Is it possible to make "redirect_url" NOT open in the browser window with Google OAuth2?

Question

I am writing an application that requires authentication using the OAuth2 Protocol. I have managed to use the Web Server App authentication mechanism and it's working quite well, the only problem is that I am handling the redirect_url within the program itself and I don't want the browser to make the request in a new tab.

If it were possible, the ideal solution would be that google server would send the request to me directly, or that it would open and close the browser tab/window.

Perhaps this approach is not the most appropriate, if so please let me know how to do this better.

Answer 1

Since you're already using non-portable xdg-open, you probably can use another external tool (xdotool) and emulate users keystrokes with it:

xdotool search --onlyvisible --class "Chrome" windowfocus key 'ctrl+w'

This will send ctrl+w (close tab) to visible chrome instance

Keep in mind there may be more than one browser window open.

Answer 2

Yes its possible I am actually doing just that in my .Net application using a web browser control. You have tagged this Google Oauth so I am assuming you are doing this with Googles auth servers. I suspect you are using one of Googles client libraries which are built to open it in a new browser window by default. The Google .Net client library for example is designed to do this.

The trick may require that instead of using a web credentials you use native or other type credentials which do not require a redirect URI. These credentials are normally used for installed applications but they can be used for web. It may be possible to do it with web credentials but I think its going to depend a little on what you are doing exactly.

Google Oauth2 flow:

The first step in the flow is creating the URL for the user to authenticate. This is a webpage there is nothing you can do to change that. So your application will need to be able to display a webpage to the user.

https://accounts.google.com/o/oauth2/auth?client_id={clientid}.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/analytics.readonly&response_type=code  

by supplying urn:ietf:wg:oauth:2.0:oob you are basically telling the auth server to just return the code to where you sent it from.

The code is returned to you and you will need to swap it. This call is a HTTP POST.

https://accounts.google.com/o/oauth2/token
code=4/X9lG6uWd8-MMJPElWggHZRzyFKtp.QubAT_P-GEwePvB8fYmgkJzntDnaiAI&client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code

response

{
"access_token" : "ya29.1.AADtN_VSBMC2Ga2lhxsTKjVQ_ROco8VbD6h01aj4PcKHLm6qvHbNtn-_BIzXMw",
"token_type" : "Bearer",
"expires_in" : 3600,
"refresh_token" : "1/J-3zPA8XR1o_cXebV9sDKn_f5MTqaFhKFxH-3PUPiJ4"
}

Now you have a refresh toke and an access token. you can refresh your access token using another HTTP POst call.

https://accounts.google.com/o/oauth2/token
client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&refresh_token=1/ffYmfI0sjR54Ft9oupubLzrJhD1hZS5tWQcyAvNECCA&grant_type=refresh_token

Response

{
"access_token" : "ya29.1.AADtN_XK16As2ZHlScqOxGtntIlevNcasMSPwGiE3pe5ANZfrmJTcsI3ZtAjv4sDrPDRnQ",
"token_type" : "Bearer",
"expires_in" : 3600
}

So as long as you can embed the auth URL into your application you can fetch it yourself. You don't need the redirect URI. my tutorial on google 3 legged oauth2

Answer 3

Fair warning, haven't used oAuth like this but I do have an idea:

Can't you just open the oauth request in a pop-up with window.open()?
Getting the parent of the popup is then as easy using window.opener.

After OAuth validation you could refresh the parent with: window.opener.location.reload();

You could then simply use window.close() to close the popup.

This way no new tabs will be opened and your application will remain the active tab.