Table of Contents
- GWTOAuthLoginDemo is a web application written using GWT to demonstrate user Authorization using OAuth protocol used by third party providers (login with Facebook, Google, Twitter etc.). This Application uses Server side flow of OAuth using the Scribe library. The API is extended for some providers e.g. Google 2.0, Instagram, github.
- If you need to add third party login in your GWT application, I would like to think you can use this application as an example. I am releasing the code with the hope that you will find it useful. I am also interested in code review, finding security issues etc. if there are any.
- It also follows best practices on how to authenticate users from a GWT application.
NOTE: I am in the process of moving the project from google code
The app is available at Google App Engine:
- Latest version: https://gwtoauthlogindemo-latest.appspot.com/
- Development version: https://gwtoauthlogindemo-test.appspot.com/
Please download the latest source code (v1.73) from releases.
- More control. All the logic and processing are done in server side.
- OAuth artifacts (e.g. Access Token) can remain in the server side. Note: In this example, I bring them to client side explicitly via RPC to show them to you as an example.
Currently the supported OAuth Providers are:
- Facebook https://developers.facebook.com/
- Google https://console.developers.google.com/
- Twitter https://dev.twitter.com/
- Yahoo! https://developer.yahoo.com/oauth/
- Linkedin https://developer.linkedin.com/
- Instagram http://instagram.com/developer/
- Vimeo https://developer.vimeo.com/
- github https://developer.github.com/
- flickr https://www.flickr.com/services/developer/
- Microsoft Live Connect https://account.live.com/developers/applications/
- tumblr http://www.tumblr.com/developers/
- foursquare https://developer.foursquare.com/
It will be in the wiki section TODO
It will be in the wiki section TODO
In this flow when I use the word provider, it means an OAuth provider e.g. Facebook, Google etc. These are the brief description of the OAuth flow this application uses. Note: the scribe-java library does all the heavy lifting of talking to the OAuth Providers and getting the resources.
- Before using OAuth, you must register your application with the OAuth Provider. When you register the application, you specify the URL of your application (It is called Site URL, Callback URL, Redirect URL etc.). And the provider will give you Application ID and Application Secret. As the name indicates, the Application Secret should be kept secret.
- When the Login button for a provider is clicked, an GWT RPC call is made to the OAuthLoginService to get the Authorization URL for the provider.
- if the Authorization URL is received, the application redirects itself to the Authorization URL of the provider.
- The Provider verifies the Application ID and goes through the process of authenticating the user. In this step, you will see the provider will ask you to give permission to the application. If the user is authenticated, the provider redirects the application to the registered URL of the app. Note: this application does not ask access to any specific private resource, e.g. email. But it certainly can be asked if needed. In that case the provider will ask you to give access to the resource.
- The application intercepts the redirection and uses the parameters in the URL to make a GWT RPC call to the OAuthLoginService to verify the user. The OAuthLoginService talks to the provider to obtain something called *Access Token*. If the *Access Token* is received, the service uses the Access Token to access a protected URL of the user (for example, the public profile information). If the information is received, the user is authenticated. Note: in this step many other things happen, for example the service will verify the state (nonce) to protect against CSRF attack if the provider supports it. You have to look at the OAuthLoginService code for gory details.
When the Login link is clicked and if you are already logged in with an OAuth Provider (e.g. Facebook, Twitter etc.) you will not see the usual screens from the provider. Because the provider will provide the Access Token to our server and you will be verified with that information in the background, provided the Access Token has not expired yet.
When the Logout link is clicked, you will be logged out of this specific application, meaning the session of the application will be invalidated and the cookies will be removed. But you will still be logged in to the OAuth Provider. As OAuth is an authorization protocol (you get an Access Token to access certain protected resources), there is no way to Logout in a traditional sense. You will notice, if you Logout and Login again, your provider will give you the same Access Token if it has not expired yet.
The application includes all the jar files necessary in war/WEB-INF/lib directory. Here are the few ones that should be mentioned specifically.
|scribe-1.3.6||OAuth in Server Side|
|argo-3.2.jar||Pretty printing JSON|
|gwt-log-3.3.0.jar||Client side logging in debug mode|
Copyright (C) 2013-2014 Muhammad Muquit (http://www.muquit.com/) o Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. o Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. o Neither the name of the author MUHAMMAD MUQUIT (http://www.muquit.com/) nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.