Google and OAuth 2.0

Philipp Kewisch mozilla at kewis.ch
Tue Apr 29 18:25:03 UTC 2014


On 4/29/14, 7:01 PM, neandr at gmx.de wrote:
> On 29.04.2014 18:17, Ben Bucksch wrote:
>> neandr at gmx.de wrote, On 28.04.2014 20:10:
>>> Lightning hides that process from the user.
>>> That access key will be used to generate a token to work with your
>>> mail/calendar. That token will expire after a certain time and your
>>> application (mail/calendar) needs to generate a new token. Normally
>>> the user should not notice about that for any session. 
>>
>> Expiry indeed is a core problem. One-time setup - if it's really once
>> and then never again - can be handled differently than something that
>> can come up at any random time.
>>
>> How does that process work? All readable documentation I found about
>> OAuth speaks about webpages. That is: not HTTP URLs, but random HTML
>> served by Google, containing arbitrary challenges to the end user
>> (e.g. enter phone number, Google sending a code there, enter that
>> code) that only the allowed human can fulfill.
>>
>> If tokens can expire and be refreshed by Lightning without (!) user
>> interaction, I don't know how that would work. Can you expand, please?
>>
> [...]
>
> Lightning does that first process to get the very first access and
> refresh code a bit more elegant. I think Philipp (Fallen) could give a
> more detailed description here.
>

I think some things have changed, reading the docs there is now also a
token info service that must be called. We don't do this. Anyway, most
of the process we do can be found in
<http://mxr.mozilla.org/comm-central/source/calendar/base/modules/OAuth2.jsm>.
First we get an authorization token, then we can request an access
token. The access token expires in given time (as stated in the
response). When the access token has expired, we can refresh it using
the authorization token without any user interaction. The user must only
enter data when getting the authorization token.

More information on the general process is here:
<https://developers.google.com/accounts/docs/OAuth2>. Here is info
specifically on how it works for client applications
<https://developers.google.com/accounts/docs/OAuth2UserAgent>. Note that
some data needs to be pushed to the source repository. Please make sure
it is properly obfuscated, as seen here
<http://mxr.mozilla.org/comm-central/source/calendar/providers/caldav/calDavCalendar.js#2855>
and add a similar comment.

Philipp
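Added example, not code from Lightning's OAuth2.jsm or from Google: the three steps Philipp describes (exchange the code obtained in the browser step, use the access token until the lifetime stated in the response has passed, then refresh it with no user interaction), written against a fake in-process token endpoint so it runs offline. The message says "authorization token" for what the linked Google docs call the authorization code and the refresh token; the example uses the standard names. The client id/secret values, the endpoint behaviour and the fixed clock are constructed placeholders. The one case that sends the user back to the browser step, a refresh rejected with invalid_grant, is surfaced as an error flagged needsReauthorization so a caller can tell it apart from a transient failure.

```javascript
// Added example (not Lightning's or Google's code): OAuth 2.0 authorization-code
// flow with access-token expiry and silent refresh. The token endpoint is
// simulated in-process; no network access happens.

const EXPIRY_SKEW_SECONDS = 60; // refresh slightly before the stated expiry

// Constructed stand-in for the provider's token endpoint. It accepts the
// placeholder credentials below, consumes authorization codes once, and
// issues bearer access tokens plus a refresh token on the initial exchange.
function makeFakeTokenEndpoint() {
  const unusedCodes = new Set(['code-from-browser-step']);
  const liveRefreshTokens = new Set();
  let serial = 0;
  return (params) => {
    if (params.client_id !== 'example-client-id' ||
        params.client_secret !== 'example-client-secret') {
      return { error: 'invalid_client' };
    }
    if (params.grant_type === 'authorization_code') {
      if (!unusedCodes.delete(params.code)) return { error: 'invalid_grant' };
      serial += 1;
      const refreshToken = `refresh-${serial}`;
      liveRefreshTokens.add(refreshToken);
      return { access_token: `access-${serial}`, token_type: 'Bearer',
               expires_in: 3600, refresh_token: refreshToken };
    }
    if (params.grant_type === 'refresh_token') {
      if (!liveRefreshTokens.has(params.refresh_token)) return { error: 'invalid_grant' };
      serial += 1;
      return { access_token: `access-${serial}`, token_type: 'Bearer', expires_in: 3600 };
    }
    return { error: 'unsupported_grant_type' };
  };
}

function reauthRequired(reason) {
  const err = new Error(`user must re-authorize: ${reason}`);
  err.needsReauthorization = true; // caller should re-run the browser step
  return err;
}

class OAuth2Client {
  // `now` is injectable so token expiry can be driven deterministically.
  constructor({ clientId, clientSecret, tokenEndpoint, now = () => Date.now() }) {
    this.clientId = clientId;
    this.clientSecret = clientSecret;
    this.tokenEndpoint = tokenEndpoint;
    this.now = now;
    this.accessToken = null;
    this.refreshToken = null;
    this.expiresAt = 0; // ms since epoch
    this.refreshCount = 0;
  }

  // Step 1, the only step that involves the user: exchange the code returned
  // by the browser consent page for an access token and a refresh token.
  exchangeAuthorizationCode(code) {
    this._store(this.tokenEndpoint({
      grant_type: 'authorization_code', code,
      client_id: this.clientId, client_secret: this.clientSecret,
    }));
    return this.accessToken;
  }

  // Steps 2 and 3: hand out the current access token, or refresh it silently
  // once its lifetime has passed. A rejected refresh (revoked consent) is the
  // one outcome that requires the user again.
  getAccessToken() {
    if (this.accessToken && this.now() < this.expiresAt) {
      return { token: this.accessToken, refreshed: false };
    }
    if (!this.refreshToken) throw reauthRequired('no refresh token held');
    const resp = this.tokenEndpoint({
      grant_type: 'refresh_token', refresh_token: this.refreshToken,
      client_id: this.clientId, client_secret: this.clientSecret,
    });
    if (resp.error === 'invalid_grant') throw reauthRequired(resp.error);
    this._store(resp);
    this.refreshCount += 1;
    return { token: this.accessToken, refreshed: true };
  }

  _store(resp) {
    if (resp.error) throw new Error(`token endpoint error: ${resp.error}`);
    this.accessToken = resp.access_token;
    // expires_in is seconds, as stated in the response; keep a safety margin.
    this.expiresAt = this.now() + (resp.expires_in - EXPIRY_SKEW_SECONDS) * 1000;
    // Refresh responses may omit refresh_token; keep the one already held.
    if (resp.refresh_token) this.refreshToken = resp.refresh_token;
  }
}

// One session walked through an expiry, with a constructed fixed clock.
function runScenario() {
  let clock = 1000000000000;
  const client = new OAuth2Client({
    clientId: 'example-client-id', clientSecret: 'example-client-secret',
    tokenEndpoint: makeFakeTokenEndpoint(), now: () => clock,
  });
  const first = client.exchangeAuthorizationCode('code-from-browser-step');
  const early = client.getAccessToken(); // still within lifetime
  clock += 3600 * 1000;                   // one hour later
  const late = client.getAccessToken();  // refreshed without user interaction
  return { first, early, late, refreshCount: client.refreshCount };
}
```

In a real client the secret handed to the token endpoint is the value the message asks to keep obfuscated in the repository, and the refresh token is the long-lived credential worth protecting at rest; the access token is short-lived by design and is the only one that should be sent to the mail/calendar service.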