Input Capable Devices

Currently Google's OAuth for Installed Applications support is designed for applications/devices that can launch a full web browser. However some devices like an XBox, AppleTV, Camera, etc. cannot launch a full browser. In the future Google will be launching an enhancement to its OAuth support to make it easier to handle this situation, but it is not yet available. To help guide device developers, we are documenting our current thoughts on how this enhancement will work. We also describe how a sophisticated developer could get this to work today without waiting on enhancements from Google.

Lets say the device is a Camera made by CoolPics, and it wants to include a feature to automatically upload photos to Google's Picasa service. The camera's onscreen menu would provide an option to "Connect to Google." Once selected, the user would be told to visit a URL hosted by CoolPics such as www.coolpics.com/connect on their computer. When the user opened that page, they would be shown an explanation of the process that is about to happen, and a button on the web page to "Connect to Google." Once that button was pressed, the user would be redirected to Google where they would need to login if they had not previously done so, and then they would be shown a standard OAuth approval page that asks if the device can access their Picasa service. Assuming the user says yes, they will be redirected back to the CoolPics website to another page. That page would display a code that Google's servers had generated and included in the URL redirect back to CoolPics. The page could then provide pictures, or even a video, of how to use the camera's onscreen menu to enter that code into the "Connect to Google" wizard. If they entered the code properly, then the device would now have access to the user's photos.

This approach will require the device developer to perform the user interaction steps of OAuth from a website, and the device will only need to make a simple REST API call to Google to swap the code for a long-lived OAuth token. That token can then be used in the future to make API calls as described in Google's OAuth WRAP documentation for accessing a protected resources.

If you do not want to wait for Google to add this enhancement, it is possible to achieve the same user experience today by having the example CoolPics website use the standard OAuth for Installed Applications flow, and then generate its own code that will be displayed to the user. In that case, the device will need to make a REST API call to the CoolPics server to swap the code for the long-lived OAuth token and secret that the CoolPics server received from Google.