
I have an App Engine/GWT application and have implemented OAuth. It works, but I now do a redirect in the OAuth callback. This redirect does not give a smooth user experience, since the application reloads after login.

This is my callback code:

public void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    String oauth_provider = req.getParameter("oauth_provider");
    String oauth_token = req.getParameter("oauth_token");
    String oauth_verifier = req.getParameter("oauth_verifier");
    String redirect = "http://www.example.com";
    OAuthProvider oAuthProvider = OAuthProvider.valueOf(oauth_provider);
    String providerUserId = createUser(oAuthProvider, oauth_verifier, oauth_token); // which creates the user in my application if not yet existing
    redirect = redirect.concat("?oauth_provider=" + oAuthProvider.name() + "&user=" + providerUserId);
    resp.sendRedirect(redirect);
}

The client will then use the URL parameters to get my application user object.

Is there a better way to get back to the client, without a redirect?

peternees
  • Yes, there's a way. From client JavaScript, Google now has in their library a new popup mode that does not redirect. Instead it launches a popup window and the parent grabs the refresh token from a URL fragment. Much smoother, but only newer browsers support that popup mode. I'd make it an answer but don't have the time to add the links to the docs from mobile :) – Zig Mandel Apr 07 '15 at 04:01
  • I would be grateful if you can provide the links when you are online.. :-) – peternees Apr 08 '15 at 20:27
  • Sorry, I can't find it, but start here and research the new "popup" mode. This shows auth in a popup instead of a new window, which makes it easier to capture the token from the fragment in the redirected URL: https://developers.google.com/identity/protocols/OAuth2UserAgent . I think the official docs for the Google+ sign-in button might explain the popup thing better – Zig Mandel Apr 08 '15 at 22:38
  • Indeed; I should implement OAuth on the client to have a better user experience. Here is more documentation: http://stackoverflow.com/questions/3966856/how-do-i-use-oauth-within-my-gwt-application and http://raibledesigns.com/rd/entry/implementing_oauth_with_gwt. However, it seems pretty complicated, and I cannot use Scribe for it. – peternees Apr 10 '15 at 20:05
  • Can't you skip GWT and do it directly with the JavaScript libraries? – Zig Mandel Apr 10 '15 at 20:32
  • I managed to do it server side: see my answer below. – peternees Apr 11 '15 at 09:55

1 Answer


Small improvement: I found out that I can use sessions in App Engine. This way, I can do the redirect without needing to pass URL parameters. This gives a smoother user experience. But it remains a redirect, and I wish I could catch that.

in appengine-web-app.xml, set

<sessions-enabled>true</sessions-enabled>

callback:

public class OAuthCallback extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String oauth_provider = req.getParameter("oauth_provider");
        String oauth_token = req.getParameter("oauth_token");
        String oauth_verifier = req.getParameter("oauth_verifier");
        OAuthProvider oAuthProvider = OAuthProvider.valueOf(oauth_provider);
        String providerUserId = createUser(oAuthProvider, oauth_verifier, oauth_token); // which creates the user in my application if not yet existing
        req.getSession().setAttribute("oauth_user", new MyUser(oAuthProvider, providerUserId));
        resp.sendRedirect("http://www.example.com");
    }
}

The redirect will then use the session attribute to identify the user:

User oauthUser = (MyUser) session.getAttribute("oauth_user");
peternees
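
An added example, not part of the answer above or the poster's code: the same session-based callback with two checks a login callback wants, rejecting a missing or unknown `oauth_provider` (where `OAuthProvider.valueOf` would throw) and replacing any pre-login session before the user is stored in it. The class name, the enum values and the `MyUser` fields are assumptions; `createUser` stands for the poster's helper, which the page does not show, so a concrete subclass has to supply it.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical class name; OAuthProvider, MyUser and createUser mirror the
// poster's names but their contents here are assumptions.
public abstract class HardenedOAuthCallback extends HttpServlet {

    enum OAuthProvider { GOOGLE, TWITTER } // assumed values, the page lists none

    // App Engine persists session attributes, so they must be Serializable.
    static final class MyUser implements Serializable {
        final OAuthProvider provider;
        final String providerUserId;
        MyUser(OAuthProvider provider, String providerUserId) {
            this.provider = provider;
            this.providerUserId = providerUserId;
        }
    }

    /** The poster's helper: completes the OAuth exchange, returns the provider's user id. */
    protected abstract String createUser(OAuthProvider provider, String verifier, String token)
            throws IOException;

    // Map the request parameter to a known provider; null for anything else.
    static OAuthProvider parseProvider(String raw) {
        if (raw == null) return null;
        try {
            return OAuthProvider.valueOf(raw);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String token = req.getParameter("oauth_token");
        String verifier = req.getParameter("oauth_verifier");
        OAuthProvider provider = parseProvider(req.getParameter("oauth_provider"));
        if (provider == null || token == null || verifier == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid OAuth callback");
            return;
        }
        String providerUserId = createUser(provider, verifier, token);
        // Discard any session that existed before login so the authenticated
        // session gets a fresh id (session fixation defence).
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        req.getSession(true).setAttribute("oauth_user", new MyUser(provider, providerUserId));
        resp.sendRedirect("http://www.example.com"); // fixed target, no user id in the URL
    }
}
```

Because the user object is set only after `createUser` succeeds and never travels in the query string, the page that follows the redirect can rely on the `oauth_user` session attribute instead of values the browser could alter.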