
Have you ever wondered how you can display email and calendar events from Google in your own web site? Or how you can log in to your site using your Google account? Both staff and students at Norwegian School of Information Technology (NITH) use GMail and Google Calendar for internal communication. They hired BEKK to implement a new web site and intranet application. One of the features they wanted was GMail and Google Calendar integrated into their intranet, with a custom visual styling.
To achieve this we decided to use Google’s OpenID+OAuth hybrid protocol – a draft specification proposed by Google.
OpenID is an open standard for web site authentication. An OpenID consumer web site (for example an intranet or a wiki) can delegate user authentication to a centralised OpenID provider web site (for example MyOpenID.com or Google). This means fewer usernames and passwords for end users to remember, and single sign-on (SSO) becomes easy to implement.
OAuth is an open standard for web site authorisation. This lets an OAuth consumer web site send and retrieve private information to/from an OAuth provider web site on behalf of an end-user.
NITH was kind enough to let us share some of the code we developed for them to illustrate how all of this works. The result is a simple web application that you can try out with your own Google account. The source code is available under the MIT license and you can download it from GitHub. Both the sample application and the NITH.no site are hosted on Heroku, a top-notch hosting provider for Ruby on Rails running on top of Amazon’s EC2 cloud. The applications are written in Ruby on Rails, but you can easily implement similar functionality on other platforms such as JEE, .NET, PHP etc using freely available OpenID and OAuth libraries.
Let’s first look at the user workflow. (The workflow illustrated here is a slight modification of how NITH’s intranet works).
1) The user follows the Login link on the front page of the consumer application.

2) The user is redirected to Google’s login page and logs in (OpenID authentication).

3) The user authorises the Intranet application to access GMail and Google Calendar (OAuth).

4) The user is redirected back to the consumer application which displays GMail and Google Calendar.

If the user checks the “remember me” checkboxes, steps 2 and 3 will be skipped in the future.
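To make the consumer side of steps 2 and 4 concrete, here is an added example (not code from the original post or from NITH’s intranet) of the two pieces a consumer implements: building the OpenID checkid_setup redirect that carries the OpenID+OAuth hybrid extension, and validating the parameters the provider appends to return_to before the claimed identity or the request token is trusted. The parameter names come from the OpenID 2.0 specification and the OpenID OAuth Extension draft; the realm, return_to, scope and all token values are assumptions, and the sample response is constructed for the example.

```ruby
require "uri"
require "set"

# Added example (not from the original post or NITH's code). Namespace and
# endpoint constants are from the OpenID 2.0 spec, the OpenID OAuth Extension
# draft and Google's OpenID endpoint of the time; everything else is assumed.
OPENID_NS          = "http://specs.openid.net/auth/2.0"
OAUTH_EXT_NS       = "http://specs.openid.net/extensions/oauth/1.0"
IDENTIFIER_SELECT  = "http://specs.openid.net/auth/2.0/identifier_select"
GOOGLE_OP_ENDPOINT = "https://www.google.com/accounts/o8/ud"

# Step 2: the redirect that sends the user to Google. The openid.oauth.*
# fields ask the provider to hand back an already-authorised OAuth request
# token for `scope` together with the identity assertion; that is the "hybrid".
def hybrid_login_url(realm:, return_to:, consumer:, scope:, endpoint: GOOGLE_OP_ENDPOINT)
  params = {
    "openid.ns"             => OPENID_NS,
    "openid.mode"           => "checkid_setup",
    "openid.claimed_id"     => IDENTIFIER_SELECT,
    "openid.identity"       => IDENTIFIER_SELECT,
    "openid.realm"          => realm,
    "openid.return_to"      => return_to,
    "openid.ns.oauth"       => OAUTH_EXT_NS,
    "openid.oauth.consumer" => consumer,
    "openid.oauth.scope"    => scope,
  }
  "#{endpoint}?#{URI.encode_www_form(params)}"
end

# Extensions are addressed by alias, and the provider may answer under a
# different alias ("ext2") than the one we sent ("oauth"), so resolve it by
# namespace value rather than assuming the name.
def oauth_alias(params)
  key, _ = params.find { |k, v| k.start_with?("openid.ns.") && v == OAUTH_EXT_NS }
  key && key.delete_prefix("openid.ns.")
end

# Step 4: validate the query string appended to return_to. The cryptographic
# signature check itself is done against the provider (shared association or
# check_authentication) by the OpenID library and is modelled here by the
# block; the remaining checks are the consumer's own responsibility.
def consume_hybrid_response(query, expected_return_to:, seen_nonces: Set.new, &signature_valid)
  p = Hash[URI.decode_www_form(query)]
  raise "not an OpenID 2.0 response" unless p["openid.ns"] == OPENID_NS
  raise "login cancelled or failed" unless p["openid.mode"] == "id_res"
  # An assertion is only valid for the return_to it was requested for.
  raise "return_to mismatch" unless p["openid.return_to"] == expected_return_to
  # response_nonce is unique per assertion; remembering it blocks replays.
  raise "response replayed" unless seen_nonces.add?(p["openid.response_nonce"])
  ext = oauth_alias(p) or raise "OAuth extension missing from response"
  signed = p.fetch("openid.signed", "").split(",")
  # The signature must cover the identity fields and the OAuth fields; an
  # unsigned request_token could have been inserted on the way back to us.
  required = %w[op_endpoint return_to response_nonce assoc_handle claimed_id identity] +
             ["ns.#{ext}", "#{ext}.request_token"]
  missing = required - signed
  raise "unsigned fields: #{missing.join(',')}" unless missing.empty?
  raise "signature check failed" unless signature_valid.call(p)
  { claimed_id: p["openid.claimed_id"], request_token: p["openid.#{ext}.request_token"] }
end

# Constructed sample of a successful return_to redirect (values are made up;
# a real assertion carries a provider-issued nonce, handle and signature).
SAMPLE_RESPONSE = URI.encode_www_form(
  "openid.ns"                 => OPENID_NS,
  "openid.mode"               => "id_res",
  "openid.op_endpoint"        => GOOGLE_OP_ENDPOINT,
  "openid.claimed_id"         => "https://www.google.com/accounts/o8/id?id=EXAMPLE-ID",
  "openid.identity"           => "https://www.google.com/accounts/o8/id?id=EXAMPLE-ID",
  "openid.return_to"          => "https://intranet.example.com/session",
  "openid.response_nonce"     => "2010-01-01T00:00:00Zabc123",
  "openid.assoc_handle"       => "EXAMPLE-HANDLE",
  "openid.ns.ext2"            => OAUTH_EXT_NS,
  "openid.ext2.request_token" => "EXAMPLE-REQUEST-TOKEN",
  "openid.ext2.scope"         => "https://mail.google.com/mail/feed/atom",
  "openid.signed"             => "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext2,ext2.request_token,ext2.scope",
  "openid.sig"                => "EXAMPLE-SIGNATURE"
)

if $PROGRAM_NAME == __FILE__
  puts hybrid_login_url(realm: "https://intranet.example.com/",
                        return_to: "https://intranet.example.com/session",
                        consumer: "intranet.example.com",
                        scope: "https://mail.google.com/mail/feed/atom")
  result = consume_hybrid_response(SAMPLE_RESPONSE,
                                   expected_return_to: "https://intranet.example.com/session") { |_| true }
  puts result.inspect
end
```

The request token returned in step 4 is already authorised by the user (that was step 3), so the consumer's next call is the access-token exchange; the checks above are what stand between an attacker-crafted redirect and that exchange, which is why the OAuth fields are required to be in openid.signed.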
If you want to implement a similar integration with Google in your own application, here are the main steps:
Register your domain at Google
Google’s OAuth service requires any OAuth consumer to be pre-registered before it can use the service. To do this, go to Google’s Domain registration page and register information about your site. You only have to register the domain name.
Google will then provide you with a static HTML file that you must serve from your domain. When you have uploaded this HTML file, click “verify domain” on Google’s registration page.
Use your OAuth consumer secret
When you register your domain with Google, you will also be given an OAuth consumer secret (a simple String token) that your consumer application must use when connecting to Google. This consumer secret is bound to the domain name, so it cannot be used from any other host, including localhost.
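What the consumer secret is actually used for, as an added example that is not code from the original post or from NITH: under OAuth 1.0 the secret never travels in a request; it keys the HMAC-SHA1 signature over every request, so the provider can check that the call came from the registered consumer and was not altered in transit. The request shown is the exchange of the request token obtained from the hybrid login for an access token. The token and secret values are assumptions, the access-token URL is Google’s OAuth endpoint of the time, and the signature construction follows the OAuth 1.0 specification (RFC 5849).

```ruby
require "openssl"
require "base64"
require "uri"

# Added example (not from the original post or NITH's code). The endpoint is
# Google's OAuth 1.0 access-token URL of the time; all key, token and secret
# values are constructed placeholders.
ACCESS_TOKEN_URL = "https://www.google.com/accounts/OAuthGetAccessToken"

# OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay as-is.
def oauth_escape(s)
  s.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| "%%%02X" % c.ord }
end

# The signature base string: method, base URI and the normalised parameters,
# each encoded once more and joined with "&". Default ports are assumed.
def signature_base_string(method, url, params)
  uri = URI(url)
  base_uri = "#{uri.scheme.downcase}://#{uri.host.downcase}#{uri.path}"
  normalized = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join("&")
  [method.upcase, base_uri, normalized].map { |s| oauth_escape(s) }.join("&")
end

# HMAC-SHA1 keyed with "consumer_secret&token_secret". This is the only place
# the consumer secret is used; it is never sent to the provider.
def hmac_sha1_signature(base_string, consumer_secret, token_secret = "")
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha1"), key, base_string))
end

# Consumer side: sign the oauth_* parameters (plus any query parameters) and
# return the oauth_* set with oauth_signature added.
def sign_request(method, url, oauth_params, consumer_secret, token_secret: "", extra_params: {})
  base = signature_base_string(method, url, oauth_params.merge(extra_params))
  oauth_params.merge("oauth_signature" => hmac_sha1_signature(base, consumer_secret, token_secret))
end

# Render the signed parameters as an Authorization header.
def authorization_header(signed_params)
  pairs = signed_params.select { |k, _| k.start_with?("oauth_") }
                       .sort
                       .map { |k, v| %(#{oauth_escape(k)}="#{oauth_escape(v)}") }
  "OAuth #{pairs.join(', ')}"
end

# Provider side: recompute the signature with the secret on file for this
# consumer key and compare in constant time, so that a wrong secret, a changed
# method/URL or an altered parameter all fail.
def signature_valid?(method, url, params, consumer_secret, token_secret = "")
  presented = params["oauth_signature"].to_s
  unsigned = params.reject { |k, _| k == "oauth_signature" }
  expected = hmac_sha1_signature(signature_base_string(method, url, unsigned), consumer_secret, token_secret)
  return false unless presented.bytesize == expected.bytesize
  presented.bytes.zip(expected.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Constructed parameters for the access-token exchange. The request token is
# the one returned by the hybrid login, already authorised by the user.
EXAMPLE_PARAMS = {
  "oauth_consumer_key"     => "intranet.example.com",
  "oauth_token"            => "EXAMPLE-REQUEST-TOKEN",
  "oauth_signature_method" => "HMAC-SHA1",
  "oauth_timestamp"        => "1262304000",
  "oauth_nonce"            => "d41d8cd98f00",
  "oauth_version"          => "1.0",
}

if $PROGRAM_NAME == __FILE__
  signed = sign_request("GET", ACCESS_TOKEN_URL, EXAMPLE_PARAMS, "EXAMPLE-CONSUMER-SECRET",
                        token_secret: "EXAMPLE-TOKEN-SECRET")
  puts signature_base_string("GET", ACCESS_TOKEN_URL, EXAMPLE_PARAMS)
  puts authorization_header(signed)
  puts signature_valid?("GET", ACCESS_TOKEN_URL, signed, "EXAMPLE-CONSUMER-SECRET", "EXAMPLE-TOKEN-SECRET")
end
```

Because the signature covers the method, the URL and every parameter, the provider-side check also rejects a request whose parameters were edited after signing, which is the property the consumer secret buys you beyond identifying the consumer.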
Find an OpenID library that supports Google’s OpenID+OAuth hybrid protocol
This is the hardest part. The natural choice for a Rails application using OpenID is to use the “official” ruby-openid library. However, this library doesn’t support the hybrid protocol, so we had to use Aslak’s fork of Pelle Braendgaard’s ruby-openid fork. We also had to use Pelle’s slightly modified fork of Rails’ open_id_authentication library.
Until the OpenID+OAuth hybrid protocol becomes an official extension to the OpenID protocol, you will not find support for it in all OpenID libraries, but they are all open source, so you have the freedom to add this yourself. Open source wins again.
Summing up
OpenID and OAuth are supported by an increasing number of libraries and web sites. Google is by no means the only site supporting the protocols (and to be honest – Google’s implementation deviates a little from the standard). If you are considering implementing some kind of single sign-on, we recommend you consider these protocols.
9 Comments
Very nice article. But I wonder if there is a way to use the hybrid protocol with localhost as well, for testing or in a development environment, though I have a domain registered for Google.
@shyam: There might be a way of making it work from localhost, but we did not figure out how to accomplish this. It seems like the oauth secret key is bound to the domain making the oauth request. Instead we deployed our app to Heroku so that we could easily develop – deploy – run the application in a short cycle.
If you find a way to make the hybrid protocol work from localhost please let us know!
Sorry, I couldn’t find any way to work with localhost.
I tried with several options, but it didn’t work for me, with reference to this documentation: http://code.google.com/apis/accounts/docs/OAuth_ref.html#SigningOAuth
Instead I deployed the application and made the hybrid protocol work.
I don’t think you’re absolutely right about the OAuth consumer secret being tied to the registered domain; it can be used from localhost. It is tied to the registered domain in the sense that you can only redirect to that domain after authorization at Google. In that redirect is an oauth_verifier GET param which you need for swapping an authorized request token for an access token.
Once you have that access token though, you can use it locally. I just confirmed this in IRB locally doing YouTube Data API requests with an access token, after copy-pasting the oauth_verifier from the Google redirect to my registered Heroku domain. The request token was created and swapped for an access token locally. If you plug something like Mechanize in there to authorize at Google and get the verifier from the redirect, you’d have at least the OAuth thing going for you locally.
The hybrid protocol might be a whole other thing.
I wrote a blog post on Ruby, OAuth and YouTube which should supply the needed info, http://runerb.com/2010/01/12/ruby-oauth-youtube.
Thanks Rune. I’ll try this out the next time I use OAuth. You’re right that it might be a hybrid protocol thing – I haven’t really tried OAuth against any other OAuth providers.
Thanks for nice article.
But I wonder if there is a way so that users can login with their Google Apps account as well using Open ID + OAuth as in your example.
Any suggestions are highly welcomed!!
Shyam,
I haven’t tested if you can use your Google Apps credentials to log into a site that uses Google as OpenID provider. I would think you can. If you have a Google Apps account you can try it out with our demo app.
No, I couldn’t find a way to make OpenID authentication succeed with a Google Apps account.
I changed IDENTITY URL to “https://www.google.com/accounts/o8/site-xrds?hd=mydomain.com”, which redirects the user to the Google Apps login page instead of the Google login page and goes through the OAuth process as in step #3 of the above example. But when I click the allow button, it says OpenID authentication failed.
Any ideas????
@Shyam
We have actually implemented this with a GApps account. It’s a while since we did this now, so I don’t remember all the nitty gritty details. What I do remember is that we had the same problem until we figured out that we had to publish a xrds document at http://example.com/openid in order for the discovery to work. Google will access this URL in the openid discovery process.
There’s also something about a host-meta document that should be hosted on http://example.com/.well-known/host-meta, but I don’t remember if the latter is really necessary.
Check out http://nith.no/openid and http://nith.no/.well-known/host-meta for an example of how we did it.