<!DOCTYPE html><!-- This page is a placeholder for generated extensions api doc. Note:
1) The <head> information in this page is significant, should be uniform
across api docs and should be edited only with knowledge of the
templating mechanism.
3) All <body>.innerHTML is genereated as an rendering step. If viewed in a
browser, it will be re-generated from the template, json schema and
authored overview content.
4) The <body>.innerHTML is also generated by an offline step so that this
page may easily be indexed by search engines.
--><html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link href="css/ApiRefStyles.css" rel="stylesheet" type="text/css">
<link href="css/print.css" rel="stylesheet" type="text/css" media="print">
<script type="text/javascript" src="../../../third_party/jstemplate/jstemplate_compiled.js">
</script>
<script type="text/javascript" src="js/api_page_generator.js"></script>
<script type="text/javascript" src="js/bootstrap.js"></script>
<script type="text/javascript" src="js/sidebar.js"></script>
<title>Tutorial: OAuth - Google Chrome Extensions - Google Code</title></head>
<body> <div id="gc-container" class="labs">
<div id="codesiteContent" class="">
<a id="gc-topnav-anchor"></a>
<div id="gc-topnav">
<h1>Google Chrome Extensions (<a href="http://code.google.com/labs/">Labs</a>)</h1>
</div> <!-- end gc-topnav -->
<div class="g-section g-tpl-170">
<div class="g-unit" id="gc-pagecontent">
<div id="pageTitle">
<h1 class="page_title">Tutorial: OAuth</h1>
</div>
<!-- TABLE OF CONTENTS -->
<div id="toc">
<h2>Contents</h2>
<ol>
<li>
<a href="#requirements">Requirements</a>
</li><li>
<a href="#getting-started">Getting started</a>
</li><li>
<a href="#oauth-dance">The OAuth dance in an extension</a>
<ol>
<li>
<a href="#set-code">Setup code</a>
</li><li>
<a href="#request-token">Fetching and authorizing a request token</a>
</li><li>
<a href="#signed-requests">Sending signed API requests</a>
</li>
</ol>
</li><li>
<a href="#sample-code">Sample code</a>
</li>
</ol>
</div>
<!-- /TABLE OF CONTENTS -->
<!-- STATIC CONTENT PLACEHOLDER -->
<div id="static"><div id="pageData-name" class="pageData">Tutorial: OAuth</div>
<div id="pageData-showTOC" class="pageData">true</div>
<p>
<a href="http://oauth.net/">OAuth</a> is an open protocol that aims to standardize the way desktop and web applications access a user's private data. OAuth provides a mechanism for users to grant access to private data without sharing their private credentials (username/password). Many sites have started enabling APIs to use OAuth because of its security and standard set of libraries.
</p>
<p>
This tutorial will walk you through the necessary steps for creating a Google Chrome Extension that uses OAuth to access an API. It leverages a library that you can reuse in your extensions.
</p>
<p>
This tutorial uses the <a href="http://code.google.com/apis/documents/">Google Documents List Data API</a> as an example OAuth-enabled API endpoint.
</p>
<h2 id="requirements">Requirements</h2>
<p>
This tutorial expects that you have some experience writing extensions for Google Chrome and some familiarity with the <a href="http://code.google.com/apis/accounts/docs/OAuth.html">3-legged OAuth</a> flow. Although you don’t need a background in the <a href="http://code.google.com/apis/documents/">Google Documents List Data API</a> (or the other <a href="http://code.google.com/apis/gdata/">Google Data APIs</a> for that matter), having an understanding of the protocol may be helpful.
</p>
<h2 id="getting-started">Getting started</h2>
<p>
First, copy over the three library files from the Chromium source tree at <a href="http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/docs/examples/extensions/oauth_contacts/">.../examples/extensions/oauth_contacts/</a>:
</p>
<ul>
<li><strong><a href="http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/docs/examples/extensions/oauth_contacts/chrome_ex_oauth.html?revision=34725&content-type=text/plain">chrome_ex_oauth.html</a></strong> - interstitial page for the oauth_callback URL</li>
<li><strong><a href="http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/docs/examples/extensions/oauth_contacts/chrome_ex_oauth.js?content-type=text/plain">chrome_ex_oauth.js</a></strong> - core OAuth library</li>
<li><strong><a href="http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/docs/examples/extensions/oauth_contacts/chrome_ex_oauthsimple.js?content-type=text/plain">chrome_ex_oauthsimple.js</a></strong> - helpful wrapper for chrome_ex_oauth.js</li>
</ul>
<p>Place the three library files in the root of your extension directory (or wherever your JavaScript is stored). Then include both .js files in your background page in the following order:</p>
<pre>&lt;script type="text/javascript" src="chrome_ex_oauthsimple.js"&gt;&lt;/script&gt;
&lt;script type="text/javascript" src="chrome_ex_oauth.js"&gt;&lt;/script&gt;
</pre>
<p>Your background page will manage the OAuth flow.</p>
<h2 id="oauth-dance">The OAuth dance in an extension</h2>
<p>
If you are familiar with the OAuth protocol, you'll recall that the OAuth dance consists of three steps:
</p>
<ol>
<li>fetching an initial request token</li>
<li>having the user authorize the request token</li>
<li>fetching an access token</li>
</ol>
<p>In the context of an extension, this flow gets a bit tricky. Namely, there is no established consumer key/secret between the service provider and the application. That is, there is no web application URL for the user to be redirected to after the approval process.
</p>
<p>
Luckily, Google and a few other companies have been working on an <a href="http://code.google.com/apis/accounts/docs/OAuthForInstalledApps.html">OAuth for installed applications</a> solution that you can use from an extension environment. In the installed applications OAuth dance, the consumer key/secret are ‘anonymous’/‘anonymous’ and you provide an <em>application name</em> for the user to grant access to (instead of an application URL). The end result is the same: your background page requests the initial token, opens a new tab to the approval page, and finally makes the asynchronous call for the access token.
</p>
<h3 id="set-code">Setup code</h3>
<p>To initialize the library, create a <code>ChromeExOAuth</code> object in the background page:</p>
<pre>var oauth = ChromeExOAuth.initBackgroundPage({
  'request_url': &lt;OAuth request URL&gt;,
  'authorize_url': &lt;OAuth authorize URL&gt;,
  'access_url': &lt;OAuth access token URL&gt;,
  'consumer_key': &lt;OAuth consumer key&gt;,
  'consumer_secret': &lt;OAuth consumer secret&gt;,
  'scope': &lt;scope of data access, not used by all OAuth providers&gt;,
  'app_name': &lt;application name, not used by all OAuth providers&gt;
});
</pre>
<p>In the case of the Documents List API and Google’s OAuth endpoints, a possible initialization may be:</p>
<pre>var oauth = ChromeExOAuth.initBackgroundPage({
  'request_url': 'https://www.google.com/accounts/OAuthGetRequestToken',
  'authorize_url': 'https://www.google.com/accounts/OAuthAuthorizeToken',
  'access_url': 'https://www.google.com/accounts/OAuthGetAccessToken',
  'consumer_key': 'anonymous',
  'consumer_secret': 'anonymous',
  'scope': 'https://docs.google.com/feeds/',
  'app_name': 'My Google Docs Extension'
});
</pre>
<h3 id="request-token">Fetching and authorizing a request token</h3>
<p>
Once you have your background page set up, call the <code>authorize()</code> function to begin the OAuth dance and redirect the user to the OAuth provider. The client library abstracts most of this process, so all you need to do is pass a callback to the <code>authorize()</code> function, and a new tab will open and redirect the user.
</p>
<pre>oauth.authorize(function() {
  // ... Ready to fetch private data ...
});
</pre>
<p>
You don't need to provide any additional logic for storing the token and secret, as this library already stores these values in the browser’s <code>localStorage</code>. If the library already has an access token stored for the current scope, then no tab will be opened. In either case, the callback will be called.
</p>
<h3 id="signed-requests">Sending signed API requests</h3>
<p>
Once your specified callback is executed, call the <code>sendSignedRequest()</code> function to send signed requests to your API endpoint(s). <code>sendSignedRequest()</code> takes three arguments: a URI, a callback function, and an optional parameter object. The callback is passed two arguments: the response text and the <code>XMLHttpRequest</code> object that was used to make the request.
</p>
<p>This example sends an HTTP <code>GET</code>:</p>
<pre>function callback(resp, xhr) {
  // ... Process text response ...
};

function onAuthorized() {
  var url = 'https://docs.google.com/feeds/default/private/full';
  var request = {
    'method': 'GET',
    'parameters': {'alt': 'json'}
  };

  // Send: GET https://docs.google.com/feeds/default/private/full?alt=json
  oauth.sendSignedRequest(url, callback, request);
};

oauth.authorize(onAuthorized);
</pre>
<p>A more complex example using an HTTP <code>POST</code> might look like this:</p>
<pre>function onAuthorized() {
  var url = 'https://docs.google.com/feeds/default/private/full';
  var request = {
    'method': 'POST',
    'headers': {
      'GData-Version': '3.0',
      'Content-Type': 'application/atom+xml'
    },
    'parameters': {
      'alt': 'json'
    },
    'body': 'Data to send'
  };

  // Send: POST https://docs.google.com/feeds/default/private/full?alt=json
  oauth.sendSignedRequest(url, callback, request);
};
</pre>
<p>
By default, the <code>sendSignedRequest()</code> function sends the <code>oauth_*</code> parameters in the URL (by calling <code>oauth.signURL()</code>). If you prefer to send the <code>oauth_*</code> parameters in the <code>Authorization</code> header (or need direct access to the generated header), use <code>getAuthorizationHeader()</code>. Its arguments are a URI, an HTTP method, and an optional object of URL query parameters as key/value pairs.
</p>
<p>Here is the example above using <code>getAuthorizationHeader()</code> and an <code>XMLHttpRequest</code> object:</p>
<pre>function stringify(parameters) {
  var params = [];
  for (var p in parameters) {
    params.push(encodeURIComponent(p) + '=' +
                encodeURIComponent(parameters[p]));
  }
  return params.join('&amp;');
};

function onAuthorized() {
  var method = 'POST';
  var url = 'https://docs.google.com/feeds/default/private/full';
  var params = {'alt': 'json'};

  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function() {
    // Invoke the callback once, when the response is complete, with the
    // same (response text, xhr) arguments that sendSignedRequest() passes.
    if (xhr.readyState == 4) {
      callback(xhr.responseText, xhr);
    }
  };
  // open() must be called before setRequestHeader().
  xhr.open(method, url + '?' + stringify(params), true);
  xhr.setRequestHeader('GData-Version', '3.0');
  xhr.setRequestHeader('Content-Type', 'application/atom+xml');
  xhr.setRequestHeader('Authorization', oauth.getAuthorizationHeader(url, method, params));
  xhr.send('Data to send');
};
</pre>
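<p>The following is an added example, not part of the original tutorial and not code from <code>chrome_ex_oauth.js</code>. It shows for Node.js how an OAuth 1.0 signature and <code>Authorization</code> header are built for the POST request above, assuming the HMAC-SHA1 signature method of RFC 5849; with the ‘anonymous’ consumer secret, the token secret is the only secret input to the signing key. All function names, the token, the token secret, the nonce and the timestamp are constructed for illustration.</p>

```javascript
// Added example: OAuth 1.0 HMAC-SHA1 signing per RFC 5849, for Node.js.
// Not chrome_ex_oauth.js code; every function name here is hypothetical.
const nodeCrypto = require('node:crypto');

// RFC 5849 section 3.6: percent-encode all but the unreserved characters.
function pct(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g,
      c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Signature base string: METHOD & encoded URL & encoded sorted parameters.
function baseString(method, url, params) {
  const pairs = Object.keys(params).map(k => [pct(k), pct(params[k])]);
  pairs.sort((a, b) => (a[0] > b[0]) - (a[0] < b[0]) ||
                       (a[1] > b[1]) - (a[1] < b[1]));
  const normalized = pairs.map(p => p.join('=')).join('&');
  return [method.toUpperCase(), pct(url), pct(normalized)].join('&');
}

// The HMAC key is "consumer_secret&token_secret". With the installed-app
// consumer secret 'anonymous', the token secret is the only real secret.
function sign(method, url, params, cfg) {
  const key = pct(cfg.consumerSecret) + '&' + pct(cfg.tokenSecret);
  return nodeCrypto.createHmac('sha1', key)
      .update(baseString(method, url, params)).digest('base64');
}

// oauth_* protocol parameters; nonce and timestamp are passed in so the
// result is reproducible (a real client generates fresh ones per request).
function oauthParams(cfg, nonce, timestamp) {
  return {
    oauth_consumer_key: cfg.consumerKey,
    oauth_nonce: nonce,
    oauth_signature_method: 'HMAC-SHA1',
    oauth_timestamp: String(timestamp),
    oauth_token: cfg.token,
    oauth_version: '1.0'
  };
}

// Header form: query parameters are signed but only oauth_* are emitted.
function authorizationHeader(method, url, query, cfg, nonce, timestamp) {
  const oauth = oauthParams(cfg, nonce, timestamp);
  oauth.oauth_signature =
      sign(method, url, Object.assign({}, query, oauth), cfg);
  return 'OAuth ' + Object.keys(oauth).sort()
      .map(k => pct(k) + '="' + pct(oauth[k]) + '"').join(', ');
}

// Provider-side check: recompute the signature, compare in constant time.
function verify(method, url, params, signature, cfg) {
  const expected = Buffer.from(sign(method, url, params, cfg));
  const got = Buffer.from(String(signature));
  return expected.length === got.length &&
      nodeCrypto.timingSafeEqual(expected, got);
}

// Constructed sample values (not real credentials).
const CFG = {consumerKey: 'anonymous', consumerSecret: 'anonymous',
             token: 'sample-token', tokenSecret: 'sample-token-secret'};
const URL_FULL = 'https://docs.google.com/feeds/default/private/full';
const SIGNED =
    Object.assign({alt: 'json'}, oauthParams(CFG, 'n0nce', 1300000000));
const HEADER = authorizationHeader(
    'POST', URL_FULL, {alt: 'json'}, CFG, 'n0nce', 1300000000);
console.log(baseString('POST', URL_FULL, SIGNED));
console.log(HEADER);
```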
<h2 id="sample-code">Sample code</h2>
<p>
Sample extensions that use these techniques are available in the Chromium source tree:
</p>
<ul>
<li><a href="http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/docs/examples/extensions/gdocs/">.../examples/extensions/gdocs/</a></li>
<li><a href="http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/docs/examples/extensions/oauth_contacts/">.../examples/extensions/oauth_contacts/</a></li>
</ul>
</div>
</div> <!-- /gc-pagecontent -->
</div> <!-- /g-section -->
</div> <!-- /codesiteContent -->
<div id="gc-footer">
<div class="text">
<p>
Except as otherwise <a href="http://code.google.com/policies.html#restrictions">noted</a>,
the content of this page is licensed under the <a rel="license" href="http://creativecommons.org/licenses/by/3.0/">Creative Commons
Attribution 3.0 License</a>, and code samples are licensed under the
<a rel="license" href="http://code.google.com/google_bsd_license.html">BSD License</a>.
</p>
<p>
©2011 Google
</p>
</div>
</div> <!-- /gc-footer -->
</div> <!-- /gc-container -->
</body></html>