Wednesday, April 01, 2009

Created "OAuth CrossDomain JavaScript Proxy Service"


OAuth CrossDomain JavaScript Proxy Service

Source Code:

What can this service do?

It lets you call 3-legged OAuth-protected APIs from any JavaScript client using JavaScript alone. No server-side program is required to write a client.

Writing a client is very easy: one asynchronous JavaScript method invocation gives you access to an OAuth-protected resource. There is no cumbersome protocol to implement yourself; passing security tokens, signing requests, and showing the dialog that asks for the user's consent are all handled by this proxy service.

This service runs on Google's App Engine platform.

Code Example:

Example Client : OAuth CrossDomain JavaScript Proxy

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "">
<html>
<head>
<title>Example Client : OAuth CrossDomain JavaScript Proxy</title>
<!-- the library script URLs are omitted on the original page -->
<script type="text/javascript" src=""></script>
<script type="text/javascript" src=""></script>
<script type="text/javascript">
function startXdRequest() {
  XdOAuth.init(''); // Initialization (argument omitted on the original page)
  // The name of the proxy's request method is missing from the page; "request" is assumed here.
  XdOAuth.request({
    url : '', // OAuth-protected API Endpoint (omitted on the original page)
    success : function(data) {
      // Parse the JSON response; JSON.parse avoids executing the response body as code.
      var result = window.JSON ? JSON.parse(data) : eval('(' + data + ')');
      var html = [];
      for (var i = 0; i < result.feed.entry.length; i++) {
        var entry = result.feed.entry[i];
        // GData JSON puts the entry title in title.$t (assumed); escape it if it may contain markup
        html.push('<li>' + entry.title.$t + '</li>');
      }
      document.getElementById('result').innerHTML = html.join('');
    },
    error : function(res) {
      alert(res.status + ':' + res.body);
    }
  });
}
</script>
</head>
<body>
<img src="./img/s.gif" />
<input type="button" onclick="startXdRequest()" value="Start OAuth Request to get private Google Calendar">
<ul id="result"></ul>
</body>
</html>

What's different from OpenSocial's OAuth Proxy?

It is similar in that it lets you access OAuth APIs from a JavaScript client, but this service does not require an OpenSocial container: it runs outside of a gadget.

How many APIs are supported now?

Almost all of Google's OAuth-enabled GData APIs, MySpace, Twitter, and


It pops up a window during the request to prompt the user to grant access to the data, so you should disable your browser's popup blocker for ""

Known Limitations

Initially only GET requests are supported. In the near future we will add support for POST and other HTTP methods.


You will be prompted twice to allow inter-site data exchange (OAuth Provider ->, -> the site that embeds the JS client code). This seems a little verbose for end users, but it is mandatory in order to avoid a CSRF vulnerability.