Please refer to the AX_EMAIL and other AX parameters. Google OpenID will send a mail parameter back to your auth point.
http://code.google.com/apis/accounts/docs/OpenID.html
Search the page for openid.ax.type.email.

There is a known vulnerability with Attribute eXchange that can be avoided with libraries like Step2 or integrated App Engine login. I'm not sure what libraries you are using to perform auth, so be aware that non-Google OpenID providers can easily spoof this to hack your app.

Since you are doing a Gmail gadget, so long as you do not allow users to enter any domain as OpenID provider, you should be OK... But if users can, in any way, provide an arbitrary domain to log in with, you should use additional encryption options to ensure the AX email contains the same domain as the OpenID provider.
http://googlecode.blogspot.com/2011/05/security-advisory-to-websites-using.html

Also, note that Gmail gadgets {or at least the GWT Gmail gadgets I've built} use a proxy server for your requests, and it will have a new session id with each request. If you need to track an authenticated session, you may want to use cookies or store an in-memory copy of the authed session key and send it along with every request.
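
The check the reply above describes, as an added example that is not part of the original post or of any library it names: accept the AX email only when it is covered by the response signature, comes from a provider endpoint you chose, and optionally matches an expected domain. The function name, the endpoint and attribute URIs, and the sample response are assumptions, and the OpenID library is assumed to have already verified `openid.sig`.

```python
# Added example. Assumes the OpenID library has already verified openid.sig;
# this only decides whether the AX email in that response can be trusted.
AX_NS = "http://openid.net/srv/ax/1.0"
EMAIL_TYPE = "http://axschema.org/contact/email"          # assumed AX email type URI
GOOGLE_ENDPOINT = "https://www.google.com/accounts/o8/ud"  # assumed trusted endpoint

def _aliases(params, prefix, wanted):
    """Return each alias x for which params[prefix + x] == wanted."""
    return [k[len(prefix):] for k, v in params.items()
            if k.startswith(prefix) and v == wanted]

def trusted_ax_email(params, allowed_endpoints=(GOOGLE_ENDPOINT,), domain=None):
    """Return the lower-cased AX email, or None if it must not be trusted."""
    if params.get("openid.mode") != "id_res":
        return None
    signed = set(params.get("openid.signed", "").split(","))
    # Only accept attributes from a provider we chose, never a user-supplied one.
    if (params.get("openid.op_endpoint") not in allowed_endpoints
            or "op_endpoint" not in signed):
        return None
    # Providers pick their own alias (ax, ext1, ...), so resolve it by namespace.
    ax = _aliases(params, "openid.ns.", AX_NS)
    if len(ax) != 1:
        return None
    attr = _aliases(params, "openid.%s.type." % ax[0], EMAIL_TYPE)
    if len(attr) != 1:
        return None
    # Every field the email depends on must be covered by the signature.
    needed = {"ns." + ax[0], "%s.type.%s" % (ax[0], attr[0]),
              "%s.value.%s" % (ax[0], attr[0])}
    if not needed <= signed:
        return None
    email = params.get("openid.%s.value.%s" % (ax[0], attr[0]), "").lower()
    local, at, host = email.rpartition("@")
    if not (local and at and host) or (domain and host != domain.lower()):
        return None
    return email

# Constructed sample response (not captured traffic); ext1 is the provider's alias.
SAMPLE = {
    "openid.mode": "id_res",
    "openid.op_endpoint": GOOGLE_ENDPOINT,
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": EMAIL_TYPE,
    "openid.ext1.value.email": "alice@example.com",
    "openid.signed": "op_endpoint,ns.ext1,ext1.mode,ext1.type.email,ext1.value.email",
}
```

A `None` result means the email must not be used to look up or create an account, even though the assertion itself verified.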
