Package com.google.api.client.googleapis.auth.oauth

Google's additions to OAuth 1.0a authorization as specified in Google's OAuth API Reference (see detailed package specification).

See:
Description

Class Summary

GoogleOAuthAuthorizeTemporaryTokenUrl	Google OAuth 1.0a URL builder for a Google Accounts web page to allow the end user to authorize the temporary token.
GoogleOAuthDomainWideDelegation	Google's OAuth domain-wide delegation requires an e-mail address of the user whose data you are trying to access via GoogleOAuthDomainWideDelegation.requestorId on every HTTP request.
GoogleOAuthDomainWideDelegation.Url	Generic URL that extends GoogleUrl and also provides the GoogleOAuthDomainWideDelegation.Url.requestorId parameter.
GoogleOAuthGetAccessToken	Generic Google OAuth 1.0a URL to request to exchange the temporary credentials token (or "request token") for a long-lived credentials token (or "access token") from the Google Authorization server.
GoogleOAuthGetTemporaryToken	Generic Google OAuth 1.0a URL to request a temporary credentials token (or "request token") from the Google Authorization server.

Package com.google.api.client.googleapis.auth.oauth Description

Google's additions to OAuth 1.0a authorization as specified in Google's OAuth API Reference (see detailed package specification).

Package Specification

Before using this library, you need to set up your application as follows:

1. For a web application, you should first register your application at the Manage Your Domains page. See detailed instructions at the registration page. Take note of the following OAuth information you will need:
   • OAuth Consumer Key (same as your appspot domain): use this as the consumerKey on every OAuth request, for example in AbstractOAuthGetToken.consumerKey.
   • OAuth Consumer Secret: use this as the OAuthHmacSigner. clientSharedSecret when using the "HMAC-SHA1" signature method.
   • Upload new X.509 cert: See the instructions for generating a self-signing private key and public certificate. Use OAuthRsaSigner for this "RSA-SHA1" signature method.
     • Example for generating private key and public certificate:

       
       # Generate the RSA keys and certificate
       keytool -genkey -v -alias Example -keystore ./Example.jks\
         -keyalg RSA -sigalg SHA1withRSA\
         -dname "CN=myappname.appspot.com, OU=Engineering, O=My_Company, L=Mountain  View, ST=CA, C=US"\
         -storepass changeme -keypass changeme
       # Output the public certificate to a file
       keytool -export -rfc -keystore ./Example.jks -storepass changeme \
         -alias Example -file mycert.pem

2. For an installed application, an unregistered web application, or a web application running on localhost, you must use the "HMAC-SHA1" signature method. Use "anonymous" for the consumerKey and clientSharedSecret.

After the set up has been completed, the typical application flow is:

1. Request a temporary credentials token ("request token") from the Google Authorization server using GoogleOAuthGetTemporaryToken. A callback URL should be specified for web applications, but does not need to be specified for installed applications.
2. Direct the end user to a Google Accounts web page to allow the end user to authorize the temporary token using using GoogleOAuthAuthorizeTemporaryTokenUrl.
3. After the user has granted the authorization:
   • For web applications, the user's browser will be redirected to the callback URL which may be parsed using OAuthCallbackUrl.
   • For installed applications, use "" for the verification code.
4. Request to exchange the temporary token for a long-lived access token from the Google Authorization server using GoogleOAuthGetAccessToken. This access token must be stored.
5. Use the stored access token to authorize HTTP requests to protected resources in Google services by setting the OAuthParameters.token and using OAuthParameters as the HttpRequestInitializer.
6. For 2-legged OAuth, use GoogleOAuthDomainWideDelegation as a request execute interceptor to set the e-mail address of the user on every HTTP request, or GoogleOAuthDomainWideDelegation.Url as a generic URL builder with the requestor ID parameter.
7. To revoke an access token, use GoogleOAuthGetAccessToken.revokeAccessToken(com.google.api.client.http.HttpTransport, com.google.api.client.auth.oauth.OAuthParameters). Users can also manually revoke tokens from Google's change authorized websites page.

Warning: this package is experimental, and its content may be changed in incompatible ways or possibly entirely removed in a future version of the library

Since:

1.0

Author:

Yaniv Inbar