caused by a cross-domain Ajax
request or IFrame manipulation, but I couldn't confirm which in
Firebug/Fiddler).

The other issue that I saw was within a GWT app and may have to do
with the GWT History support (since the initial AuthSub token is
returned after a "#"), but it could also be something in the way the
GWT app is structured so I have to confirm.

I don't see either of these problems in Firefox. The IE security issue
is kind of a pain since for the majority of sites and users, IE won't
be configured to allow AuthSub to succeed.

Bobby

Bobby

Aug 13, 2009, 8:23:08 PM
to Google Data Protocol
The IE+GWT issue that I'm seeing is the following. If the
google.load("gdata", "1.10"); call is asynchronous - meaning after the
page has finished loading, such as within onModuleLoad() - then the
AuthSub process doesn't succeed.

Bobby

Bobby

Aug 16, 2009, 4:05:16 AM
to Google Data Protocol
I was able to narrow down this supposedly IE+GWT issue with AuthSub
JS. It's actually not related to GWT. In the JS API, when calling
google.load("gdata", "1.10", callback) with a callback, in IE, AuthSub
doesn't complete - it never consumes the token in the URL.

This happens only when a callback is passed to google.load. The
behavior is the following.
1. Page calls google.accounts.user.login(myScope);
2. Browser is redirected to the Google authorization page.
3. User clicks to authorize.
4. Browser is redirected back to original page, with the token
appended to the URL.
5. In IE nothing happens. In FF the page will store the token in a
cookie and refresh to remove the token from the URL.

Also, curiously, at step 5, if we repeat steps 1 and 2, but at step 3
instead click the browser's back button, upon returning to the page,
the token is successfully consumed. Sounds like since the back button
will cause the page to be loaded from cache, google.load is available
immediately and AuthSub succeeds, which suggests that the fact that
google.load is asynchronous (when a callback is specified) and has a
slight delay, interferes with the AuthSub process.

I don't mind adding this to the issue tracker but I'm not sure where
the best place is to do that.

Thanks
Bobby
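
Added example, not part of the original thread and not gdata library code: a small diagnostic for step 5 of the flow described in the last post, telling apart "no token in the URL" from "token returned in the fragment but never consumed". The names `inspectAuthSubReturn`, `classify` and `window.authSubReturnState` are hypothetical, the token shape is inferred only from the response URL quoted in the first post, and the 5 second window is arbitrary.

```javascript
// Added diagnostic; not gdata library code. All names here are hypothetical.
// ES3-style on purpose so it also runs in the IE 6/7 browsers discussed above.

// Inspect a return URL for an AuthSub token carried in the fragment.
function inspectAuthSubReturn(href) {
  var i = href.indexOf("#");
  var raw = i === -1 ? "" : href.substring(i + 1);
  var token = null;
  if (raw) {
    try {
      token = decodeURIComponent(raw);
    } catch (e) {
      token = null; // malformed percent-encoding: no usable token
    }
  }
  // GWT history state and plain anchors also live after '#'. Assumed token
  // shape "<digit>/<URL-safe characters>", inferred from the one sample above.
  var ok = token !== null && /^\d\/[A-Za-z0-9_-]{20,}$/.test(token);
  return {
    tokenPresent: ok,
    redacted: ok ? token.substring(0, 4) + "..." : null, // never record the full token
    cleanUrl: i === -1 ? href : href.substring(0, i)
  };
}

// Compare the state at page load with the state after the loader had time to run.
// A load without a token means either none was returned, or an earlier load
// already consumed it and refreshed the page.
function classify(atLoad, later) {
  if (!atLoad.tokenPresent) { return "no-token-in-url"; }
  return later.tokenPresent ? "token-still-in-url" : "token-removed";
}

// Browser hook: place this inline script before any google.load call.
if (typeof window !== "undefined") {
  var authSubAtLoad = inspectAuthSubReturn(window.location.href);
  window.setTimeout(function () {
    var later = inspectAuthSubReturn(window.location.href);
    window.authSubReturnState = classify(authSubAtLoad, later);
  }, 5000); // arbitrary observation window
}
```

A page that settles on `token-still-in-url` matches the IE behaviour reported at step 5, and the token then remains visible in the address bar and browser history until something removes it.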