Pedro

Reputation: 1124

Some guidelines on integrating Google's OAuth with my application

This is a very high-level question, and a high-level answer will do too, so I'm just looking for some pointers in the right direction.

Let's say I want to build a web application to manage a user's Google Contacts. I understand this is done by allowing the user to log in with his Google Account while asking for permissions to manage his Google Contacts. So far so good.

Now I want to expose my own API layer for external browser extensions, Android clients, etc. But while I want the API clients to authenticate against Google, I don't want the applications to have full access to the user's Calendar, as the Secret Token is stored on the server.

So, how is this typically handled? I would like to do it by the book as much as possible, without having to implement a lot of security code.

Btw, while the question is too high level, feel free to point me to technical docs.

Thanks

Upvotes: 0

Views: 146

Answers (1)

Claudio Cherubino

Reputation: 15024

Limited access to the user's resources can only be guaranteed by limited OAuth scopes:

https://developers.google.com/gdata/docs/auth/oauth#Scope

Some APIs, for instance the Contacts API, only provide a single scope which gives you access to all the data. In cases like this, the user can only choose between giving you access to all his contacts or none of them.

Other APIs expose different OAuth scopes, allowing the developers to only request access to a subset of the user's data. A good example of this is the Google Drive API, which has 5 different scopes for the developer to choose from:

https://developers.google.com/drive/scopes

Upvotes: 1
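As an added illustration of the answer's point (this is example code, not from the original post or from Google's libraries): the server requests only the narrow scope it needs and then checks the `scope` field of the token response before keeping the token, so a broader grant than requested is never stored server-side. The Drive scope URIs are Google's published values; the client id, redirect URI and token response are constructed sample data.

```python
# Added example, not part of the original post. Server-side helpers that
# (1) build a Google authorization URL asking for exactly the scopes needed and
# (2) verify the scopes Google actually granted before the token is stored.
# Scope URIs are Google's published Drive scopes; other values are constructed.
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
DRIVE_READONLY = "https://www.googleapis.com/auth/drive.readonly"
DRIVE_FULL = "https://www.googleapis.com/auth/drive"


def build_auth_url(client_id: str, redirect_uri: str, scopes: list, state: str) -> str:
    """Authorization request that asks the user for exactly `scopes`."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # OAuth 2.0 scopes are space-separated
        "state": state,             # opaque value bound to the user's session
        "access_type": "offline",   # Google parameter: also return a refresh token
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def check_granted_scopes(token_response: dict, required: set) -> dict:
    """Compare the scopes in Google's token response with what the server needs.

    verdict["ok"] is True only when every required scope was granted and nothing
    beyond it; the caller should discard the token otherwise, so the server never
    holds more access to the user's data than the application was designed for.
    """
    granted = set(token_response.get("scope", "").split())
    missing = required - granted
    extra = granted - required
    return {"ok": not missing and not extra,
            "missing": sorted(missing), "extra": sorted(extra)}


if __name__ == "__main__":
    url = build_auth_url("CLIENT_ID_PLACEHOLDER",
                         "https://example.invalid/oauth/callback",
                         [DRIVE_READONLY], "opaque-state-123")
    print(url)
    # Constructed token response: the grant is wider than the request.
    sample = {"access_token": "ya29.sample", "token_type": "Bearer",
              "scope": f"{DRIVE_READONLY} {DRIVE_FULL}"}
    print(check_granted_scopes(sample, {DRIVE_READONLY}))
```

The Google token itself stays on the server; the external clients in the question would authenticate to the application's own API and never see it.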
