Posted to dev@shindig.apache.org by daviesd <da...@oclc.org> on 2011/12/19 15:45:32 UTC
OAuth2 PopUp
I have a question about the OAuth 2.0 popup flow. I'm looking at OAuth's
1.0 flow, because I'm not seeing corresponding documentation for 2.0.

http://shindig.apache.org/shindig-1.1.x/shindig-features/jsdoc/symbols/gadgets.oauth.Popup.html

Anyway... 1 of my questions is... WHO closes the popup window? Is that
spec'd out somewhere? Is it the authorization server that does that or am I
missing something in the flow? I see the popup polls the window to detect
when it's closed and then tries to fetchData again.

Secondly... we have a need to redirect to the oauthApprovalUrl, but our
implementation doesn't have any UI. It just uses the request data to
authorize. Thus I really don't need a popup, so it would be desirable to
have the gadget just make the request without having to click on a link.
However, this will get stopped by popup blockers. Is there another way of
doing this via maybe a hidden iframe or something? But how would I detect
it's done? Ideas?

Thanks,
doug
Re: OAuth2 PopUp
Posted by daviesd <da...@oclc.org>.
Oh, that's nasty... :) I should have looked in the callback servlet.

// This bit of magic passes the entire callback URL into the opening gadget for later use.
// gadgets.io.makeRequest (or osapi.oauth) will then pick up the callback URL to complete the
// oauth dance.
private static final String RESP_BODY =
    "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" " +
    "\"http://www.w3.org/TR/html4/loose.dtd\">\n" +
    "<html>\n" +
    "<head>\n" +
    "<title>Close this window</title>\n" +
    "</head>\n" +
    "<body>\n" +
    "<script type='text/javascript'>\n" +
    "try {\n" +
    " window.opener.gadgets.io.oauthReceivedCallbackUrl_ = document.location.href;\n" +
    "} catch (e) {\n" +
    "}\n" +
    "window.close();\n" +
    "</script>\n" +
    "Close this window.\n" +
    "</body>\n" +
    "</html>\n";

Ok, so now I see how the window is getting closed. But I'm still thinking
of a way to do this flow without a popup.

doug
On 12/19/11 9:45 AM, "daviesd" <da...@oclc.org> wrote:
> I have a question about the OAuth 2.0 popup flow. I'm looking at OAuth's 1.0
> flow, because I'm not seeing corresponding documentation for 2.0.
>
> http://shindig.apache.org/shindig-1.1.x/shindig-features/jsdoc/symbols/gadgets.oauth.Popup.html
>
> Anyway... 1 of my questions is... WHO closes the popup window? Is that spec'd
> out somewhere? Is it the authorization server that does that or am I missing
> something in the flow? I see the popup polls the window to detect when it's
> closed and then tries to fetchData again.
>
> Secondly... we have a need to redirect to the oauthApprovalUrl, but our
> implementation doesn't have any UI. It just uses the request data to
> authorize. Thus I really don't need a popup, so it would be desirable to have
> the gadget just make the request without having to click on a link. However,
> this will get stopped by popup blockers. Is there another way of doing this
> via maybe a hidden iframe or something? But how would I detect it's done?
> Ideas?
>
> Thanks,
> doug
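
Added example, not part of the original thread and not Shindig's own code: the callback page in the second message hands its full document.location.href to the opening gadget, so the opener can check that URL before completing the OAuth dance. The function name, the EXPECTED_CALLBACK value and the use of a per-request state value are assumptions made for illustration.

```javascript
// Assumed callback endpoint of the gadget container (constructed value).
const EXPECTED_CALLBACK = 'https://container.example/gadgets/oauth2callback';

// Checks the URL stored in oauthReceivedCallbackUrl_ by the callback page.
// expectedState is the value the opener sent with the authorization request.
// Returns { ok: true, code } or { ok: false, reason }.
function checkReceivedCallbackUrl(receivedUrl, expectedState) {
  let url;
  const expected = new URL(EXPECTED_CALLBACK);
  try {
    url = new URL(receivedUrl);
  } catch (e) {
    return { ok: false, reason: 'not a URL' };
  }
  // The value is whatever location the popup had when the script ran,
  // so pin it to the callback endpoint (scheme, host, port and path).
  if (url.origin !== expected.origin || url.pathname !== expected.pathname) {
    return { ok: false, reason: 'unexpected callback location' };
  }
  // An OAuth 2.0 error response carries "error" instead of "code".
  if (url.searchParams.has('error')) {
    return { ok: false, reason: 'authorization error: ' + url.searchParams.get('error') };
  }
  // Exactly one state, equal to the one issued for this request.
  const states = url.searchParams.getAll('state');
  if (states.length !== 1 || states[0] !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  // Exactly one non-empty authorization code.
  const codes = url.searchParams.getAll('code');
  if (codes.length !== 1 || codes[0] === '') {
    return { ok: false, reason: 'missing or duplicated code' };
  }
  return { ok: true, code: codes[0] };
}

// Constructed sample values, as the popup would report them.
const sampleState = 's-41f0';
const samples = [
  EXPECTED_CALLBACK + '?code=abc123&state=s-41f0',
  EXPECTED_CALLBACK + '?code=abc123&state=other',
  EXPECTED_CALLBACK + '?error=access_denied&state=s-41f0',
  'https://elsewhere.example/gadgets/oauth2callback?code=abc123&state=s-41f0',
];
for (const s of samples) {
  console.log(JSON.stringify(checkReceivedCallbackUrl(s, sampleState)));
}
```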