CORS/postMessage support when using OAuth 2.0?

Michael Bolin

Oct 28, 2011, 10:16:18 AM
to oauth...@googlegroups.com
The documentation on OAuth 2.0 for client-side web applications explains how to get an access token in the client side of a web application, but provides no example of how to use it. Specifically, the example uses curl, which is not something a developer can call in JavaScript from a web browser.

That is, unless Cross-Origin Resource Sharing (CORS) is supported for all of the URLs from which Google Data may be requested. (Last I checked, there were quite a few: http://code.google.com/apis/gdata/faq.html#AuthScopes.)

Nevertheless, if CORS (or post-message with an iframe for each domain in the aforementioned AuthScopes list) can be used with an OAuth 2.0 token, then there should be an example of that in your document. Notably missing from the list of client libraries is a JavaScript client library, so there is no sample code to look at.

Finally, if it turns out that CORS is supported, could you clarify whether it can be used with an OAuth 2.0 access token that was acquired using OAuth 2.0 for server-side web applications? I can't imagine any reason why it would not work, but stranger things have happened. Specifically, I believe that I would like to request "offline" access and store my short-lived auth token (and long-lived refresh token) on the server, but then send the most recent short-lived auth token down to the client when the user logs in. That way, all subsequent requests to Google from the client are made directly to Google using CORS rather than through a proxy on my server.

Thank you,
Michael
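
Added example, not part of the original post and not Google's code: a small model of the browser-side CORS preflight check that decides whether a page may send a cross-origin request carrying a script-set `Authorization: Bearer <token>` header, which is the pattern the post asks about. The function name, the `{ status, headers }` input shape and the sample origins in the comments are assumptions made for illustration; it says nothing about which Google endpoints actually return these headers.

```javascript
// Constructed model of the browser's CORS preflight check for a request that
// carries a script-set "Authorization: Bearer <token>" header.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

// Split a comma-separated header value into trimmed, lower-cased tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// pageOrigin: serialized origin of the calling page, e.g. "https://app.example"
// method:     HTTP method of the real request
// preflight:  { status, headers } of the OPTIONS response (hypothetical shape)
function preflightAllowsBearer(pageOrigin, method, preflight) {
  const h = {};
  for (const [name, value] of Object.entries(preflight.headers || {})) {
    h[name.toLowerCase()] = value;
  }
  const reasons = [];

  // The preflight response must have a 2xx status.
  if (!(preflight.status >= 200 && preflight.status <= 299)) {
    reasons.push("preflight status not 2xx");
  }

  // A script-set Authorization header is not a CORS "credential" (cookies,
  // cached HTTP auth, client certificates), so "*" is acceptable when the
  // request is sent without cookies. Otherwise the origin must match exactly.
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== pageOrigin) reasons.push("origin not allowed");

  // Authorization is not a safelisted request header, and a "*" wildcard in
  // Access-Control-Allow-Headers never covers it: it must be listed by name.
  if (!tokens(h["access-control-allow-headers"]).includes("authorization")) {
    reasons.push("Authorization header not allowed");
  }

  // GET, HEAD and POST pass without being listed; other methods must be.
  // Methods are compared case-insensitively here for simplicity.
  const m = method.toUpperCase();
  const listed = tokens(h["access-control-allow-methods"]).map((t) => t.toUpperCase());
  if (!SAFELISTED_METHODS.includes(m) && !listed.includes(m) && !listed.includes("*")) {
    reasons.push("method not allowed");
  }
  return { allowed: reasons.length === 0, reasons };
}
```

A result with `allowed: false` means the browser would block the request before the token ever leaves the page, so the `reasons` list points at the response header the API would need to change.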
