Skip to content
Switch branches/tags
Go to file


Failed to load latest commit information.


The OAuthorizer addon provides a way for chrome code to use OAuth without needing any knowledge of the details of the OAuth protocol. The only knowledge required is the OAuth keys and endpoints for initiating the OAuth authorization process.

OAuthorizer provides the following functionality:

  • Discoverability via XRD if the OAuth provider supports it
  • Standard OAuth dialog that wraps the providers authentication and authorization pages
  • Chrome code can specify any OAuth provider, or use a set of built-in providers
  • Chrome code must provide any OAuth keys necessary for the provider
  • A generic mechanism to call any arbitrary OAuth wrapped api call
  • OAuth 1 and 2 are supported
  • built-in oauth endpoints for Yahoo, Google, Facebook, LinkedIn, Plaxo and Twitter


  • Hide tokens from code using OAuthorizer
  • Move stored tokens into a secure store (current stored in prefs)
  • Make callback uri's unecessary for general use (ie. provide default)
  • Make some api's available from web content
  • Flesh out discovery code
  • Consider whether any providers should be built-in, or if the list should be expanded
  • code cleanup, documentation, reviews

Example use

Initiating authorization


let provider = 'google'; // just a key name for storing/retrieving data
let [key, secret, params, completionURI] = [
    'xoauth_displayname': "Mozilla Authorizer",
    'scope': '' 
let svc = null;

function authorizationCallback(svcObj) {
    dump("*********FINISHED**********\naccess token: "+
         svc.token+"\n  secret: "+svc.tokenSecret+"\n");
    svc = svcObj;
let handler = OAuthConsumer.authorize(provider, key, secret, completionURI, authorizationCallback, params);

Making an api call

let message = {
    action: '',
    method: "GET",
    parameters: {'v':'2', "max-results":"2000"}

// req is an XMLHttpRequest object
// a more complete example is at
oauthCallback(req) {"Google Contacts API: " + req.status+" "+req.statusText);
    // you may need to handle a 401
    if (req.status == 401) {
        var headers = req.getAllResponseHeaders();
        if (req.statusText.indexOf('Token invalid') >= 0)
            // start over with authorization
            OAuthConsumer.resetAccess(, svc.consumerKey, svc.consumerSecret);
            // have to call OAuthConsumer.authorize
        else if (headers.indexOf("oauth_problem=\"token_expired\"") > 0)
        // some other error we don't handle
    // everything is good, process the response

// svc is retreived from the authorize callback above, message, oauthCallback);

Reset OAuth access

OAuthConsumer.resetAccess(provider, key, secret);

Using an OAuth provider that is not built into OAuthorizer

Adding a non-built-in OAuth provider requires a little more knowledge but not much. You must always do this once before any other calls into OAuthConsumer if you are accessing a non-built-in OAuth provider.

let providerName = 'yahoo';
let secret = "My Consumer Secret";
let key = "My Consumer Key";
let calls = {
      signatureMethod     : "HMAC-SHA1",
      requestTokenURL     : "",
      userAuthorizationURL: "",
      accessTokenURL      : ""
let myprovider = OAuthConsumer.makeProvider(providerName, 'Yahoo!',
                                            key, secret,
                                            completionURI, calls);
// XXX should be handled internally by makeProvider
OAuthConsumer._providers[providerName] = myprovider;

Configuring an OAuth provider via XRD

XXX Discovery is simplistic, probably doesn't work 100%.

OAuthConsumer.discoverProvider(xrdsURI, providerName, displayName,
                               consumerKey, consumerSecret, redirectURL)


Enable easy use of oauth for other addons




No packages published