
Tuesday, June 7, 2011

Smart Login for Smart Applications

Do you design Web Applications?
Would you like to develop sites that offer a personalized service to your customers?
If your answer is yes, you have to step into the world of OAuth and OpenID, if you haven't done so yet.

The first thing to do is to make clear what you can achieve.

Your application (call it myApp) has to set up, for security and privacy reasons, a login page, and you need to make sure that the user really is who he claims to be... and not an information thief.

On the other hand, users get bored if they have to enter their User ID and Password every time, and when forced to log in repeatedly they sometimes make mistakes.

To avoid all that:

It is possible to require, the first time a user logs in, only the email address used for his Google account (or Facebook, LinkedIn, Twitter...).

If the user is already logged in:

  • Google steps in and asks: Dear user, do you really want me to talk with my friend myApp and pass it the data it needs?
  • The user answers yes and you're done... everything is easy!

If the user is not connected:
  • He/she logs in directly to Google, without providing the password to myApp
  • For you, one problem less; for users, extra safety


Moreover...

Next time, myApp (together with Google) may let the user in without (apparently) any preliminary operation... it just asks: dear Mary, is it really you?

Great Advantages:

For Users:

  • They are spared an annoying and error-prone process and can access personal information and applications.


For you... it is an open door to a new world!
You can offer your Users:
  • far easier access, if already connected to Google or Yahoo or Facebook
  • personalized services (you know who they are)
  • greater functionality, integrating (for example) with Google Apps or Social Networks
  • the capability to tell friends (by word of mouth) how good myApp is


Behind the Scenes

...there are OpenID and OAuth


OpenID lets you identify the user and make (nearly) certain that he is not cheating...
In technical terms this is called Identification or Authentication.

But myApp also needs some other information: name, address, document list...
and OAuth lets myApp (the Consumer) get that data directly from Google, Facebook or nearly any other Service Provider.
Service Providers give Consumers the key to this information by means of an authorization token (an opaque string).

Before starting the process, myApp has to be registered with the Service Provider. For example, Google requires:
  • the Application URL
  • the Callback URL that the service provider will redirect to after the authorization process (like Ajax callback functions)
  • the Application Scope, used by Google to decide which data to supply to myApp



The process
Here is an example of a login screen:


  • The user enters his Google account email and chooses the Google button.
  • The user is redirected to a Google page saying that myApp requires authorization within the declared scope.
  • If the user denies, Google returns an error code to myApp and the process ends.
  • If the user accepts, Google returns an authorization code to myApp.
  • myApp sends the authorization code to Google in a POST, together with its client secret (issued by Google along with the Application ID).
  • Google returns the access token.
  • myApp can use the access token to get the user's resources.




Just a bit of code...
Just a few lines of code implement what has just been described.
We are going to use the following Google library:

http://code.google.com/p/google-api-java-client/wiki/DeveloperGuide


1) To build the URL for user redirect:

/* imports needed by both snippets (google-api-java-client, 1.x "draft10" OAuth 2.0 package) */
import com.google.api.client.auth.oauth2.draft10.AccessTokenResponse;
import com.google.api.client.googleapis.auth.oauth2.draft10.GoogleAuthorizationCodeGrant;
import com.google.api.client.googleapis.auth.oauth2.draft10.GoogleAuthorizationRequestUrl;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson.JacksonFactory;

/* to ask for more than one scope, list them separated by spaces */
String SCOPE = "https://www.google.com/m8/feeds/";
/* the callback URL registered with Google; it must match exactly */
String CALLBACK_URL = "http://mia_callbackurl";
HttpTransport TRANSPORT = new NetHttpTransport();
JsonFactory JSON_FACTORY = new JacksonFactory();

/* the credentials Google issued when myApp was registered */
String CLIENT_ID = "mio_client_id";
String CLIENT_SECRET = "mio_client_secret";

/* this is the URL the user's browser is redirected to */
String authorizeUrl = new GoogleAuthorizationRequestUrl(CLIENT_ID, CALLBACK_URL, SCOPE).build();

2) After the user clicks OK, Google redirects to our callback URL with the authorization code, which we can exchange for an access token in the following way:

/* "request" is the HttpServletRequest received at CALLBACK_URL */
String authorizationCode = request.getParameter("code");
GoogleAuthorizationCodeGrant authRequest = new GoogleAuthorizationCodeGrant(TRANSPORT,
        JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, authorizationCode, CALLBACK_URL);
/* send client id and secret in the POST body rather than as HTTP Basic authentication */
authRequest.useBasicAuthorization = false;
AccessTokenResponse authResponse = authRequest.execute();

/* the access token we can then use to access the user's resources */
String accessToken = authResponse.accessToken;
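The servlet below ties the steps of "The process" and the two snippets just shown into one request handler. It is an added example, not code from the original post or from the google-api-java-client project. Assumed (not on the page): the import paths, which follow the 1.x "draft10" package layout of that library; the servlet being mapped to the callback URL; and the OAuth 2.0 `state` parameter, generated per login and kept in the HTTP session, which lets myApp reject a callback that was not started from this browser session. It also handles the error code Google returns when the user denies, the branch the process description mentions but the snippets above leave out.

```java
// Added example (not from the original post): the login flow end to end.
// Assumed: import paths (1.x "draft10" package of google-api-java-client),
// the servlet mapping to CALLBACK_URL, and the session-bound "state" value.
package myapp;

import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.google.api.client.auth.oauth2.draft10.AccessTokenResponse;
import com.google.api.client.googleapis.auth.oauth2.draft10.GoogleAuthorizationCodeGrant;
import com.google.api.client.googleapis.auth.oauth2.draft10.GoogleAuthorizationRequestUrl;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson.JacksonFactory;

public class GoogleLoginServlet extends HttpServlet {

    // Placeholders: substitute the values Google issued when myApp was registered.
    private static final String CLIENT_ID = "mio_client_id";
    private static final String CLIENT_SECRET = "mio_client_secret";
    private static final String CALLBACK_URL = "http://mia_callbackurl";
    private static final String SCOPE = "https://www.google.com/m8/feeds/";

    private static final HttpTransport TRANSPORT = new NetHttpTransport();
    private static final JsonFactory JSON_FACTORY = new JacksonFactory();
    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(true);
        String code = request.getParameter("code");
        String error = request.getParameter("error");

        // First visit (no code, no error): build the redirect URL and send the user to Google.
        // The random "state" is remembered in the session so the callback can be matched to it.
        if (code == null && error == null) {
            String state = new BigInteger(130, RANDOM).toString(32);
            session.setAttribute("oauth_state", state);
            GoogleAuthorizationRequestUrl url =
                    new GoogleAuthorizationRequestUrl(CLIENT_ID, CALLBACK_URL, SCOPE);
            url.state = state;  // assumed: public "state" field on the request URL class
            response.sendRedirect(url.build());
            return;
        }

        // Every callback must carry back the state issued to this session; a mismatch means
        // the code did not come from a login this browser started, so it is not accepted.
        String expectedState = (String) session.getAttribute("oauth_state");
        session.removeAttribute("oauth_state");
        if (expectedState == null || !expectedState.equals(request.getParameter("state"))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "state mismatch");
            return;
        }

        // The user denied access: Google reports it in the "error" parameter and the process ends.
        if (error != null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "authorization denied: " + error);
            return;
        }

        // The user accepted: exchange the one-time authorization code for an access token
        // with a server-to-server POST that carries the client secret.
        GoogleAuthorizationCodeGrant grant = new GoogleAuthorizationCodeGrant(
                TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, code, CALLBACK_URL);
        grant.useBasicAuthorization = false;
        AccessTokenResponse tokens = grant.execute();

        // Keep the access token server side, in the session; it is never sent to the browser.
        session.setAttribute("google_access_token", tokens.accessToken);
        response.sendRedirect("/home");
    }
}
```

The same servlet serves both the first request and the callback, which keeps the `state` value and the registered callback URL in one place. The client secret never leaves the server: it travels only in the POST from myApp to Google, and the access token obtained in exchange stays in the server-side session.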


What we are working on...

We are building a Web Application Cluster open to all GTUGers.
Not only demos but working applications.
Authorization will be provided with the methods just described (OpenID 2.0 and OAuth 2.0).



References

OAuth 2.0 Specification: http://tools.ietf.org/html/draft-ietf-oauth-v2-16

OAuth Protocol in Google: http://code.google.com/intl/it-IT/apis/accounts/docs/OAuth2.html#SS

Google SCOPE list: http://code.google.com/intl/it-IT/apis/gdata/faq.html#AuthScopes

Libraries Download: http://code.google.com/p/google-api-java-client/wiki/Setup

OpenID: http://code.google.com/apis/accounts/docs/OpenID.html

Working Examples: http://www.puffypoodles.com/lso

Federated Login: https://sites.google.com/site/oauthgoog/UXFedLogin/emailonlylogin

Antonella Blasetti (Lazio, Italy)

1 comment:

looks like an awesome article. But, the pics are broken. Please fix them
