ahn / vaadin-oauthpopup

OAuth Popup Add-on for Vaadin 7.1+
Apache License 2.0

Add support for Google OAuth2 #2

Open mstahv opened 10 years ago

mstahv commented 10 years ago

The add-on doesn't work out of the box (at least not very stably) with Google OAuth2 (aka Google Plus authentication). The problem is that the response hook is dynamic (an increasing number in the address).

My solution was just to make the response address static: https://github.com/mstahv/vaadin-oauthpopup/commit/b409b34624054c5357314944394f51ac24defde1

Don't know if it is a properly working generic solution, but works for me.

ahn commented 10 years ago

Yes, it seems Google requires the response address to be exactly as defined in the application settings, even for the query parameters.

Your static address solution works if there's only one OAuth button in the application.

This addon uses the ?oauthpopupcallback=123 parameter to know for which button the response is. This doesn't work with Google+ and in general is not the best possible solution...

A proper OAuth2 standard solution would be to use a URI parameter named "state" in the authorization URL, i.e. https://accounts.google.com/o/oauth2/auth?client_id=XXX&response_type=token&state=123

Now Google would add the same "state" parameter to the response URL, i.e. redirect to https://mydomain.fi/oauth2callback?state=123

This would require some changes to this addon. There are also other things where this addon is not doing things properly for OAuth2, which may cause problems, e.g. different response_types. Hopefully I can implement/fix them at some point. I didn't know that much about OAuth when I created this addon... :)
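
The "state" approach described in the comment above, as an added example that is not code from the add-on or from pull request #11: the redirect address stays static and the callback is matched to its button through a random, single-use state value. The class name `StateRegistry`, its methods and the button id `button-1` are hypothetical; the endpoint, `client_id=XXX` and callback address are the ones quoted in the thread.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper (not part of vaadin-oauthpopup): routes callbacks by "state". */
public class StateRegistry {
    private static final SecureRandom RNG = new SecureRandom();
    // state value -> id of the button that started the flow (one entry per pending flow)
    private final Map<String, String> pending = new ConcurrentHashMap<>();

    /** Builds the authorization URL; the redirect URI is static, only "state" varies. */
    public String authorizationUrl(String authEndpoint, String clientId,
                                   String redirectUri, String buttonId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw); // unguessable, unlike an increasing counter
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(state, buttonId);
        return authEndpoint
                + "?client_id=" + enc(clientId)
                + "&response_type=token" // as in the URL quoted in the thread
                + "&redirect_uri=" + enc(redirectUri)
                + "&state=" + enc(state);
    }

    /** Resolves the button for a callback; a state is accepted once, unknown ones never. */
    public Optional<String> resolve(String stateFromCallback) {
        if (stateFromCallback == null) return Optional.empty();
        return Optional.ofNullable(pending.remove(stateFromCallback));
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        StateRegistry reg = new StateRegistry();
        String url = reg.authorizationUrl("https://accounts.google.com/o/oauth2/auth",
                "XXX", "https://mydomain.fi/oauth2callback", "button-1");
        String state = url.substring(url.indexOf("&state=") + 7);
        System.out.println(reg.resolve(state)); // first callback carrying the issued state
        System.out.println(reg.resolve(state)); // same state presented a second time
        System.out.println(reg.resolve("123")); // state that was never issued
    }
}
```

In an application the registry would live in the user's session and pending entries would expire, so a state issued to one user cannot complete another user's flow.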

mstahv commented 10 years ago

There is still practically only one per provider; a quick fix might be to derive it from the currently used provider?

bdunn44 commented 8 years ago

This has been fixed with pull request #11.