46

I am planning to create an app that uses JavaScript and it needs to use OAuth to authenticate user for a website. Can anyone help me out please? Any sample code? I know about the Google Code Javascript OAuth library but I am not sure how to implement that..

Viswa

4 Answers

50

There is a JS client implementation for OAuth here: https://developers.google.com/identity/protocols/OAuth2UserAgent

It contains example code to get you running. Basically, what you do is this:

var url = "...";                 // URL of the protected resource you want to call
var accessor = {                 // credentials used to sign the request
  token: "...",                  // access token issued for the user
  tokenSecret: "...",            // secret belonging to that token
  consumerKey: "...",            // your application's (consumer) key
  consumerSecret: "..."          // your application's secret
};

var message = {                  // the request to be signed
  action: url,                   // request URL
  method: "GET",                 // HTTP method (part of the signature base string)
  parameters: {...}              // your own query parameters; oauth_* ones are added below
};

// Adds oauth_consumer_key, oauth_token, oauth_signature_method,
// oauth_timestamp, oauth_nonce and oauth_version to message.parameters.
OAuth.completeRequest(message, accessor);
// Computes oauth_signature over the method, URL and all parameters.
OAuth.SignatureMethod.sign(message, accessor);
// Put the signed parameter set on the query string of the request.
url = url + '?' + OAuth.formEncode(message.parameters);

// send request to 'url'
...

Cheers, Matthias

Matthias
  • I think the tokenSecret and consumerSecret parameters are supposed to be secret! How could they remain secret when downloaded to the browser?!!! – B Faley Feb 26 '10 at 20:04
  • By using SSL, for instance. But, yes, OAuth in a browser environment is certainly susceptible to security problems. – Matthias Feb 28 '10 at 13:47
  • Is this for OAuth 1.0a or 2.0? – IsmailS Jun 09 '11 at 03:54
  • 1.0(a). You make a good point though. If you have control over the service provider, too, I would suggest opting for OAuth 2, since it simplifies many of the things that developers and protocol implementors struggle with. – Matthias Jun 09 '11 at 07:30
  • Even if you use SSL, what is the difference? A man who made an SSL request and saved the response to his hard drive can read everything easily. And for public applications anyone can make such a request. It is completely insecure to use secret variables in JavaScript. – Vitalii May 23 '12 at 09:13
  • Why is it? Why is the 'secret' a secret from the user? It is no different from the session_id which is stored in a cookie. Just because it is named 'secret' does not make it a secret from everyone. – Mark Aug 07 '12 at 01:43
  • I'm a newbie. I managed to proceed with your answer. Could you please tell me how to send the request to 'url'? I tried var xhr = new XMLHttpRequest(); xhr.open("GET", url, true); xhr.send(); and it gives me a DOM exception. – har Mar 10 '13 at 14:56
  • I'm able to get the request token verifier from the library (http://oauth.googlecode.com/svn/code/javascript/), but got stuck in getting the access token. Can someone tell me where I'm doing it wrong? Here is the code: http://stackoverflow.com/questions/19239807/how-to-get-the-access-token-using-oauth-js-client-library – Nachiketha Oct 08 '13 at 06:05
  • @Mark: The consumerSecret is supposed to be secret even from the user. Say site Alice.com uses the OAuth service of Facebook. Now user Bob accesses site Alice.com via his Facebook credentials. Later on, an attacker gets the consumerSecret from the JS code and impersonates site Alice.com. He knows Bob is registered there. He creates a fake site for Bob to open when logged on to Facebook. Now the attacker gets access to all of Bob's personal details on Facebook. – Jus12 Oct 31 '13 at 05:22
  • @har for a GET request, you can simply do `document.location = url + '?' + OAuth.formEncode(message.parameters);` so you get the result in the web browser (I use the moz-rewrite addon to remove the Content-Disposition response header so Firefox doesn't force the download and displays the result with the JSONView addon). You can also use AJAX if you don't want to display the result, see http://www.w3schools.com/ajax/ajax_xmlhttprequest_send.asp. And if you want to use a POST request and display the result, you can create an HTML form with JavaScript, see http://stackoverflow.com/a/133997/1176454. – baptx Dec 09 '15 at 18:24
  • As of 13/5/2016 http://oauth.googlecode.com/svn/code/javascript/ is 404. If you're using this, grab the code quickly. – Malcolm Box May 13 '16 at 12:21
  • @MalcolmBox yes, here are the latest archived versions: https://web.archive.org/web/20160430213618/https://oauth.googlecode.com/svn/code/javascript/oauth.js https://web.archive.org/web/20160430213618/http://oauth.googlecode.com/svn/code/javascript/sha1.js I made an example to use the Twitter API 1.1 in the browser: https://gist.github.com/baptx/ffb268758cd4731784e3 It is possible to back up favorites, following and followers: https://gist.github.com/baptx/1525f338d93fa01db4e0 – baptx May 25 '18 at 17:31
11

The mentioned security problems can be solved via YQL: http://derek.io/blog/2010/how-to-secure-oauth-in-javascript/

thSoft
3

I've written a generic OAuth 2.0 JavaScript library.

Andreas Åkre Solberg
  • Can you post an example of how to authenticate to a custom Google App Engine application? I have been struggling with this for 2 days now. Your library doesn't seem to support the 3 callback URLs, `OAuthGetRequestToken`, `OAuthAuthorizeToken` and `OAuthGetAccessToken`? – May 19 '13 at 04:27
0

If you're writing a Firefox (or other Mozilla) addon, consider oauthorizer. I'm using this for the latest version of goo.gl lite. However, I did hit some issues getting this approved for the Mozilla Add-Ons site, which I'm currently working through.

Matthew Flaschen