Posted to dev@shindig.apache.org by daviesd <da...@oclc.org> on 2011/12/19 15:45:32 UTC

OAuth2 PopUp

I have a question about the Oauth 2.0 popup flow.  I'm looking at OAuth's
1.0 flow, because I'm not seeing corresponding documentation for 2.0.

http://shindig.apache.org/shindig-1.1.x/shindig-features/jsdoc/symbols/gadgets.oauth.Popup.html

Anyway... 1 of my questions is... WHO closes the popup window?  Is that
spec'd out somewhere?  Is it the authorization server that does that or am I
missing something in the flow?  I see the popup polls the window to detect
when it's closed and then tries to fetchData again.

Secondly... we have a need to redirect to the oauthApprovalUrl, but our
implementation doesn't have any UI.  It just uses the request data to
authorize.  Thus I really don't need a popup, so it would be desirable to
have the gadget just make the request without having to click on a link.
However, this will get stopped by popup blockers.  Is there another way of
doing this via maybe a hidden iframe or something?  But how would I detect
it's done?  Ideas?

Thanks,
doug

Re: OAuth2 PopUp

Posted by daviesd <da...@oclc.org>.
Oh, that's nasty... :)  I should have looked in the callback servlet.

  // This bit of magic passes the entire callback URL into the opening gadget for later use.
  // gadgets.io.makeRequest (or osapi.oauth) will then pick up the callback URL to complete the
  // oauth dance.
  private static final String RESP_BODY =
    "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" " +
    "\"http://www.w3.org/TR/html4/loose.dtd\">\n" +
    "<html>\n" +
    "<head>\n" +
    "<title>Close this window</title>\n" +
    "</head>\n" +
    "<body>\n" +
    "<script type='text/javascript'>\n" +
    "try {\n" +
    "  window.opener.gadgets.io.oauthReceivedCallbackUrl_ = document.location.href;\n" +
    "} catch (e) {\n" +
    "}\n" +
    "window.close();\n" +
    "</script>\n" +
    "Close this window.\n" +
    "</body>\n" +
    "</html>\n";

Ok, so now I see how the window is getting closed.  But I'm still thinking
of a way to do this flow without a popup.

doug


On 12/19/11 9:45 AM, "daviesd" <da...@oclc.org> wrote:

> I have a question about the Oauth 2.0 popup flow.  I'm looking at OAuth's 1.0
> flow, because I'm not seeing corresponding documentation for 2.0.
> 
> http://shindig.apache.org/shindig-1.1.x/shindig-features/jsdoc/symbols/gadgets.oauth.Popup.html
> 
> Anyway... 1 of my questions is... WHO closes the popup window?  Is that spec'd
> out somewhere?  Is it the authorization server that does that or am I missing
> something in the flow?  I see the popup polls the window to detect when it's
> closed and then tries to fetchData again.
> 
> Secondly... we have a need to redirect to the oauthApprovalUrl, but our
> implementation doesn't have any UI.  It just uses the request data to
> authorize.  Thus I really don't need a popup, so it would be desirable to have
> the gadget just make the request without having to click on a link.  However,
> this will get stopped by popup blockers.  Is there another way of doing this
> via maybe a hidden iframe or something?  But how would I detect it's done?
> Ideas?
> 
> Thanks,
> doug
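
The hand-off discussed in this thread (the callback page writes its own URL into the opener and closes itself, and the gadget side notices the closed popup), as an added example that is not part of the original messages and is not Shindig's code. Both windows are modelled with plain objects so it runs under Node; every name except gadgets.io.oauthReceivedCallbackUrl_ is hypothetical, the origin, path and state values are constructed, and the URL check in pollOnce is an assumption about what a careful consumer would do before using the value.

```javascript
// Constructed stand-ins for the gadget window and the popup it opened.
function makeWindows(popupHref) {
  const opener = { gadgets: { io: { oauthReceivedCallbackUrl_: null } } };
  const popup = {
    opener,
    closed: false,
    location: { href: popupHref },
    close() { this.closed = true; },
  };
  return { opener, popup };
}

// What the script inside RESP_BODY does once the popup has loaded it.
function runCallbackPage(popup) {
  try {
    popup.opener.gadgets.io.oauthReceivedCallbackUrl_ = popup.location.href;
  } catch (e) {
    // Opener gone or not reachable: the page still closes itself.
  }
  popup.close();
}

// One polling tick on the gadget side (hypothetical helper).
// Returns null while the popup is open. Once it is closed, the stored URL
// is consumed once and checked before anything is done with it.
function pollOnce(opener, popup, expected) {
  if (!popup.closed) return null;
  const received = opener.gadgets.io.oauthReceivedCallbackUrl_;
  opener.gadgets.io.oauthReceivedCallbackUrl_ = null;
  if (!received) return { ok: false, reason: 'no-callback-url' };
  let url;
  try {
    url = new URL(received);
  } catch (e) {
    return { ok: false, reason: 'bad-url' };
  }
  // Assumption: the consumer knows its own callback location and the
  // state value it sent with the authorization request.
  if (url.origin !== expected.origin || url.pathname !== expected.path) {
    return { ok: false, reason: 'unexpected-callback-location' };
  }
  if (url.searchParams.get('state') !== expected.state) {
    return { ok: false, reason: 'state-mismatch' };
  }
  return { ok: true, code: url.searchParams.get('code') };
}
```

In a browser, pollOnce would be called from a timer until it returns a non-null result; a popup closed by the user without reaching the callback page shows up as 'no-callback-url'.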