I am planning to create an app that uses JavaScript and it needs to use OAuth to authenticate users for a website. Can anyone help me out please? Any sample code? I know about the Google Code JavaScript OAuth library but I am not sure how to implement that.
application that uses OAuth and javascript [closed]
There is a JS client implementation for OAuth here: https://developers.google.com/identity/protocols/OAuth2UserAgent
It contains example code to get you running. Basically, what you do is this:
// oauth.js and sha1.js from the OAuth JavaScript library must be loaded first
var url = "...";                 // protected resource URL, without a query string
var accessor = {
    token: "...",                // access token
    tokenSecret: "...",          // access token secret
    consumerKey : "...",         // consumer (application) key
    consumerSecret: "..."        // consumer (application) secret
};
var message = {
    action: url,
    method: "GET",
    parameters: {...}            // your own request parameters; the oauth_* ones are added below
};
OAuth.completeRequest(message, accessor);      // adds oauth_consumer_key, oauth_token, oauth_version, oauth_timestamp, oauth_nonce
OAuth.SignatureMethod.sign(message, accessor); // computes oauth_signature from the parameters and the two secrets
url = url + '?' + OAuth.formEncode(message.parameters);
// send request to 'url'
...
Cheers, Matthias
I think the tokenSecret and consumerSecret parameters are supposed to be secret! How could they remain secret when downloaded to the browser?!!! –
Regorge
By using SSL, for instance. But, yes, OAuth in a browser environment is certainly susceptible to security problems. –
Karleen
Is this for oAuth 1.0a or 2.0? –
Malvie
1.0(a). You make a good point though. If you have control over the service provider, too, I would suggest to opt for OAuth 2, since it simplifies many of the things that developers and protocol implementors struggle with. –
Karleen
Even if you use SSL, what is the difference? Anyone who made the SSL request and saved the response to their hard drive can read everything easily. And for public applications anyone can make such a request. It is completely insecure to use secret variables in JavaScript. –
Somali
Why is it? Why is the 'secret' a secret from the user? It is no different from the session_id which is stored in a cookie. Just because it is named 'secret' does not make it a secret from everyone. –
Pliam
I'm a newbie. I managed to proceed with your answer. Could you please tell me how to send the request to 'url'? I tried var xhr = new XMLHttpRequest(); xhr.open("GET", url, true); xhr.send(); and it gives me a DOM exception. –
Schnorkle
I'm able to get the request token verifier from the library (oauth.googlecode.com/svn/code/javascript), but got stuck in getting the access token. Can someone tell me where I'm doing it wrong? Here is the code: #19240307 –
Circumsolar
@Mark: The consumerSecret is supposed to be secret even from the user. Say site Alice.com uses the OAuth service of Facebook. Now user Bob accesses site Alice.com via his Facebook credentials. Later on, an attacker gets the consumerSecret from the JS code and impersonates site Alice.com. He knows Bob is registered there. He creates a fake site for Bob to open when logged on to Facebook. Now the attacker gets access to all of Bob's personal details on Facebook. –
Saltillo
@har for a GET request, you can simply do
document.location = url + '?' + OAuth.formEncode(message.parameters);
so you get the result in the web browser (I use the moz-rewrite addon to remove the Content-Disposition response header so Firefox doesn't force the download and displays the result with the JSONView addon). You can also use AJAX if you don't want to display the result, see w3schools.com/ajax/ajax_xmlhttprequest_send.asp. And if you want to use a POST request and display the result, you can create an HTML form with JavaScript, see https://mcmap.net/q/45092/-javascript-post-request-like-a-form-submit. –
Venator
As of 13/5/2016 oauth.googlecode.com/svn/code/javascript is 404 - if you're using this, grab the code quickly –
Llywellyn
@MalcolmBox yes, here are the latest archived versions: web.archive.org/web/20160430213618/https://oauth.googlecode.com/… web.archive.org/web/20160430213618/http://oauth.googlecode.com/… I made an example to use the Twitter API 1.1 in the browser: gist.github.com/baptx/ffb268758cd4731784e3 It is possible to back up favorites, following and followers: gist.github.com/baptx/1525f338d93fa01db4e0 –
Venator
The mentioned security problems can be solved via YQL: http://derek.io/blog/2010/how-to-secure-oauth-in-javascript/
At least to some extent. But then you rely on someone else's backend technology instead of your own or none - which was the original goal. –
Diarmit
I've written a generic OAuth 2.0 javascript library.
Can you post an example of how to authenticate to a custom Google App Engine application? I have been struggling with this for 2 days now. Your library doesn't seem to support the 3 callback URLs, OAuthGetRequestToken, OAuthAuthorizeToken and OAuthGetAccessToken? –
Son
If you're writing a Firefox (or other Mozilla) addon, consider oauthorizer. I'm using this for the latest version of goo.gl lite. However, I did hit some issues getting this approved for the Mozilla Add-Ons site, which I'm currently working through.