Skip to content
Ruby code implementing the Google Authentication for Web Applications API (AuthSub)
Find file
New pull request
Pull request Compare This branch is even with stuart:master.
Fetching latest commit...
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
live test



NOTE: This is still in very alpha stages of development. 
It passes all the mocked specs but has no live testing specs yet. 


The GoogleAuthSub class handles interaction with Google via the 
Account Authentication API (AuthSub). This is for web applications to get data from 
Google with the user signing in.

For details on the Account Authentication API refer to:

The Google Group can provide some help also:

The OAuth protocol has taken over much of the role of Authsub. 
Oauth does not provide access to non registered apps as Authsub does.

    For testing you will need the rspec and fake_web gems
To use:

Non-signed access, single request.
    1. Create your GoogleAuthSub object.
            auth = => "", 
                    :scope_url => "")
    2. Redirect the user to the Google sign in page. request_url gives us the correct url to go to.
            In rails: 
                redirect_to auth.request_url

    3. Once the user has successfully logged in they will then be redirected back to the url specified
        as the :next_url in step 1. In the handler for this the token needs to be extracted.
        To do this call: 
        or in rails just do: 
    4. Now everything should be set to make a single request with:
        auth.get(url),, auth.put(url) or auth.delete(url)
       The url will automagically have the :scope_url prepended to it if not included. 
       These calls return a Net::HTTPResponse object
     Once a request has been made the token will no longer be valid and you will have to start from step 2 in 
     order to make another request.
Non-signed access with session token.
    1. Create your GoogleAuthSub object with :session => true.
         auth = => "", 
            :scope_url => "", 
            :session => true)
    2,3 as per previous example
    4. Exchange the single use token for a session token.
        NOTE: this has changed from the previous version, which was confusingly named session_token.
    5. Make requests with auth.get and auth.put.
Secure access with session token.
    0. Call GoogleAuthSub.set_private_key(key)
        key can be a certificate file, string or OpenSSL::Pkey::RSA object.
        This should be the key that the site has registered with Goggle.
        For details on the registration process see:
    1. Create your GoogleAuthSub object with :session => true.
        auth = => "", 
            :scope_url => "", 
            :session => true, :secure=>true)
    2,3,4,5 as per previous examples
    The private key is stored as a class variable so there is one instance per app.

Tokens can be revoked with:

Token information can be received from Google with:
    This returns a hash with the keys: :target, :scope and :secure
    Live tests. Currently getting errors with encrypted tokens.
    Storage of session tokens: ActiveRecord
    Encryption of tokens.
    Session token revocation
    Rails plugin
Contact the author via

Copyright (c) 2008-2009 Stuart Coyle, released under the MIT license
Something went wrong with that request. Please try again.