There's no easy way to use the Data API from an extension. The extension would need to communicate with the server to acquire the OAuth token. Google provides some JavaScript code that knows how to communicate with Google servers and acquire the token, but for non-Google servers you would need to implement it on your own. The current WIAB OAuth feature supports only requests that provide the callback URL to redirect to after authentication to pass the token. But extensions cannot provide a callback. According to the specification, extensions (installed applications) should send "oob" (out of band) instead, which the current WIAB OAuth mechanism can't handle. If someone has more knowledge about OAuth authentication for Chrome extensions using non-Google services, I'll be glad to learn what should be changed in WIAB to allow this.

On Sun, Apr 22, 2012 at 1:05 AM, Zachary “Gamer_Z.” Yaro <zmy...@gmail.com> wrote:

> Not everyone uses the “remember me” feature, and those who do still must re-authenticate after some period of time for security reasons. As I said before, Google recommended use of the Wave Data API, which bypasses this issue.
>
> —Zachary “Gamer_Z.” Yaro
>
> On Sat, Apr 21, 2012 at 17:13, Ali Lown <a...@lown.me.uk> wrote:
>
> > I was assuming that since Google's apps have the ability to remember the login state across browser sessions (through the 'remember me' feature) the notifier would be able to bypass full-authentication at the start of every browser session, instead using the 'remember me' credentials which don't need the login form to be displayed.
> >
> > On 21 April 2012 22:08, Zachary “Gamer_Z.” Yaro <zmy...@gmail.com> wrote:
> >
> > > I am familiar with that extension, having forked it after the original developer abandoned the project. It was created before the Gwave data API existed, so I am pretty sure it required the user to be logged in. I think the “proper” way to create a wave notifier extension (and the way Google made its extension) is using the data API.
> > >
> > > —Zachary “Gamer_Z.” Yaro
> > >
> > > On Sat, Apr 21, 2012 at 17:03, Yuri Z <vega...@gmail.com> wrote:
> > >
> > > > Yep. Do you think it wasn't the case for Google Wave Notifier?
> > > >
> > > > On Sat, Apr 21, 2012 at 11:05 PM, Ali Lown <a...@lown.me.uk> wrote:
> > > >
> > > > > > > @Yuri:
> > > > > > > If we wanted to add the ability to 'remember me' for the logins how do we want to ensure sessions aren't hijacked? The obvious way would be to use a cookie with some form of unique id in, but the unique id shouldn't be related to the user-id otherwise it could be predicted and used to bypass authentication.
> > > > > >
> > > > > > I think the session is stored in the JSESSIONID cookie by Jetty and notifier can access it even if the tab was closed since it has access to cookies on the wiab domain that is defined in manifest.json of the chrome extension.
> > > > >
> > > > > Yes, but this still relies on the user having logged in within the current browser session (closing and reopening the browser invalidates the session ATM).
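
The "remember me" question quoted above asks for a cookie id that is unrelated to the user id and cannot be predicted. The Java sketch below is an added example, not WIAB code and not from anyone in the thread: the class `RememberMeTokens`, its methods and the sample address are hypothetical, and the in-memory map stands in for whatever persistent store a server would use. It issues 256-bit random tokens, keeps only their SHA-256 hash server-side, expires them, and consumes each token on use so a stolen cookie cannot be replayed after the owner's next login.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical remember-me token store (Java 16+); an illustration, not WIAB code. */
public class RememberMeTokens {
  private record Entry(String userId, Instant expires) {}

  private static final SecureRandom RNG = new SecureRandom();
  // Keyed by the SHA-256 of the token, so a leaked store does not yield usable cookies.
  private final Map<String, Entry> byHash = new ConcurrentHashMap<>();

  private static String sha256(String token) throws Exception {
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    byte[] digest = md.digest(token.getBytes(StandardCharsets.UTF_8));
    return Base64.getEncoder().encodeToString(digest);
  }

  /** Issues a cookie value: 256 random bits that carry no trace of the user id. */
  public String issue(String userId, Instant now, long ttlSeconds) throws Exception {
    byte[] raw = new byte[32];
    RNG.nextBytes(raw);
    String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    byHash.put(sha256(token), new Entry(userId, now.plusSeconds(ttlSeconds)));
    return token;
  }

  /** Returns the user id for a valid token and consumes it (single use), else null. */
  public String redeem(String token, Instant now) throws Exception {
    Entry e = byHash.remove(sha256(token));
    return (e == null || now.isAfter(e.expires())) ? null : e.userId();
  }

  public static void main(String[] args) throws Exception {
    RememberMeTokens store = new RememberMeTokens();
    Instant now = Instant.now();
    // Constructed sample user; the cookie is valid for 14 days.
    String cookie = store.issue("alice@example.com", now, 14L * 24 * 3600);
    System.out.println("first use:  " + store.redeem(cookie, now));
    System.out.println("replay:     " + store.redeem(cookie, now));
    String shortLived = store.issue("alice@example.com", now, 60);
    System.out.println("after ttl:  " + store.redeem(shortLived, now.plusSeconds(61)));
    System.out.println("guessed id: " + store.redeem("alice@example.com", now));
  }
}
```

After a successful `redeem`, the server would create a normal session and call `issue` again to set a fresh cookie, which is what makes each token single use.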