13

I'm implementing a Google+ Sign-In for our web service, and stumbled on "Authorized JavaScript Origins". Our clients have web addresses either as a sub-domain of our main domain, or as a custom domain name. Since the login page is under that sub-domain (or custom domain), and in order to make the Google+ Sign-In button work, that custom domain/sub-domain should be (manually) entered in the "Authorized JavaScript Origins" list (with both http and https).

Does anybody know a way to do that automatically (through some API maybe)? If not, then how do you do it?

abraham
Ivaylo
    Vote for the issue to be resolved by adding an API or wildcard support here: https://code.google.com/p/googleappengine/issues/detail?id=11796 – Derek Perkins Mar 17 '15 at 21:06
    Quick question on top of this: Is there a maximum amount of "Authorized JavaScript Origins" you can enter? – bbird40 Jun 27 '17 at 17:05

3 Answers

13

Not sure if there is an API for this. At first glance I don't see one. The alternative (aside from manually adding domains all the time) is to use a hidden iframe on each site - this iframe would come from your domain and would be the only thing that calls google services. The main sites would communicate with the iframe (postMessage) to tell it what to send google. This of course, opens up a security risk (anybody could load your iframe into their page and do bad things on your behalf) so you'll want to make sure that the iframe code refuses to do anything unless it's running within a page on a known-good domain.

Robert Levy
    Thanks Robert. After several iterations, that's the only vital solution I can see - I'm using an iframe with the Google+ Sign-In button in it, and upon Google authentication, it stores a security token on the server, then issues postMessage to the parent login page, which at that point checks for availability of the same security token and, if it finds it, logs the user in. Security checks are also in place. So far looks good. – Ivaylo Jun 13 '14 at 21:22
  • This is actually the approach recommended by google https://developers.google.com/identity/gsi/web/amp/intermediate-iframe – squirtgun Aug 10 '22 at 15:14
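The origin checks that the hidden-iframe approach depends on, as an added example (not code from the answer or from Google): the iframe acts only on messages whose `event.origin` is on an allowlist of known-good parent pages and replies only to that verified origin, and the parent page accepts replies only from the iframe's own origin. The hostnames and the names `ALLOWED_PARENT_ORIGINS`, `AUTH_FRAME_ORIGIN`, `isAllowedOrigin`, `handleParentMessage`, `isReplyFromAuthFrame` and the frame path are assumptions; the decision logic is kept in plain functions so it runs without a browser, and the browser wiring at the bottom only executes when a `window` exists.

```javascript
// Added example, not code from the answer above. Constructed hostnames.

// Constructed allowlist of pages permitted to drive the iframe: full origins
// (scheme + host [+ port]), one per customer domain or subdomain.
const ALLOWED_PARENT_ORIGINS = new Set([
  'https://app.example.com',
  'https://customer1.example.com',
  'https://www.customer-domain.example',
]);

// Origin the iframe itself is served from, i.e. the single origin registered
// under "Authorized JavaScript Origins". Constructed value.
const AUTH_FRAME_ORIGIN = 'https://auth.example.com';

// Exact match only. Substring or regex matching would let
// "https://app.example.com.evil.test" or a plain-http origin through.
function isAllowedOrigin(origin, allowlist = ALLOWED_PARENT_ORIGINS) {
  return typeof origin === 'string' && allowlist.has(origin);
}

// The only requests the iframe agrees to act on.
const KNOWN_ACTIONS = new Set(['start-signin', 'get-status']);

// Iframe side: decide what to do with one incoming message. Returns a plain
// result object so the decision can be tested without a browser.
function handleParentMessage(event, allowlist = ALLOWED_PARENT_ORIGINS) {
  if (!isAllowedOrigin(event.origin, allowlist)) {
    return { ok: false, reason: 'untrusted-origin' };
  }
  const data = event.data;
  if (!data || typeof data !== 'object' || !KNOWN_ACTIONS.has(data.action)) {
    return { ok: false, reason: 'unknown-action' };
  }
  // The reply is addressed to the verified origin, never to '*'.
  return { ok: true, action: data.action, replyTo: event.origin };
}

// Parent side: accept replies only from the auth iframe's origin and only
// from the frame this page created (event.source check).
function isReplyFromAuthFrame(event, frameWindow) {
  return event.origin === AUTH_FRAME_ORIGIN && event.source === frameWindow;
}

// Browser wiring; skipped when there is no window (e.g. under Node).
if (typeof window !== 'undefined') {
  if (window.location.origin === AUTH_FRAME_ORIGIN) {
    // Running as the iframe.
    window.addEventListener('message', (event) => {
      const result = handleParentMessage(event);
      if (!result.ok) return; // drop silently; do not tell the sender why
      // ... call the Google sign-in API here, then report back:
      event.source.postMessage({ action: result.action, status: 'done' }, result.replyTo);
    });
  } else {
    // Running as a customer page: create the frame and talk to it.
    const frame = document.createElement('iframe');
    frame.src = AUTH_FRAME_ORIGIN + '/signin-frame.html'; // assumed path
    frame.style.display = 'none';
    document.body.appendChild(frame);
    window.addEventListener('message', (event) => {
      if (!isReplyFromAuthFrame(event, frame.contentWindow)) return;
      console.log('auth frame replied:', event.data);
    });
    frame.addEventListener('load', () => {
      // Explicit target origin: the message is never delivered elsewhere.
      frame.contentWindow.postMessage({ action: 'get-status' }, AUTH_FRAME_ORIGIN);
    });
  }
}
```

The two checks are deliberately asymmetric: the iframe compares against a list of many parent origins, the parent against exactly one frame origin plus the `event.source` identity, so neither side can be driven by a page that merely embeds or opens the other.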
7

You can also have a common URL which all subdomains point to when trying to log in with Google. Then have this URL redirect to your actual Google login path. Beats having to deal with an iframe this way.

Swaathi Kakarla
    Can you please explain this? – Sachin HR Aug 28 '18 at 09:27
  • I'm using this method. oauth.example.com is the JavaScript Origin and oauth.example.com/redirect/google is the callback URL. The custom subdomains such as foo.example.com send the user to e.g. oauth.example.com?d=foo to kick off the oauth flow, and upon redirect they send the user back to foo.example.com. – Charlie Schliesser May 26 '23 at 14:27
5

Finally I made it work, however there may be some fixes to apply.

So a server hosts many domains and subdomains (children), all of which need Google sign-in, and there is a main domain (parent).

I implemented a general login page on the parent, which the children open via window.open() as a popup. As the client is in a popup, it is very likely that auth2 cannot open another popup, so the parent does the Google auth with the {ux_mode: 'redirect'} parameter in gapi.auth2.SignInOptions.

The process continues to your callback page, which you provided as another gapi.auth2.SignInOptions parameter, redirect_uri, and which is on the parent.

On this page Google may have provided you the golden id_token, which you must authenticate on your server. And this was the main twist: you should use this information to create a token on your server, which the parent asked the server to create, but send it to the child on the client side (for example via a query parameter) for later use.

I will happily take any advice about security leaks or any comment which may ease the process just a little.

Rafe