Can you use a chrome-extension:// URL to redirect to the extension's options page?
—Zachary “Gamer_Z.” Yaro On Sat, Apr 21, 2012 at 18:54, Yuri Z <vega...@gmail.com> wrote: > There's no easy way to use Data API from extension. The extension would > need to communicate with the server to acquire the OAuth token. > Google provides some javascript code that knows how to communicate with > google servers and acquire the token, but for non Google servers you would > need to implement it on your own. The current WIAB OAuth feature supports > only requests that provide the callback URL to redirect to after > authentication to pass the token. But the extensions cannot provide > callback. According to specification extensions (installed applications) > should send "oob" (out of band) instead - which current WIAB OAuth > mechanism can't handle. > If someone has more knowledge about OAuth authentication for Chrome > extensions using non Google services - I ll be glad to learn what should be > changed in WIAB to allow this. > > On Sun, Apr 22, 2012 at 1:05 AM, Zachary “Gamer_Z.” Yaro > <zmy...@gmail.com>wrote: > > > Not everyone uses the “remember me” feature, and those who do still must > > re-authenticate after some period of time for security reasons. As I > said > > before, Google recommended use of the Wave Data API, which bypasses this > > issue. > > > > —Zachary “Gamer_Z.” Yaro > > > > > > On Sat, Apr 21, 2012 at 17:13, Ali Lown <a...@lown.me.uk> wrote: > > > > > I was assuming that since Google's apps have the ability to remember > > > the login state across browser sessions (through the 'remember me' > > > feature) the notifier would be able to bypass full-authentication at > > > the start of every browser session, instead using the 'remember me' > > > credentials which don't need the login form to be displayed. > > > > > > On 21 April 2012 22:08, Zachary “Gamer_Z.” Yaro <zmy...@gmail.com> > > wrote: > > > > I am familiar with that extension, having forked it after the > original > > > > developer abandoned the project. It was created before the Gwave > data > > > API > > > > existed, so I am pretty sure it required the user to be logged in. I > > > think > > > > the “proper” way to create a wave notifier extension (and the way > > Google > > > > made its extension) is using the data API. > > > > > > > > —Zachary “Gamer_Z.” Yaro > > > > > > > > > > > > On Sat, Apr 21, 2012 at 17:03, Yuri Z <vega...@gmail.com> wrote: > > > > > > > >> Yep. Do you think it wasn't the case for Google Wave Notifier? > > > >> > > > >> On Sat, Apr 21, 2012 at 11:05 PM, Ali Lown <a...@lown.me.uk> wrote: > > > >> > > > >> > >> @Yuri: > > > >> > >> If we wanted to add the ability to 'remember me' for the logins > > > how do > > > >> > >> we want to ensure sessions aren't hijacked? The obvious way > would > > > be > > > >> > >> to use a cookie with some form of unique id in, but the unique > id > > > >> > >> shouldn't be related to the user-id otherwise it could be > > predicted > > > >> > >> and used to bypass authentication. > > > >> > >> > > > >> > >> I think the session is stored in the JSESSIONID cookie by > Jetty > > > and > > > >> > > notifier can access it even if the tab was closed since it has > > > access > > > >> to > > > >> > > cookies on the wiab domain that is defined in manifest.json of > > the > > > >> > chrome > > > >> > > extension. > > > >> > > > > >> > Yes, but this still relies on the user having logged in within the > > > >> > current browser session (closing and reopening the browser > > invalidates > > > >> > the session ATM). > > > >> > > > > >> > > > > > >
