[powershop-developers] OAuth sample app using GData and App Engine


ziglionz

May 18, 2010, 7:29:37 AM
to Powershop Developers
Hi everyone,

I've been playing a bit with Google's App Engine and their Java GData
APIs.
Have modified an example using OAuth in order to use the Powershop
API.
You can try the app: http://powershop.emanueleziglioli.it/ using your
own key or my one (default).
Just fetching consumer.js for now.

Cheers,
Emanuele

--
You received this message because you are subscribed to the Google Groups "Powershop Developers" group.
To post to this group, send email to powershop-...@googlegroups.com.
To unsubscribe from this group, send email to powershop-develo...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/powershop-developers?hl=en.

Ari Sargent

May 18, 2010, 6:10:17 PM
to Powershop Developers
Nice. I'm not that familiar with the Google App Engine, but if you
have any code you'd like to share I'd be happy to put it up here.

On May 18, 11:29 pm, ziglionz <zigli...@gmail.com> wrote:
> Hi everyone,
>
> I've been playing a bit with Google's App Engine and their Java GData
> Apis.
> Have modified an example using OAuth in order to use the Powershop
> API.
> You can try the app: http://powershop.emanueleziglioli.it/ using your

ziglionz

May 19, 2010, 3:48:11 AM
to Powershop Developers
Sure, when it looks a bit more like my code and a bit less like
Google's code :-)

Next I'd like to experiment with Gmail and Facebook integration.
One question: if you authorize a third party application, how long is
the token going to last for?
Are those applications meant to store it somehow?

Roger Nesbitt

May 19, 2010, 4:49:27 AM
to powershop-...@googlegroups.com
The OAuth access token does not expire. So yes, it's meant to be stored somewhere and can be reused. The user can revoke the access token from the "3rd party applications" tab in Powershop, so you'd have to do some error checking each time you use the token to check that this has not happened.

Roger

On 19 May 2010, at 19:48, ziglionz wrote:

> Sure, when it looks a bit more like my code and a bit less like
> Google's code :-)
>
> Next I'd like to experiment with Gmail and Facebook integration.
> One question: if you authorize a third party application, how long is
> the token going to last for?
> Are those applications meant to store it somehow?
>
> On May 19, 10:10 am, Ari Sargent <ari.sarg...@powershop.co.nz> wrote:
>> Nice. I'm not that familiar with the Google App Engine, but if you
>> have any code you'd like to share I'd be happy to put it up here.

ziglionz

May 19, 2010, 6:11:22 AM
to Powershop Developers
thanks, there must be a way though to identify each user within the
3rd party application in the first place so the right token can be
picked.
But I don't really want to create an extra login in my app.
I guess with Google Apps you send a request to the app from within
gmail with your google username and the 3rd party app uses that to
retrieve token.
The same thing must happen with facebook, once you've authorized an
application you connect to the app from within facebook using your id.
Possibly a permanent cookie could do the trick? still, that's probably
not safe. Having an authorized token hanging around would be just like
giving away your password.

On May 19, 8:49 pm, Roger Nesbitt <ro...@youdo.co.nz> wrote:
> The OAuth access token does not expire.  So yes, it's meant to be stored somewhere and can be reused.  The user can revoke the access token from the "3rd party applications" tab in Powershop, so you'd have to do some error checking each time you use the token to check that this has not happened.

Felix

May 19, 2010, 5:12:32 PM
to Powershop Developers


On May 19, 10:11 pm, ziglionz <zigli...@gmail.com> wrote:
> Possibly a permanent cookie could do the trick? still, that's probably
> not safe. Having an authorized token hanging around would be just like
> giving away your password.
You could use a cookie to identify the user but store the token on the
server?
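
Added example, not part of any post in this thread and not Powershop's code: the two suggestions above combined in Java, with the cookie carrying only a random session id, the non-expiring access token kept server-side, and every API use checking for revocation. `ApiCall`, the class and method names, the constructed token value and the use of HTTP 401 to signal a revoked token are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public class ServerSideTokenStore {
    /** Hypothetical stand-in for a signed Powershop API call; returns the HTTP status. */
    interface ApiCall { int run(String accessToken); }

    private static final SecureRandom RNG = new SecureRandom();
    // Session id (the cookie value) -> OAuth access token. The token never leaves the server.
    private final Map<String, String> tokens = new ConcurrentHashMap<>();

    /** Called once OAuth authorization completes; returns the opaque cookie value. */
    String bind(String accessToken) {
        byte[] raw = new byte[32]; // 256 bits, not guessable
        RNG.nextBytes(raw);
        String sid = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(sid, accessToken);
        return sid; // set as a cookie with the Secure and HttpOnly attributes
    }

    /** Uses the stored token; an empty result means the user must authorize again. */
    Optional<Integer> call(String sid, ApiCall api) {
        String token = (sid == null) ? null : tokens.get(sid);
        if (token == null) return Optional.empty(); // unknown or forged cookie
        int status = api.run(token);
        if (status == 401) {      // assumption: a revoked token is rejected with 401
            tokens.remove(sid);   // drop the dead token instead of retrying it
            return Optional.empty();
        }
        return Optional.of(status);
    }

    public static void main(String[] args) {
        ServerSideTokenStore store = new ServerSideTokenStore();
        String sid = store.bind("constructed-token-123"); // constructed sample value
        System.out.println("cookie contains token? " + sid.contains("constructed-token-123"));
        System.out.println("valid token:   " + store.call(sid, t -> 200));
        System.out.println("revoked token: " + store.call(sid, t -> 401));
        System.out.println("after revoke:  " + store.call(sid, t -> 200));
        System.out.println("forged cookie: " + store.call("guess", t -> 200));
    }
}
```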

Tim Wright

May 20, 2010, 12:17:12 AM
to Felix, Powershop Developers
A different slant on this is:

How will your users feel giving access to their private data (ie:
powershop data) to an application (your application) that they don't
have to log in to. Will that provide them with confidence in your
security?

Tim
--
Tim
http://nz.linkedin.com/in/drtimwright

ziglionz

May 20, 2010, 6:06:28 PM
to Powershop Developers
Sure, a login is necessary. Initially I thought I could rely on
Powershop but that's just to authorize the application.
Now I'm looking at OAuth/OpenID in Google Apps and at Facebook Connect
so that I don't have to implement my own mechanism.
I could just use basic auth over SSL but it'd be one more set of
credentials for the user to remember.

On May 20, 4:17 pm, Tim Wright <drtimwri...@gmail.com> wrote:
> A different slant on this is:
>
> How will your users feel giving access to their private data (ie:
> powershop data) to an application (your application) that they don't
> have to log in to. Will that provide them with confidence in your
> security?
>
> Tim

Roger Nesbitt

May 20, 2010, 6:09:09 PM
to powershop-...@googlegroups.com
How about storing the access token in a session cookie, and getting the user to re-authenticate with Powershop every session?

Roger

ziglionz

May 21, 2010, 6:03:23 AM
to Powershop Developers
yes, that sounds good too

On May 21, 10:09 am, Roger Nesbitt <ro...@youdo.co.nz> wrote:
> How about storing the access token in a session cookie, and getting the user to re-authenticate with Powershop every session?
>
> Roger
>
> On 21 May 2010, at 10:06, ziglionz wrote:
>
> > Sure, a login is necessary. Initially I thought I could rely on
> > Powershop but that's just to authorize the application.
> > Now I'm looking at OAuth/OpenID in Google Apps and at Facebook Connect
> > so that I don't have to implement my own mechanism.
> > I could just use basic auth over SSL but it'd be one more set of
> > credentials for the user to remember.
>
> > On May 20, 4:17 pm, Tim Wright <drtimwri...@gmail.com> wrote:
> >> A different slant on this is:
>
> >> How will your users feel giving access to their private data (ie:
> >> powershop data) to an application (your application) that they don't
> >> have to log in to. Will that provide them with confidence in your
> >> security?
>
> >> Tim