OAuth-WRAP Support

This is no longer supported. Refer to Google's authentication API documentation for supported techniques

1. Google’s Experimental OAuth-WRAP support

Google currently supports the use of the OAuth1.0/1.0a and OpenID/OAuth Hybrid protocols for accessing Google APIs (see documentation). Google is committed to providing support for OAuth2 in the future. As a milestone towards that goal, Google has implemented support for the OAuth-WRAP protocol which was a big influence on the design of OAuth2.

While Google does not plan to formally announce our OAuth-WRAP support, we are making it available on an experimental basis to show our progress towards support for OAuth2. Since OAuth-WRAP and OAuth2 share many of the same design characteristics, we are also hoping that some developers will leverage our experimental support to build prototypes of new types of applications that were very hard to create using OAuth1, but which are much easier on OAuth-WRAP and OAuth2.

2. Google’s Authorization Server OAuth-WRAP URLs

The OAuth-WRAP spec relies on the service provider, in this case Google, providing three primary URL endpoints. For Google those are:

User Authorization URL: https://www.google.com/accounts/WrapUserAuthorization

Access Token URL: https://www.google.com/accounts/WrapAccessToken

Refresh Token URL: https://www.google.com/accounts/WrapRefreshToken

3. Accessing a Protected Resource

The OAuth-WRAP Wrap spec enumerates a number of Profiles. A Profile, in brief, is a particular way of obtaining an access token, which is intended to solve a use case. Once you have the access token you always access a given data API (protected resource) in the same way as described in section 4 of the OAuth-WRAP spec. So one advantage of the protocol is that it groups together a number of use cases that were previously separate into a common process.

Sections 4.3-4.5 of the spec describe different ways to pass the access token in requests to the protected resource. Google supports all three methods to access a Protected Resource. For the techniques described in 4.4 and 4.5, the parameter name is wrap_access_token instead of access_token.

Google’s access tokens generally expire after an hour. Most profiles support refreshing the token in the same way, for example see section 6.2.8 of the spec.

4. Dev Token

The easiest way to experiment with OAuth-WRAP is to use the updated version of Google’s OAuth Playground. Follow the five steps in the playground (though leave step 2 set to RSA-SHA1) to authorize access to an API, such as Google Contacts, for a Google Account that you own. Once you have finished step 5, you can make a Google Contacts API request by posting the API endpoint URL into step 6, such as a request for a full dump of the address book. The URL for that is:

https://www.google.com/m8/feeds/contacts/default/full/

If you look in the bottom left hand corner, you will also notice a button labelled “get dev token.” If you press that button, then a “Test token” value will be displayed, along with information about how many seconds until it expires.

That token is an OAuth-WRAP access token, and can be used to make API requests to protected resources. For example, in your browser you can simply type

https://www.google.com/m8/feeds/contacts/default/full/?wrap_access_token=TOKEN

where TOKEN is replaced with the Test token value. You should then see a raw dump of your address book. The same screen that displays the token also describes how to use the popular curl utility to make API requests using that token. While it suggests sending the token in the HTTP header as “AuthSub token” you can also send it as the “WRAP access_token” to follow the exact OAuth-WRAP spec.

This developer token (OAuth-WRAP access token) makes it very easy for a developer to experiment with the Google APIs using their browser, or a tool such as curl. Google has started to mention this feature to our developer community, however we do not yet describe in our public documentation the method used to get the token, or the fact that it can be refreshed. We do not plan to do that until we support OAuth2.

5. Profiles

In addition to the OAuth Playground, there are four more common methods that a developer might use to get an access token with Google. There is a specific OAuth-WRAP profile for each method:

  • Web App Profile - Based on section 6.2 of the OAuth-WRAP spec

  • Rich App Profile - Based on section 6.3 of the OAuth-WRAP spec

  • JS Profile - The goal of this profile is to support access by pure-JavaScript without requiring any server side code. This use-case is not part of the OAuth-WRAP spec, but is part of the OAuth2 spec, so we are providing this profile as a milestone towards Google’s support of the OAuth2 JS profile. This profile is described below in “8. JavaScript Profile”

  • Bridge Profile - The goal of this profile is to enable an OAuth1.0/1.0a consumer to make a standard OAuth 1.0/1.0a signed request, and get back an OAuth-WRAP access token that can be used to access a protected resource as described in section 4 of the OAuth-WRAP spec. This use-case is not part of the OAuth-WRAP spec, but is part of the OAuth2 spec, so we are providing this profile as a milestone towards Google’s support of the OAuth2 JS profile. This profile is also used by the OAuth Playground to get the dev token. The Bride profile is described below in “9. Bridge Profile”

6. Google Data JS Library Support

One of the powerful properties of the OAuth-WRAP token is that the access token can be used without needing a digital signature. One way to leverage that property is to make cross-domain API calls directly from a JavaScript library. To make it easier to do this with Google APIs, Google has provided an experimental version of the JS library for our Google Data APIs that supports this mode. The main docs describe how to load this JS library, but for the experimental version you should instead use the command:

google.load('gdata', '2.x', { packages : ['experimental']});

A developer who wants to use that library can simply create a web browser cookie in their domain which contains the value of the access token. We refer to this as the “API cookie.” This is similar to the technique that Facebook’s JS library uses. Facebook uses the cookie name fbs_APP_ID while Google uses the cookie name g315. The Google cookie simply contains the value of the OAuth-WRAP access token.

A developer does not have to use the JS profile to get the access token for this API cookie. They can use any of the methods described above to get an access token, including using the OAuth Playground.

7. OAuth Widgets

Once a developer has the JS library working with OAuth, they can start to build JavaScript code on top of Google’s libraries. Google even provides specific JavaScript libraries based on JSON for manipulating specific APIs such as Google Contacts, Google Calendar, etc.

We use the term OAuth Widgets to refer to custom JavaScript code built on top of the Google Data JS library that use OAuth. Since these widgets are pure JavaScript, they can be written once and reused across websites. They will also work unmodified once Google formally supports OAuth2.

As an example, you can easily create an OAuth Widget to allow users to use type-ahead to choose email addresses from their Google Contact list to enter into a form input field.

We also want to work with the community to define standards so that these widgets can work with multiple service providers. In the example of the contact type-ahead widget, the widget should work with any service provider who supports OAuth2 and the Internet standard Portable Contacts API.

OAuth2 and Portable Contacts are a good step in the direction of standardizing OAuth widgets, but for true interoperability we need to standardize more layers of the open stack and the glue between the layers. We’re going to have a working session at the IIW conference, on May 17-19th 2010, to discuss - please join in the discussion if you’re interested.

8. JavaScript Profile

This Profile can be used to request an OAuth-WRAP access token directly from JavaScript running in a client browser.

The basics of the protocol are explained below. The user must be redirected to Google’s User Authorization URL with the following parameters:

  • wrap_client_id - The wrap_client_id parameter must be the host name and the port, if present, of the wrap_callback URL (this is also called the authority of the callback URL).

  • wrap_callback

  • wrap_scope

  • wrap_client_only=true

  • wrap_client_state - optional

If the user gives their approval, they are redirected to the callback URL. The access token and its expiration time are in the URL fragment, i.e., after the #. The following parameters are returned:

  • wrap_access_token

  • wrap_access_token_expires_in

  • wrap_client_state - if it was specified in the request

The above parameters are encoded as query parameters, and the resulting query string is put in the fragment.

The OAuth-WRAP access token has the same properties as an access token acquired in any of the other profiles.

If the user denies access, they are also redirected to the callback URL with the following parameters:

  • wrap_error_reason=user_denied

  • wrap_client_state - if it was specified in the request

9. Bridge Profile

To use this profile, the application (either web-app or installed-app) must first use Google’s current OAuth support to obtain an OAuth1 access token, NOT an OAuth-WRAP access token.

Advanced note: If the target user’s account is hosted on Google Apps for your Domain, then it is also possible to leverage Google’s special OAuth mode for those accounts.

The application can then make a signed OAuth1 request to the following Bridge URL

https://www.google.com/accounts/OAuthWrapBridge

Google returns two parameters

  • wrap_access_token

  • wrap_access_token_expires_in

This OAuth-WRAP access token has the same properties as an access token acquired in any of the other profiles.

10. Google App Engine and Microsoft Azure

If the developer is building a web application on Google App Engine, they can use Google’s OAuthProxy feature to make the signed OAuth1 requests to the Bridge URL. Once the App Engine app has the Access Token, it can use the standard App Engine URL Fetch function to make API calls. Alternatively, it can put the token in a cookie as described in section six above and use the token to make API calls directly from the JavaScript frontend of the web application.

Similarly, Microsoft’s Azure provides OAuth support in their Access Control Service. However Azure supports OAuth-WRAP directly instead of OAuth1. It should be possible to build an Azure application that uses their Access Control Service to connect directly to Google’s WRAP endpoints and obtain an OAuth-WRAP access token. If you get such an application working, please let us know. This will be another topic for a working session at the IIW conference, on May 17-19th 2010, to discuss - please join in the discussion if you’re interested.