Hey Dan, You are right with my assumption thinking that Google apps would have access to all the users Google data. My biggest problem with that style of authentication of OAuth is that it brings my user to a separate interface for logging in, and maybe even 'expire' every so often forcing the user to renew their credentials. I have not tested the OAuth integration in my application to validate those assumptions, so please correct me if I'm wrong.
I have noticed that some spreadsheet gadgets have simply been asking for a preauthenticated 'token' for authentication.. I will try this and let you know where I stand on that.. but that I think is explicit enough to give a user access to a certain spreadsheet. James On Jul 31, 4:11 pm, "Dan (Google)" <[email protected]> wrote: > Hi James, > > I agree that the messaging here is a bit odd, but it's a known issue > and we're looking to address it. I'll try and provide a bit of > background as to why it is the way it is. > > Let's say for instance, that you write a gadget that accesses data > from MySpace. The user logs into iGoogle, finds your gadget, and adds > it to his page. When the gadget loads, the gadget does the OAuth dance > to communicate with MySpace. I think we both agree that this is > reasonable, as installing a gadget shouldn't automatically expose all > of your MySpace data to others (including the gadget's author). > > Now, swap out MySpace data with Google data. The user goes through the > same process, logging in and adding your gadget. Would you expect that > your gadget implicitly has access to all of that user's data? Maybe > you would, since you have a legitimate use for it, and you're not a > malicious developer. But should every app? Should the explicit > contract of installing a gadget also include exposing all of your data > to the developer? > > In most cases, the answer is no. It's probably reasonable to only give > limited access to potentially private data, and only when explicitly > requested, which is what the OAuth dance is doing here. > > The remaining bit is the odd disclaimer message. Normally, that type > of message would say something along the lines of "Google is not > affiliated with someapp.com" when a third-party uses OAuth to connect > to data at Google. But, since these are gadgets, the domain actually > running the app is also google.com. Google clearly associates with > google.com, but not necessarily the gadgets running within iGoogle, > hence the slightly silly message. Getting a decent, and verifiable > value in place of google.com is actually a bit trickier than it might > seem, which is, again, something that we're looking to address. > > I hope this helps. > > Thanks, > Dan > > On Jul 30, 1:31 am, James McBryan <[email protected]> wrote: > > > I am trying to allow my Google Gadget use the Google Data API without > > requiring an additional login. (This is because the user is already > > logged into iGoogle, why make them login again if they have already > > been authenticated, pretty repetitve ay? ) > > > My approach is to use Oauth for authorization and when adding their > > sample app here athttp://code.google.com/apis/gadgets/docs/oauth.html > > I got the following message: > > > "Google is not affiliated withwww.google.com" > > > Why would google need to authenticate itself with google? Is there a > > different approach that is better than using oAuth? My goal is to not > > have the user login again when they are already logged in. > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "iGoogle Developer Forum" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/Google-Gadgets-API?hl=en -~----------~----~----~----~------~----~------~--~---
