Google and OAuth 2.0

neandr at neandr at
Tue Apr 29 17:01:44 UTC 2014

On 29.04.2014 18:17, Ben Bucksch wrote:
> neandr at wrote, On 28.04.2014 20:10:
>> Lightning hides that process from the user.
>> That access key will be used to generate a token to work with your 
>> mail/calendar. That token will expire after a certain time and your 
>> application (mail/calendar) needs to generate a new token. Normally 
>> the user should not notice about that for any session. 
> Expiry indeed is a core problem. One-time setup - if it's really once 
> and then never again - can be handled differently than something that 
> can up at any random time.
> How does that process work? All readable documentation I found about 
> OAuth speaks about webpages. That is: not HTTP URLs, but random HTML 
> served by Google, containing arbitrary challenges to the end user 
> (e.g. enter phone number, Google sending a code there, enter that 
> code) that only the allowed human can fulfill.
> If tokens can expire and be refreshed by Lightning without (!) user 
> interaction, I don't know how that would work. Can you expand, please?
Here is a description with Reminderfox to configure GCal for Remote 
Calendar usage:
Our implementation briefly described:
-- selecting GCal OAuth2 as the authorization method for the Gcal (yes, 
the old method also works!), you enter your Google account name (or 
select it from dropdown) and request access .. which sends the 
Reminderfox secret details
-- Google answers on a web page to indicate an application (Reminderfox) 
asks for access. The user has to acknowledge it and gets back a code. 
That has to be copied and the user switches back to Reminderfox to [Paste] 
it into our extension dialog. That action -- in the background gets the 
access and the refresh code which are stored to the PW manager -- and 
finally offers the available calendar for that user.
-- after selecting the right calendar you can go with it.
-- normally if the token/access code expires we refresh it 
transparently, so no user action is required.
-- in rare cases that process fails, but Reminderfox offers a [Refresh 
the token]. That's an action **without** using a separate web page, just 
normal HTTP calls.

Note: the process is the same for Thunderbird/Seamonkey and Firefox

Lightning does that first process to get the very first access and 
refresh code a bit more elegantly. I think Philipp (Fallen) could give a 
more detailed description here.
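
The background refresh described in this message, sketched as an added example that is not part of the original post and is not Reminderfox or Lightning code. It follows the refresh-token grant of RFC 6749, section 6; the endpoint URL, the in-memory `store` object (standing in for the password manager) and the injected `post` transport are assumptions.

```javascript
// Placeholder endpoint (assumption); use the provider's documented token URL.
const TOKEN_ENDPOINT = "https://auth.example.invalid/token";

// Form body of the refresh-token grant (RFC 6749, section 6).
function buildRefreshBody(client, refreshToken) {
  return new URLSearchParams({
    grant_type: "refresh_token",
    refresh_token: refreshToken,
    client_id: client.id,
    client_secret: client.secret,
  }).toString();
}

// True when no access token is stored or it expires within skewMs.
function needsRefresh(store, nowMs, skewMs = 60000) {
  return !store.accessToken || nowMs >= store.expiresAtMs - skewMs;
}

// Apply a token-endpoint response {status, json} to the store.
// Returns "ok", "reauthorize" (consent page needed again) or "retry".
function applyTokenResponse(store, res, nowMs) {
  const json = res.json || {};
  if (res.status === 200 && json.access_token) {
    store.accessToken = json.access_token;
    store.expiresAtMs = nowMs + (json.expires_in || 0) * 1000;
    // A server may rotate the refresh token; otherwise keep the stored one.
    if (json.refresh_token) store.refreshToken = json.refresh_token;
    return "ok";
  }
  if (json.error === "invalid_grant") {
    // Refresh token revoked or expired: drop both, never retry with them.
    store.accessToken = null;
    store.refreshToken = null;
    return "reauthorize";
  }
  return "retry"; // network or server error: the stored refresh token is kept
}

// Return a usable access token, refreshing in the background when needed.
// `post(url, body)` is a hypothetical injected transport (plain HTTPS POST).
async function getAccessToken(store, client, post, nowMs = Date.now()) {
  if (!needsRefresh(store, nowMs)) return store.accessToken;
  const res = await post(TOKEN_ENDPOINT, buildRefreshBody(client, store.refreshToken));
  const outcome = applyTokenResponse(store, res, nowMs);
  if (outcome !== "ok") throw new Error(outcome);
  return store.accessToken;
}
```

Only the `"reauthorize"` outcome sends the user back to the browser consent page; every other path is an ordinary HTTPS POST with no page shown.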

