Demonstrates how to use OAuth protocol from a GWT application
Java Ruby CSS Shell
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
doc
log4j
private
scripts
src
war
.classpath
.gitignore
.project
COPYRIGHT.txt
ChangeLog.mediawiki
README.mediawiki
README.txt
build.xml
git_push.sh
killgwtdevmode.rb

README.mediawiki

Table of Contents

What is it?

  • GWTOAuthLoginDemo is a web application written using GWT to demonstrate user Authorization using OAuth protocol used by third party providers (login with Facebook, Google, Twitter etc.). This Application uses Server side flow of OAuth using the Scribe library. The API is extended for some providers e.g. Google 2.0, Instagram, github.
  • If you need to add third party login in your GWT application, I would like to think you can use this application as an example. I am releasing the code with the hope that you will find it useful. I am also interested in code review, finding security issues etc. if there are any.
  • It also follows best practices on how to authenticate users from a GWT application.
If you have any question, request or suggestion, please enter it in the Issues with appropriate label.

NOTE: I am in the process of moving the project from google code

Demo

The app is available at Google App Engine:

Source

Please download the latest source code (v1.73) from releases.

Updated: Jul-13-2014

Screenshot

Image:https://raw.githubusercontent.com/wiki/muquit/gwtoauthlogindemo/images/login_screen.png

Why Prefer Server Side flow of OAuth?

  • More control. All the logic and processing are done in server side.
  • Secure. The request can be signed with your App Secret. No JavaScript, no popup window, no logic in client side.
  • OAuth artifacts (e.g. Access Token) can remain in the server side. Note: In this example, I bring them to client side explicitly via RPC to show them to you as an example.

Supported OAuth Providers

Currently the supported OAuth Providers are:

This application uses scribe-java in Server Side. The library is very easy to use and extend. Please look at server/OAuth/ directory for extended code for various providers.

Eclipse Setup

It will be in the wiki section TODO

How to run in your own machine

It will be in the wiki section TODO

Application Flow

In this flow when I use the word provider, it means an OAuth provider e.g. Facebook, Google etc. These are the brief description of the OAuth flow this application uses. Note: the scribe-java library does all the heavy lifting of talking to the OAuth Providers and getting the resources.

  • Before using OAuth, you must register your application with the OAuth Provider. When you register the application, you specify the URL of your application (It is called Site URL, Callback URL, Redirect URL etc.). And the provider will give you Application ID and Application Secret. As the name indicates, the Application Secret should be kept secret.
  • When the Login button for a provider is clicked, an GWT RPC call is made to the OAuthLoginService to get the Authorization URL for the provider.
  • if the Authorization URL is received, the application redirects itself to the Authorization URL of the provider.
  • The Provider verifies the Application ID and goes through the process of authenticating the user. In this step, you will see the provider will ask you to give permission to the application. If the user is authenticated, the provider redirects the application to the registered URL of the app. Note: this application does not ask access to any specific private resource, e.g. email. But it certainly can be asked if needed. In that case the provider will ask you to give access to the resource.
  • The application intercepts the redirection and uses the parameters in the URL to make a GWT RPC call to the OAuthLoginService to verify the user. The OAuthLoginService talks to the provider to obtain something called *Access Token*. If the *Access Token* is received, the service uses the Access Token to access a protected URL of the user (for example, the public profile information). If the information is received, the user is authenticated. Note: in this step many other things happen, for example the service will verify the state (nonce) to protect against CSRF attack if the provider supports it. You have to look at the OAuthLoginService code for gory details.

Login

When the Login link is clicked and if you are already logged in with an OAuth Provider (e.g. Facebook, Twitter etc.) you will not see the usual screens from the provider. Because the provider will provide the Access Token to our server and you will be verified with that information in the background, provided the Access Token has not expired yet.

Logout

When the Logout link is clicked, you will be logged out of this specific application, meaning the session of the application will be invalidated and the cookies will be removed. But you will still be logged in to the OAuth Provider. As OAuth is an authorization protocol (you get an Access Token to access certain protected resources), there is no way to Logout in a traditional sense. You will notice, if you Logout and Login again, your provider will give you the same Access Token if it has not expired yet.

External libraries used

The application includes all the jar files necessary in war/WEB-INF/lib directory. Here are the few ones that should be mentioned specifically.

Name Description
scribe-1.3.6 OAuth in Server Side
json-simple-1.1.1.jar Parsing JSON
argo-3.2.jar Pretty printing JSON
gwt-log-3.3.0.jar Client side logging in debug mode

License

Copyright (C) 2013-2014  Muhammad Muquit (http://www.muquit.com/)

 o Redistributions of source code must retain the above copyright notice, 
this list of conditions and the following disclaimer.

 o Redistributions in binary form must reproduce the above copyright notice, 
this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution.

 o Neither the name of the author MUHAMMAD MUQUIT (http://www.muquit.com/)
nor the names of its contributors may be used to endorse or promote 
products derived from this software without specific prior written 
permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGE.