Do we need to hide the google oauth client id? - google-api

everyone. I'm recently learning OAuth authentication. I'm playing around with google's oauth api. In the tutorial for Google Sign-In for server-side apps, in the third step - Initialize the GoogleAuth object, you need to provide the client id to initialize the GoogleAuth object. I'm just wondering if we need to keep the client id secret because right now anyone can find out what the client id is by looking into the javascript.

You don't need to hide the client ID, provided that you restricted access to specific JavaScript origins and redirect URI's on the server side. See more details on this Quora thread or this IETF thread.

Related

Google integration in web application

I want to integrate gmail and google calendar in my web application. I can login via google and make api calls to either gmail OR google calendar API, depending on the authorisation that I request from google.
I have not found a way to request authorisation for more than one APIs simultaneously. Is this even possible? Is it possible to receive one access token in order to use it for requests against more than one of Google's APIs?
As far as I know it can be done. If you try testing it in Google Oauth 2.0 Playground and select multiple API scopes.
"scope": "https://www.googleapis.com/auth/calendar https://mail.google.com/ https://www.googleapis.com/auth/drive"
It should look like this:
Hope this helps.

ID Token Verification doesn't actually require a client ID/audience?

While developing an iOS and Android app for a backend API, I'm using separate client IDs for each. However, I noticed something that I find odd, and I'm hoping someone can explain why this works and if it's ok to work this way.
What I noticed is that if my backend API code supplies the Google Sign In client object with a client ID during instantiation, then it must match the client ID used by iOS or Android. (The client ID is called "audience" in the Google API code.) However, if my backend API code do NOT supply the Google Sign In client object with a client ID, then iOS/Android will always validate.
This is how it works whether you use php, java, nodejs, etc.
I expected not using a client ID to fail, same as using a mismatched client ID.
So, my questions: Is it valid to have the backend server validate ID tokens without specifying a client ID? Is there anything wrong or unsafe with doing it this way? What's the point of having the second part of the if statement that checks to make sure that client.audience (if set) match idtoken.audience, if you can just leave client.audience blank and it works anyway?
I wonder about this because related documentation, such as the Android docs, state this as part of the verification process when authenticating with a backend:
The value of aud in the ID token is equal to one of your app's client IDs. This check is necessary to prevent ID tokens issued to a malicious app being used to access data about the same user on your app's backend server.
If the point is to prevent malicious apps from doing bad things, why is valid to simply not use a client ID during verification?
Thanks in advance! I'm hoping someone can help me understand this. I haven't found a solid answer in Google's documentation.

Can the Google API request details about itself?

Facebook Applications can request details about themselves, which is helpful as we only need to grab the id and secret for an application and can load the rest from Facebook. Is it possible to do the same with googles API acces?
It doesn't seem possible to introspect with the Google API.

Api and consumer flow

I am developing an API for a social network website. This API will basically get all the requests from the users (get friend list, post a status update etc) and reply back if necessary.
We will implement OAuth 2.0 protocol for authentication. Consumer (our php project) has API id and secret.
Basic scenario:
Client wants to log in
API Consumer (php web project) takes this request, directs user to API
User send his/her user credentials to the api, gets the token.
User comes back to our website, pass token to the consumer.
Consumer goes to the api server, gets the access token.
Now consumer (php project) has access to user's private information.
Since this is a social network website, we want app developers to be able to use our API in the future.
I am not experienced in API-design. Does that flow make sense? I guess the simplest authentication would be accessing user information through php project. But we don't want to access database in php code. We will use ajax in client side and send a request to the API. And I believe there should be a better solution, what would you suggest?
Sure, API design is basically point where you need to choose technology.
Either it can be PHP or .net or Java.
I would prefer either PHP or .Net as we get lot of flexibility in it.
API will return XML or Json depending upon the request.
There are lot of CMS in php which can be helped.
.net we have Service Stack to help you.
API's had to be fully independent from other world as well as within API method as well.
If you are able to achieve this, then you will surely create a good architecture.

how to interpret google api oauth callback

i'm attempting to gain access to my own gmail account via a sinatra app i'm building. i'm sending a request to the google api in the form of
https://accounts.google.com/o/oauth2/auth?response_type=code&&scope=https://mail.google.com/+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile&client_id=XXXXXXXXXXXX.apps.googleusercontent.com&redirect_uri=http://localhost:9393/oauth2callback&access_type=online
and after I authorize the app via google's web interface, i'm getting what appears to be a correct callback to my own sinatra app. I'm unclear what I do next in this process. what i'm getting from the google auth system looks like
http://localhost:9393/oauth2callback?code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
I'm then attempting to use the xoauth gem to then query google for information about my account, ie, https://github.com/nfo/gmail_xoauth
My hope is that the xxxxxx.yyyy string above corresponds in some way to value of
:token as written in the xoauth gem documentation. when I run a local script to check if things are working correctly, i'm getting a Invalid credentials (Failure) (Net::IMAP::NoResponseError)
the documentation i'm using to understand the oauth process is https://developers.google.com/accounts/docs/OAuth2WebServer
i don't think i'm handling the callback correctly or either i'm misinterpreting what it is.
Thoughts?
Google has only added support for OAuth 2 authorization for GMail IMAP/SMTP recently. The library you are using however does not support this yet.
So your options are:
Improving the library yourself (would be my recommendation)
Waiting for the library to update
Falling back to the already deprecated OAuth 1

Resources