I am developing an application which is like Google Calendar: users input their Google account to log in, and sync from their Google Tasks.
Is this possible without using OAuth2?
Using the OAuth Resource Owner Password Credentials flow you can "hide" the OAuth flow from the user, but only if you are managing your users' usernames/passwords (they would have to be supplied as part of the access token request). Unfortunately, Google doesn't seem to support this type of authentication flow. I've been battling with it for a few days, but it seems there is a lack of support on their back-end. Here is the (non-functional) example the Google API provides for Java:

    static void requestAccessToken() throws IOException {
        try {
            ResourceOwnerPasswordCredentialsGrant request =
                new ResourceOwnerPasswordCredentialsGrant(new NetHttpTransport(),
                    new JacksonFactory(),
                    "https://server.example.com/authorize",
                    "s6BhdRkqt3",
                    "gX1fBat3bV",
                    "johndoe",
                    "A3ddj3w");
            AccessTokenResponse response = request.execute();
            System.out.println("Access token: " + response.accessToken);
        } catch (HttpResponseException e) {
            AccessTokenErrorResponse response = e.response.parseAs(AccessTokenErrorResponse.class);
            System.out.println("Error: " + response.error);
        }
    }

If you can get this thing to run, please let me know.
OAuth is promoted because it offers protection for Google users. Imagine if Google had a simple username/password API. If you were the creator of a malicious site, and you allowed a user to enter their credentials on your site, you could store the credentials, then perform operations for the user without their consent.
You should really consider just going through their OAuth2 system.
If you really want to bypass this (and please don't), you could resort to issuing HTTP requests that mimic what would happen if the user were entering their username and password directly, then use screen scraping to extract data. Obviously, this is a brittle approach, and with Google's recently introduced two-factor authentication, that won't work for users who opted in to that.
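The OAuth2 route recommended above, as an added example that is not part of the original answers: an authorization-code flow with PKCE in which the application never sees the user's Google password and asks only for read access to Tasks. The function names, the read-only scope choice and the client ID, secret and redirect URI passed in are assumptions for illustration.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
TASKS_SCOPE = "https://www.googleapis.com/auth/tasks.readonly"  # least privilege for a sync

def start_login(client_id, redirect_uri):
    """Return (consent_url, session). Keep `session` server-side, tied to the browser session."""
    state = secrets.token_urlsafe(32)       # binds the callback to this login attempt (CSRF)
    verifier = secrets.token_urlsafe(64)    # PKCE secret, never sent in the browser redirect
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": TASKS_SCOPE,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "access_type": "offline",           # ask for a refresh token for background sync
    }
    session = {"state": state, "verifier": verifier, "redirect_uri": redirect_uri}
    return AUTH_ENDPOINT + "?" + urlencode(params), session

def finish_login(callback_url, session, client_id, client_secret):
    """Validate Google's redirect and return the form body to POST to TOKEN_ENDPOINT."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:                    # user declined consent, or the request was invalid
        raise PermissionError(query["error"][0])
    returned_state = query.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), session["state"].encode()):
        raise PermissionError("state mismatch: callback does not belong to this login")
    if "code" not in query:
        raise PermissionError("no authorization code in callback")
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": session["redirect_uri"],
        "code_verifier": session["verifier"],
    }
```

The returned dictionary is sent as a form-encoded POST to `TOKEN_ENDPOINT` from the server; the only credential the application ever stores is the token Google issues, which the user can revoke without changing their password.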