46

I am planning to create an app that uses JavaScript, and it needs to use OAuth to authenticate users for a website. Can anyone help me out, please? Any sample code? I know about the Google Code JavaScript OAuth library, but I am not sure how to implement that.

4 Answers

50

There is a JS client implementation for OAuth here: https://developers.google.com/identity/protocols/OAuth2UserAgent

It contains example code to get you running. Basically, what you do is this:

// Endpoint to call and the credentials used to sign the request
var url = "...";
var accessor = {
  token: "...",
  tokenSecret: "...",
  consumerKey: "...",
  consumerSecret: "..."
};

var message = {
  action: url,
  method: "GET",
  parameters: { /* ... */ }
};

// Complete and sign the message with the accessor's credentials
OAuth.completeRequest(message, accessor);
OAuth.SignatureMethod.sign(message, accessor);
url = url + '?' + OAuth.formEncode(message.parameters);

// send request to 'url'
// ...

Cheers, Matthias

12 Comments

I think the tokenSecret and consumerSecret parameters are supposed to be secret! How could they remain secret when downloaded to the browser?!!!
By using SSL, for instance. But, yes, OAuth in a browser environment is certainly susceptible to security problems.
1.0(a). You make a good point though. If you have control over the service provider, too, I would suggest to opt for OAuth 2, since it simplifies many of the things that developers and protocol implementors struggle with.
Even if you use SSL, what is the difference? A man who made an SSL request and saved the response to the hard drive can read everything easily. And for public applications anyone can make such a request. It is completely insecure to use secret variables in JavaScript.
Why is it? Why is the 'secret' a secret from the user? It is no different from the session_id which is stored in a cookie. Just because it is named 'secret' does not make it a secret from everyone.
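
The signing step that the first answer's snippet hands to the library, written out as an added example (not from the thread and not the library's own code) using Node's built-in crypto module. The function names are hypothetical and the sample request is the worked example from the OAuth Core 1.0 specification's appendix; it shows that the HMAC key is only consumerSecret and tokenSecret joined, which is why the comments question shipping them to the browser.

```javascript
// Added example: OAuth 1.0 HMAC-SHA1 request signing (RFC 5849), Node.js.
const crypto = require("crypto");

// RFC 3986 percent-encoding; encodeURIComponent leaves ! ' ( ) * unescaped.
function pct(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// METHOD & encoded URL & encoded list of sorted "k=v" pairs.
// Assumes `url` is already normalized and carries no query string.
function signatureBaseString(method, url, params) {
  const cmp = (x, y) => (x < y ? -1 : x > y ? 1 : 0);
  const normalized = Object.entries(params)
    .map(([k, v]) => [pct(k), pct(String(v))])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => `${k}=${v}`)
    .join("&");
  return [method.toUpperCase(), pct(url), pct(normalized)].join("&");
}

// The HMAC key is nothing more than the two secrets joined by "&". Any party
// holding both values (for example, anyone who can read them in page script)
// produces signatures the provider cannot tell apart from the real client's.
function signingKey(consumerSecret, tokenSecret) {
  return `${pct(consumerSecret)}&${pct(tokenSecret || "")}`;
}

function sign(method, url, params, consumerSecret, tokenSecret) {
  return crypto.createHmac("sha1", signingKey(consumerSecret, tokenSecret))
    .update(signatureBaseString(method, url, params))
    .digest("base64");
}

// Sample request: the worked example from the OAuth Core 1.0 spec appendix.
const sample = {
  method: "GET", url: "http://photos.example.net/photos",
  params: {
    file: "vacation.jpg", size: "original",
    oauth_consumer_key: "dpf43f3p2l4k3l03", oauth_token: "nnch734d00sl2jdk",
    oauth_signature_method: "HMAC-SHA1", oauth_version: "1.0",
    oauth_timestamp: "1191242096", oauth_nonce: "kllo9940pd9333jh",
  },
  consumerSecret: "kd94hf93k423kf44", tokenSecret: "pfkkdhi9sl3r4s00",
};
```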
11

The mentioned security problems can be solved via YQL: http://derek.io/blog/2010/how-to-secure-oauth-in-javascript/

1 Comment

At least to some extent. But then you rely on someone else's backend technology instead of your own or none - which was the original goal.
3

I've written a generic OAuth 2.0 javascript library.

1 Comment

Can you post an example of how to authenticate to a custom Google App Engine application? I have been struggling with this for 2 days now. Your library doesn't seem to support the 3 callback URLs, OAuthGetRequestToken, OAuthAuthorizeToken and OAuthGetAccessToken?
0

If you're writing a Firefox (or other Mozilla) addon, consider oauthorizer. I'm using this for the latest version of goo.gl lite. However, I did hit some issues getting this approved for the Mozilla Add-Ons site, which I'm currently working through.
