6

Question in short form: What is the cleanest way to implement Google Api OAuth2 authentication in Magento for the Admin area

Question in long form: All the new Google APIs are using OAuth2. The php client library is here and it abstracts the OAuth2 handling https://code.google.com/p/google-api-php-client/

The process is simple

  • Does user have an AccessToken?
  • No
  • Okay create a login url using client library
  • User clicks on login url link which takes them to Google to login
  • Once authenticated Google redirects back to Magento via the redirect url specified
  • Google sends back an AccessToken as part of url. Store it.
  • Make calls to the various APIs using this AccessToken

The examples in the client librarys are all flat files. So I'm looking for the best way to fit it into a MVC structure... or Magento to be precise.

Lets be specific. Its to retrieve Google Contacts. So far I have:

  • An admin controller called ContactsController with an index action. The very first thing it does is check if there is an access token. If there is no access token it forwards to an auth action.
  • The auth action simply renders a block which has the AuthUrl generated by the google php client library "createAuthUrl()"
  • On Clicking the link the google login page loads and I login
  • Google redirects back to the URL I have specified in the code (and the Google API Console https://code.google.com/apis/console). They also passes back the Access token. This URL must be predictable so it can't be an admin area url as these are dependent on a 'key' url parameter. Therefore I have created a frontend controller and action for Google to redirect back to.
  • In the frontend controller I store the AccessToken.
  • I then redirect back to the admin controller ContactsController index action. It sees an AccessToken and the application can actually do some stuff.

The problem I have is that I can't do that final redirect. Even though I am using the adminhtml helper getUrl method which does append the 'key' url parameter, when i redirect from frontend to backend I get kicked to the Dashboard.

Is there a better way to implement Googles OAuth2 in Magento?

How do you redirect to a direct Admin URL?

user2023210
  • 303
  • 2
  • 11
  • Just been doing some more tests. Admin redirects do work as expected, but not for custom modules. So for a standard admin page, like edit product, the following works in any controller action (frontend or backend) `$redirectUrl = Mage::helper("adminhtml")->getUrl("adminhtml/catalog_product/edit/", array('id'=>38)); $this->_redirectUrl($redirectUrl);` But a custom module route/controller/action admin url just kicks me to the dashboard. Very annoying `$redirectUrl = Mage::helper("adminhtml")->getUrl("mymodule_admin/adminhtml_contacts/index/"); $this->_redirectUrl($redirectUrl);` – user2023210 Jan 29 '13 at 22:45
  • were you able to complete the Google API OAuth2 <=> Magento Integration? Still doesn't look like there's much out there. – bluescrubbie Apr 28 '15 at 17:51
  • No. I just hacked something together using the Google APIs Client Library for PHP https://github.com/google/google-api-php-client. I use Google_Client::setScopes to access the APIs I need, set Google_Client::setAccessType to 'offline', Google_Client::setApprovalPrompt to 'force' and then use refresh tokens when the auth expires. Its not pretty but once I have completed sign in and approval ONCE, I then make repeated calls to the relevant API. See my answer below. This works for me because the APIs calls I'm using just run in background. I'm afraid you need to roll your sleeves up with OAuth2 – user2023210 Apr 30 '15 at 09:26

1 Answers1

2

The whole auth action which just renders a login link was pointless.

As soon as the adminhtml_contacts/index action realises that there is no access token it is able to use the Google_Client::createAuthUrl to work out where the user should be sent. So why bother putting this into an actual link? Instead I just immediately redirect them to the authUrl.

If the user is already logged into google then they don't need to do anything. Google sees they are logged in and immediately redirects back to my specified (and predictable) frontend controller action.

This frontend controller action stores the access token and I redirect back to adminhtml_contacts/index action. It still bums out because of the 'key' url parameter cross site request forgery protection problem specified above.

To get round this I turned off the secret key just for this action using a preDispatch hook in the admin controller.

public function preDispatch()
{ 
     if ($this->getRequest()->getActionName() == 'index') Mage::getSingleton('adminhtml/url')->turnOffSecretKey();
     parent::preDispatch();
}

Its not ideal but works and means I can actually start work on the api rather than mess around with authentication.

Now to get to grips with the Contacts API which has no client abstraction so I have to wade in deep into SimpleXml namespace issues and cumbersome DOMDocument manipulation. Hey ho.

user2023210
  • 303
  • 2
  • 11