Using OAuth to authenticate a GoogleApps Calendar widget our web app (Using Google as a two legged OAuth client)

Question

I am currently investigating the feasibility of integrating a Google Apps calender with my application. One of my use cases involves adding a custom widget to the calendar. The user will use this widget to add special calendar events, the widget will then contact my application using oauth to trigger extra business processing.

• How do I securely connect to my application via OAuth from a Google widget?
• Does Google have any api/support for being an OAuth consumer?
• Or does Google-apps provide a service where I can safely store and access OAuth consumer key and secret at the domain level without individual users seeing the key?

I have looked at using a separate web app to host the consumer key and secret. But this just kicks the problem down the road. How do I ensure that the request to this app is from an authenticated Google-apps user on a specific domain? In this case I would have to use OpenId or similar.

• If so would I be better using OpenId for this use case and by pass OAuth completely?

(Note: I have already read as much Google OAuth documentation as I can find. Please don't link to more unless it specifically mentions using Google an OAuth Client or how to use Google to manage OAuth Client keys).

Answer 1

As far as I could gather this is not possible, as I have planned to do it.

This is because the widget is client only javascript and html. There is no where to store the persons identity, they would still have to log onto a server somewhere and the server would have to hold the persons identity and perform the oauth dance.

I am open to better answers if anyone has them, but I am nolonger actively looking at this.