4

I'm developping an application in android that provides information about different places. I've though of storing images of these places in picasa and retrieve them using the google apis, for this I created a new google account for the user holding the images.

The problem is when I start the oauth process for obtaining the token, I got a new web page asking for the username and password. As this is a technical user, all the end users will not know about the users and pwd.

Is there a way to send the username and password together with the other oauth values (client_id, secret_id, redirect_uri ,...?

Thank you

Luis
  • 41
  • 1
  • 2
  • which userid/password you are talking about? your user who will login to google or yours? – Umesh Awasthi Dec 04 '11 at 04:40
  • If you are creating the picasa account for each user behind the scene, why not able to login on behalf of him/her behind the scene? – B Faley Dec 04 '11 at 20:16

3 Answers3

3

Google Oauth authentication is a three legged process:

  1. Obtaining the Request Token
  2. Authorize that request token
  3. Exchange the authorized request token for an access token

Username and password is required at the second stage of this process where the user, by using his login credentials, authorize the client application to access its private data stored in the google server.

Now to the question that @Luis raised which is, is there a way to send the username and password together with the other oauth values? The answer is No. It is not possible to send the username and password in the Authorization header nor in the query parameter of the authorization URI. The reason being the user should always be made aware that the client (which is your application) is using the user's data. Hence the user is always redirected to the webpage where he/she is asked to provide the login credentials. This also allows the user to set restrictions with respect to access control on his private data, for the application.

If the application is allowed to store and send the user login credentials along with the Oauth Authorization headers, then the user will never know that the application is using its private data nor can it set any sort of restrictions for the application.

Hope this explanation helps.

Arun George
  • 18,352
  • 4
  • 28
  • 28
0

If you want to avoid showing the login dialog, you can try to get an OAuth token using the AccountManager. That will effectively do the same thing behind the scenes, using the saved username and password for the Google account. Naturally, the account needs to be registered on the device before that. Here is a brief description, you just need to find out the right scope for Picasa and pass it as the token type: http://developer.android.com/training/id-auth/authenticate.html

You can get an authentication token using an username and password with ClientLogin, but has already been deprecated, so it's not a good idea to use it in new projects.

Nikolay Elenkov
  • 52,576
  • 10
  • 84
  • 84
0

try to put your photos in public gallery in Picasa web albums, in this case there is no need of user account for accessing the photos.

user1105247
  • 11
  • 1