My favorites | English | Sign in

Faster JavaScript with Closure Tools New!

Accounts APIs

OAuth for Web Applications


Google supports the OAuth protocol for authorizing web applications accessing their users' Google services. This page describes Google's implementation of OAuth with instructions on how to use it. For more information on the OAuth standard, see the OAuth.net documentation. Applications making OAuth requests to Google can be either registered or unregistered, but must sign all requests.

Google now supports a hybrid protocol, combining Federated Login with OAuth (OpenID+OAuth). Many third-party sites enable OpenID to let their users log in with their Google account information (freeing the third-party developer from having to manage login security). OpenID+OAuth combines the two authorization processes, minimizing the round-trip communication required for authorization—and, equally important, simplifying the process for users by giving them one confirmation page instead of two.

See also the Google Accounts API Group for discussion on using the Accounts API. For information on Google's other account authorization solutions, see the Getting Started guide.

Audience

This document is written for web application developers who want to access their users' Google services using the OAuth protocol. It assumes you've read up on the service(s) being accessed and are aware of any access authorization issues involved. You need to know some service-specific details when using Google's authorization proxy service. This document also assumes you have a basic familiarity with OAuth.

Contents

  1. The OAuth authorization process for Web Apps
    1. Tokens and token management
    2. Registration
  2. Working with OAuth
    1. Setting up OAuth authorization
    2. Migrating from AuthSub to OAuth
    3. Signing requests
    4. Testing and debugging OAuth requests
    5. Revoking an OAuth access token
  3. OAuth for Google Apps domain administrators
    1. Enabling 2-legged OAuth on your hosted domain
  4. OAuth reference: endpoints
    1. OAuthGetRequestToken
    2. OAuthAuthorizeToken
    3. OAuthGetAccessToken

The OAuth authorization process for web apps

OAuth authorization for web applications involves a sequence of interactions between your web application, Google services, and the end user. This diagram illustrates the sequence:

Authentication process

  1. The web application contacts the Google Authorization service, asking for a request token for one or more Google service.
  2. Google responds with an unauthorized request token.
  3. The web application directs the end user to a Google authorization page, referencing the request token.
  4. On the Google authorization page, the user is prompted to log into their account (for verification) and then either grant or deny limited access to their Google service data by the web application.
  5. The user decides whether to grant or deny access to the web application. If the user denies access, they are directed to a Google page and not back to the web application.
  6. If the user grants access, the Authorization service redirects the user back to a page designated with the web application was registered with Google. The redirect includes the now authorized request token.
  7. The web application sends a request to the Google Authorization service to exchange the authorized request token for an access token.
  8. Google verifies the request and returns a valid access token.
  9. The web application sends a request to the Google service in question. The request is signed and includes the access token.
  10. If the Google service recognizes the token, it supplies the requested data.

Tokens and token management

With OAuth, there are two types of tokens used: request tokens and access tokens. Request tokens are used to verify Google registration and get end user authorization, after which they can be exchanged for an access token. Access tokens are used to request user data from the Google service(s) covered by the token.

The request token exists in one of two states: unauthorized and authorized. Initially, Google issues an unauthorized request token. Once the end user logs in and grants access to the third-party web application, the request token is authorized. Only authorized tokens can be exchanged for an access token. Request token are valid for one hour only, and can be exchanged only once.

Each OAuth access token is specific to one user account and covers the Google services specified in the original request for authorization. Access tokens are by default long-lived, and can be used any time the web application needs to access a covered service for that user's data.

The web application must have a mechanism to store access tokens for future use. For other token management options, see Working With OAuth Authorization.

Registration

If you're using OAuth, you can opt to register your web application with Google and provide enhanced security for your users by creating a security certificate. Although most Google services allow access to unregistered applications, some require more secure access. For more information on the registration process, see Registration for Web Applications.

Working with OAuth for web applications

This section covers topics relevant to using Google's Authorization service with OAuth.

Setting up OAuth authorization

These tasks must be done when setting up your web application to use the Google Authorization service with OAuth:

  • Decide whether or not to register your web application.

    If you choose to register, use the automated registration page to register your web application with Google. At some point you will need to decide which signature method will be used to sign requests. If using the RSA-SHA1 signature method, you need to upload a security certificate as part of the registration process. For the HMAC-SHA1, no certificate is required; instead an OAuth "consumer secret" value is generated and displayed on your domain's registration page after you have registered.

  • Set up a mechanism to manage OAuth tokens.

    An OAuth access token acquired from Google is intended to be used for all future interactions with the specified Google service for that user. Your web application will need to manage token storage, including tracking the user and Google service the token is valid for. Google Accounts is not set up to manage large numbers of tokens, and in fact does not allow more than ten valid tokens (per user, per web application) to be outstanding at any one time. This limitation allows a web application to get multiple tokens to cover different services, if necessary, but does not support getting a new token each time the web application needs to access a Google service. Tokens should be treated as securely as any other sensitive information stored on the server.

  • Determine the scope required by the Google service to be accessed.

    Each Google service determines how much and what type of access it will allow. This access is expressed as a scope value. A service's scope may be a simple URL identifying the entire service, or it may specify more restricted access. Some services severely limit access, such as allowing read-only access to limited information. To get the allowed scopes for the Google service you want to access, refer to the documentation for that service. You should request the broadest scoped token possible. For example, if attempting to access a Google Calendar feed, use the scope "http://www.google.com/calendar/feeds/", instead of "http://www.google.com/calendar/feeds/default/allcalendars/full". Using the latter limits access to the all calendars feed, whereas the first scope grants access to all of Calendar's feeds.

  • Set up a mechanism to request and receive OAuth tokens.

    The mechanism must generate well-formed, signed token request calls and handle the responses for the following sequence:

    1. Get a request token (OAuthGetRequestToken)
    2. Get the request token authorized (OAuthAuthorizeToken)
    3. Exchange the authorized request token for an access token (OAuthGetAccessToken)

    Managing Tokens. Because OAuth tokens are specific to a user, your application must be able to associate a token with its user. The preferred option is to issue a cookie to the user before making the token request. Then, when Google redirects the user back to your site with an appended token, your application can read the cookie and associate the token with the correct user identification.

    Using query parameters in a callback URL. If you specify an oauth_callback value on an OAuthGetRequestToken request, the mechanism should be equipped to parse the redirect from Google, which contains the authorized request token, and take action with it. The callback URL can include query parameters. For example, when supporting multiple languages, include a query parameter that identifies the version of the web application the user is viewing. An oauth_callback value of "http://www.yoursite.com/Retrievetoken?Lang=de would result in the redirect "http://www.yoursite.com/Retrievetoken?Lang=de&oauth_token=DQAADKEDE". Parsing the token and the language parameter ensures that the user is redirected back to the correct version of the site.

    Specifying an account domain. If your application is designed for users on a particular Google hosted domain, consider using the hd parameter when authorizing a token. For more information on the hd parameter, see Handling Users with Multiple Accounts.

    Signing requests. With OAuth, all requests to Google must be signed. For information on signing requests with registered or unregistered applications, see Signing OAuth Requests.

    Identifying your application to users. Google normally displays the name of an application when requesting access consent from the user (see example). With registered applications, this identifier is specified during registration. If your application is registered, do not set the OAuthGetRequestToken parameter xoauth_displayname; setting this parameter triggers Google to use this identifier rather than the one set during registration and to include a message that the application identity can't be verified. For unregistered applications, use the display name parameter to specify the name of your application. If no display name is set for an unregistered application, Google shows the domain name of the URL specified in the OAuthGetRequestToken oauth_callback parameter; if no callback URL is provided, Google uses the string "anonymous".

    Displaying an authorization token. In some cases, an application will need to have the user manually convey the token verifier back to the web application. If the OAuthGetRequestToken parameter oauth_callback is left empty, Google will direct the user to a web page displaying a verification number (see example). The user must return to the application and enter the verification number.

    Tip: Use the OAuth Playground to experiment with requesting and receiving authorization tokens. To set the xoauth_displayname parameter, check the "Advanced" box before fetching the request token. 

  • Implement Federated Login. (optional)

    If you're implementing Federated Login for user authentication, you may want to use the hybrid protocol to combine the two processes. With OpenID+OAuth, the tasks of getting a request token and authorizing it are handled as part of the OpenID request with OAuth extensions. As with OAuthGetRequestToken, these extensions are used to identify the Google services to be accessed. A successful response to the OpenID request contains an authorized request token. Once this token is received, use OAuthGetAccessToken to exchange it for an access token.

    Note: Federated Login is not currently supported for Google Apps (hosted) accounts. Because token authorization is handled through OpenID, using the hd parameter is not an option.

  • Set up a mechanism to request access to a Google service.

    Refer to documentation on the Google service for information on the proper request format. All requests to a Google service must include a valid OAuth access token and be signed. In general, a request to a Google service is in the form of an HTTP GET (or POST if writing new data), with access token and signature referenced in the request header.

Migrating from AuthSub to OAuth

Here are some tips for developers who are switching their authorization method from Google AuthSub to OAuth:

  • If you've already registered with Google, you do not need to re-register, but you do need to specify the signature method you'll be using to sign all requests. If you choose to use the RSA-SHA1 signature method, you need to upload a security certificate as part of your domain's registration record.
  • If you've been using secure tokens under AuthSub, these tokens are equivalent to OAuth access tokens. These secure tokens can be used with OAuth requests.

Differences between the two protocols are discussed in the Using OAuth with the Google Data APIs article.

OAuth for Google Apps domain administrators

While OAuth authorization is available to all developers wishing to access the Google Data APIs, Google Apps Premier and Education Edition administrators can enable a special kind of OAuth for their hosted domains, called 2-legged OAuth.

2-legged OAuth allows domain administrators to create or customize third-party applications (controlled by their organization) to access their users' Google Data without the user's direct involvement or authorization. Specifically, an access token is not required as per the normal authorization flow, also referred to as 3-legged OAuth. Applications using 2-legged OAuth must be registered with Google.

As an example, this feature can be used to do things like integrate with document management systems, enable third-party workflow applications, centralize backup of documents and contacts, and monitor document sharing inside and outside of the company.

Enabling 2-legged OAuth on a hosted domain

  1. Configure your hosted domain to accept 2-legged OAuth requests.

    Go to the Google Apps administrative control panel for your domain, click on the 'Advanced tools' tab, and go to the Manage OAuth Access section (see example). Check the box "Enable Two-legged Auth".

  2. Set up your data request mechanism to make 2-legged OAuth requests.

    When sending access requests to Google services with 2-legged OAuth, you do not need an OAuth access token to access a user's data. Instead, include the xoauth_requestor_id query parameter in the request URL and set its value to the email address of the user whose data you are trying to access. Next, send the signed OAuth request using the HMAC-SHA1 signature method (the consumer key and secret are provided in the administrative control panel) or upload a public certificate to use RSA-SHA1. For more information on signing requests, see the Signing OAuth Requests section of this document.

Note: This feature is only available to Google Apps Premier and Education Edition domain administrators.

Example: Accessing a Google Data API feed

This example uploads an empty document, 'Company Perks', to j.doe@example.com's Google Documents:

POST /feeds/documents/private/full?xoauth_requestor_id=j.doe%40example.com HTTP/1.1
Host: http://docs.google.com
Content-Type: application/atom+xml
Authorization: OAuth 
oauth_version="1.0",
oauth_nonce="1c4fbbe4387a685829d5938a3d97988c",
oauth_timestamp="1227303732",
oauth_consumer_key="example.com",
oauth_signature_method="HMAC-SHA1",
oauth_signature="lqz%2F%2BfwtusOas8szdYd0lAxC8%3D"

<atom:entry xmlns:atom="http://www.w3.org/2005/Atom">
  <atom:category scheme="http://schemas.google.com/g/2005#kind"
                 term="http://schemas.google.com/docs/2007#document" />
  <atom:title>Company Perks</atom:title>
</atom:entry>

Note: The Authorization should be contained on a single line. Newlines have been inserted for clarity.

Here are a couple of points worth mentioning:

  • The oauth_token query parameter should not be included with the request.
  • The xoauth_requestor_id is included as a query parameter.
  • The request will only succeed if 2-legged OAuth has been enabled for the domain.