GMail and Google Calendar with OpenID and OAuth

openid_oauth

Have you ever wondered how you can display email and calendar events from Google in your own web site? Or how you can log in to your site using your Google account? Both staff and students at Norwegian School of Information Technology (NITH) use GMail and Google Calendar for internal communication. They hired BEKK to implement a new web site and intranet application. One of the features they wanted was GMail and Google Calendar integrated into their intranet, with a custom visual styling.

To achieve this we decided to use Google’s OpenID+OAuth hybrid protocol – a  draft specification proposed by Google.

OpenID is an open standard for web site authentication. An OpenID consumer web site (for example an intranet or a wiki) can delegate user authentication to a centralised OpenID provider web site (for example MyOpenID.com or Google). This means less usernames and passwords to remember for end-users and single-sign-on (SSO) becomes easy to implement.

OAuth is an open standard for web site authorisation. This lets an OAuth consumer web site send and retrieve private information to/from an OAuth provider web site on behalf of an end-user.

NITH was kind enough to let us share some of the code we developed for them to illustrate how all of this works. The result is a simple web application that you can try out with your own Google account. The source code is available under the MIT license and you can download it from GitHub. Both the sample application and the NITH.no site are hosted on Heroku, a top-notch hosting provider for Ruby on Rails running on top of Amazon’s EC2 cloud. The applications are written in Ruby on Rails, but you can easily implement similar functionality on other platforms such as JEE, .NET, PHP etc using freely available OpenID and OAuth libraries.

Let’s first look at the user workflow. (The workflow illustrated here is a slight modification of how NITH’s intranet works).

1) The user follows the Login link on the front page of the consumer application.

internet

2) The user is redirected to Google’s login page and logs in (OpenID authentication).

openid

3) The user authorises the Intranet application to access GMail and Google Calendar (OAuth).

oauth

4) The user is redirected back to the consumer application which displays GMail and Google Calendar.

intranet

If the user checks the “remember me” checkboxes, step 2 and 3 will be skipped in the future.

If you want to implement a similar integration with Google in your own application, here are the main steps:

Register your domain at Google

Google’s OAuth service requires any OAuth consumer to be pre-registered before it can use the service. To do this, go to Google’s Domain registration page and register information about your site. You only have to register the domain name.

Google will then provide you with a static HTML file that you must serve from your domain. When you have uploaded this HTML file, click “verify domain” on Google’s registration page.

Use your OAuth consumer secret

When you register your domain with Google, you will also be given an OAuth consumer secret (a simple String token) that your consumer application must use when connecting to Google. This consumer secret is bound to the domain name, so it cannot be used from any other host, including localhost.

Find an OpenID library that supports Google’s OpenID+OAuth hybrid protocol

This is the hardest part. The natural choice for a Rails application using OpenID is to use the “official” ruby-openid library. However, this library doesn’t support the hybrid protocol, so we had to use Aslak’s fork of Pelle Braendgaard’s ruby-openid fork. We also had to use Pelle’s slightly modified fork of Rails’ open_id_authentication library.

Until the OpenID+OAuth hybrid protocol becomes an official extension to the OpenID protocol you will not find support for it in all OpenID libraries, but they are all open source – so you have the freedom to add this yourself. Open source wins again.

Summing up

OpenID and OAuth are supported by an increasing number of libraries and web sites. Google is by no means the only site supporting the protocols (and to be honest – Google’s implementation deviates a little from the standard). If you are considering implementing some kind of single sign on we recommend you consider these protocols.

Denne posten er skrevet av Aslak Hellesøy og Thor Henrichsen og lagt ut 18/12/2009
Kategori Fri Programvare, Sikkerhet, Virksomhet 2.0, Webarkitektur
Merket som , , , , , , .
  • http://skkhadka.com.np shyam krishna khadka

    Very Nice article.But i wonder if there is a way to use hybrid protocol with localhost as well for testing or in development environment,though i have a domain registered for google.

  • Thor Marius Henrichsen

    @shyam: There might be a way of making it work from localhost, but we did not figure out how to accomplish this. It seems like the oauth secret key is bound to the domain making the oauth request. Instead we deployed our app to Heroku so that we could easily develop – deploy – run the application in a short cycle.

    If you find a way to make the hybrid protocol work from localhost please let us know!

  • http://skkhadka.com.np shyam krishna khadka

    Sorry i couldn’t find any way to work with localhost.
    I tried with several options but it didn’t work for me with reference to this documentation http://code.google.com/apis/accounts/docs/OAuth_ref.html#SigningOAuth
    Instead i deployed the application and made hybrid protocol work.

  • http://www.runerb.com Rune Botten

    I dont think you’re absolutely right about the OAuth consumer secret being tied to the registered domain, it can be used from localhost. It is tied to the registered domain in the sense that you can only redirect to that domain after authorization at Google. In that redirect is an oauth_verifier get-param which you need for swapping an authorized request token for an access token.

    Once you have that access token though, you can use it locally. I just confirmed this in IRB locally doing YouTube Data API requests with an access token, after copy-pasting the oauth_verifier from the Google redirect to my registered Heroku domain. The request token was created and swapped for an access token locally. If you plug something like Mechanize in there to authorize at Google and get the verifier from the redirect, you’d have at least the OAuth thing going for you locally.

    The hybrid protocol might be a whole other thing.

    I wrote a blog post on Ruby, OAuth and YouTube which should supply the needed info, http://runerb.com/2010/01/12/ruby-oauth-youtube.

  • http://twitter.com/aslak_hellesoy Aslak Hellesøy

    Thanks Rune. I’ll try this out the next time I use OAuth. You’re right that it might be a hybrid protocol thing – I haven’t really tried OAuth against any other OAuth providers.

  • http://www.skkhadka.com.np Shyam Krishna Khadka

    Thanks for nice article.
    But I wonder if there is a way so that users can login with their Google Apps account as well using Open ID + OAuth as in your example.
    Any suggestions are highly welcomed!!

  • http://twitter.com/aslak_hellesoy Aslak Hellesøy

    Shyam,

    I haven’t tested if use you Google Apps credentials to log into a site that uses Google as OpenID provider. I would think you can. If you have a Google Apps account you can try it out with our demo app.

  • http://www.skkhadka.com.np Shyam Krishna Khadka

    No I couldn’t find a way so that open Id authentication gets successful with google apps accout.
    I changed IDENTITY URL to “https://www.google.com/accounts/o8/site-xrds?hd=mydomain.com” which redirects user to Google Apps login page instead of Google login page and goes for OAuth process as in step #3 of above example.But when I click allow button,It says open Id Authentication failed.
    Any ideas????

  • http://www.bekk.no Thor Marius Henrichsen

    @Shyam

    We have actually implemented this with a GApps account. It’s a while since we did this now, so I don’t remember all the nitty gritty details. What I do remember is that we had the same problem until we figured out that we had to publish a xrds document at http://example.com/openid in order for the discovery to work. Google will access this URL in the openid discovery process.

    There’s also something about a host-meta document that should be hosted on http://example.com/.well-known/host-meta, but I don’t remember if the latter is really neccessary.

    Checkout http://nith.no/openid and http://nith.no/.well-known/host-meta for an example on how we did it.

  • http://doctusoft.com Antal Kiss

    Hi there!
    We just face the same problem, we can’t implement the authorization process to the gmail feeds.

    @Thor
    Could you upload the code, how to implement the gmail feeds with the GApps accounts?
    thanks

  • http://www.bekk.no Thor Marius Henrichsen

    @Antal: The code for doing OAuth is shared on GitHub. Checkout http://github.com/thormarius/oo for the code and http://oo-demo.heroku.com/ for an example on a live app that implements OpenID+OAuth with GMail and calendar feed.

  • Denis Lutz

    Hey great Article, thx a lot!
     I am looking at the deployed app at heroku. I am working on a feature where I want to create calendar events, while I am analysing the code, may be you guys can answer me upfront if this is possible and if there are any samles of it somewhere that I could look at.
    I know that the gem calledn gcal4ruby is doint it but I dont know if it integrates with the OAuth protocol.
    Thx in advance.

    Th