Hi Bess, I'm glad that you find the explanation clear! I certainly hope that it helps developers plan their integrations. We are very enthusiastic about potential mobile device integrations, and certainly look to work with the developer community to streamline how it works. We really appreciate your ideas and feedback, and certainly hope that the dialog continues!
Those are great points about the UX concerns about collecting OAuth tokens from a callback. I agree that copying the token isn't an ideal workflow. If your're curious, there's an example of what an "oob" page looks like at next location. http://code.google.com/apis/accounts/images/OauthUX_nocallback.png There is a recently released example Android app that collects the tokens from a bogus callback page. It unfortunately can't be used yet to integrate with Health, since Health currently doesn't support anonymous OAuth; however, it certainly could be helpful for other integrations. http://gdata-java-client.googlecode.com/svn/tags/2.2.1-alpha/sample/buzz/buzz-json-android-sample/instructions.html The following Android app uses the same strategy for collecting OAuth tokens, and also includes code that uses the Android 2.x AccountManager to retrieve a ClientLogin token, without requiring the user to enter login credentials into the app. This approach will work with Health; however, it doesn't allow for data attribution. I'm working with this application now to produce an Android+Health example app. http://gdata-java-client.googlecode.com/svn/tags/2.2.1-alpha/sample/picasa/picasa-atom-android-sample/instructions.html And finally... there dose seem to be some discussion about OAuth for devices without embedded browsers. It looks like the idea is still formative, however. http://sites.google.com/site/oauthgoog/UXFedLogin/nobrowser/input-capable-devices Thanks again for your ideas and feedback! Kind regards, Paul On Jul 29, 2:53 pm, Bess Ho <[email protected]> wrote: > Thanks Paul. > > This is the best explanation on Google Health API OAuth on Android I have > ever read/hear in the last 3 years. > > I have done my own investigation & research. Two methods you described align > with other 3rd party recommendation on OAuth 1.0a integration in other > platforms. The complexity here is anonymous OAuth currently isn't supported > by Google Health. > > Both methods involved in some UXP issues. First method requires consumers to > know how to copy & paste the oauth_token and oauth_verfier. I was told that > those are very long strings. How many consumers would want to take this step > and go back to the app to verify before using it? How do you educate > consumers to do this extra step? > > Second method requires pure hacking. I was told to use some sort of timer to > keep checking the status. Honestly I don't know the best practice to make > this work well. I believe there got to be something better if someone > provides a better OAuth native lib to do some heavy duty work and do it > right. > > So releasing a well documented example on Health/mobile integration will be > very important for this developer group. Please continue your effort! > > Thanks so much! > > Bess > > > > > > On Thu, Jul 29, 2010 at 11:12 AM, Paul (Google) <[email protected]> wrote: > > Hi Bess, > > > There have been other users that mentioned that their OAuth libraries > > have difficulties with OAuth 1.0. The differences between the two > > versions are somewhat minor, however. Besides when the callback is > > sent, the other difference between OAuth 1.0 and 1.0a that I forgot to > > mention is the oauth_verifier, which is returned in the callback and > > re-sent to get the access token. Google's OAuth documents are for > > OAuth 1.0a, so developers will need to be aware of these two > > differences when integrating with Health. > > > There are two difficulties with using OAuth and mobile devices. The > > first are domain credentials (private keys), which shouldn't be stored > > on mobile devices. Anonymous OAuth works without domain credentials; > > however, anonymous OAuth currently isn't supported by Health yet since > > it doesn't allow for data attribution. With anonymous OAuth, the > > other issue is the second leg of the OAuth dance, where an OAuth > > service uses a URL sent from the client to return the request token > > and verifier. There are two options to deal with this that I know of > > (maybe more with OAuth WRAP or v2.0). The first is to use an "out of > > band" (oob) callback, which will display the oauth_token and > > oauth_verfier in a web page and ask a user to copy and paste them. > > The other is to use a bogus callback URL and have the embedded browser > > grab the OAuth request parameters before it tries to render the page. > > > We are working to release example code to make Health/mobile > > integration easier, and will definitely keep the community informed of > > any advances! > > > Cheers! > > Paul > > > On Jul 28, 11:38 pm, Bess Ho <[email protected]> wrote: > > > Thanks Paul. This may explain how Android couldn't use Google OAuth for > > > Google Health until Google Health OAuth is upgraded to OAuth 1.0a and > > able > > > to use 3rd party OAuth Java lib that is on 1.0a. > > > > On Wed, Jul 28, 2010 at 7:38 PM, Paul (Google) <[email protected]> wrote: > > > > Hi Hari, > > > > > You use the same feeds when you authenticate with OAuth and AuthSub. > > > > The only difference is what you put in the "Authorization" header. > > > > > Bess: You're correct; AuthSub is initially easier to work with, and > > > > can be helpful for getting up to speed with Google's authorization > > > > services. For OAuth, Health currently supports OAuth 1.0, but not > > > > 1.0a, which means that the oauth_callback is sent in the second leg > > > > (1.0), not the first (1.0a). Also, Health requires RSA-SHA1 signing, > > > > so a client must have a verified X.509 certificate registered with > > > > Google. > > > > > I hope these tips help! Definitely let us know how it goes, Hari! > > > > > Paul > > > > > On Jul 21, 2:29 am, Bess Ho <[email protected]> wrote: > > > > > Hari, > > > > > > This is what I know but I am not sure this is more updated. Authsub > > is > > > > the > > > > > most comprehensive method for GH. GH support on OAuth is "?". I refer > > to > > > > the > > > > > degree of supporting everything. I heard GH support OAuth 1.0a but > > not > > > > OAuth > > > > > 2.0 yet. > > > > > > I would suggest you to try Authsub first. Once you get good results, > > then > > > > > try OAuth. > > > > > > On Tue, Jul 20, 2010 at 9:21 PM, Hari <[email protected]> wrote: > > > > > > Hi paul, > > > > > > > Thanks for your kind reply. > > > > > > > Given links are tells about authSub Feeds right?, but I am > > expecting > > > > > > oauth feeds for accessing (google health)CCR xml file. i have > > little > > > > > > confused, Is this feeds are common for both authsub and oauth? > > could > > > > > > you please clear me and give a sample code for access google health > > > > > > ccr file... > > > > > > > Thanks in advance > > > > > > > On Jul 20, 11:57 pm, "Paul (Google)" <[email protected]> wrote: > > > > > > > Hello Hari, > > > > > > > > The error indicates that the scope you're using to retrieve the > > OAuth > > > > > > > request token is too broad. You can find the correct scope and > > > > > > > service name in the table at the following location: > > >http://code.google.com/apis/health/getting_started.html#Differences > > > > > > > > For the available Health feeds, you might want to look at: > > > > > > > >http://code.google.com/apis/health/docs/2.0/reference.html#Feeds > > > > > > > > Cheers! > > > > > > > > Paul (Google) > > > > > > > > On Jul 20, 5:15 am, Hari <[email protected]> wrote: > > > > > > > > > Dear Friends, > > > > > > > > > Today only we are register our domain in google. if i try to > > > > access > > > > > > > > user's CCR file from google through oauth, i got below Error > > > > > > > > > " > > > > > > > > We're sorry, an error has occurred. Please see the Google > > > > Health > > > > > > > > Help Center for assistance. > > > > > > > > > Sharing denied: Scope is too broad, please restrict > > > > > > towww.google.com/health/feedsornarrower. " > > > > > > > > > any body please give me a solution for this, and i got a sample > > > > code > > > > > > > > for access 1.Blogger, 2. Calendar, 3. Contacts, 4. Finance, 5. > > > > Picasa. > > > > > > > > These are working fine, but google health is not working, could > > you > > > > > > > > please > > > > > > > > any body tell me, What is the GoogleHealthService's scope, > > feedUrl > > > > and > > > > > > > > googleServiceName ??? > > > > > > > > > Thanks in advance > > > > > > > -- > > > > > > You received this message because you are subscribed to the Google > > > > Groups > > > > > > "Google Health Developers" group. > > > > > > To post to this group, send email to > > > > > > [email protected]. > > > > > > To unsubscribe from this group, send email to > > > > > > [email protected]<googlehealthdevelopers% > > > > > > [email protected]><googlehealthdevelopers% > > [email protected]><googlehealthdevelopers% > > > > [email protected]> > > > > > > . > > > > > > For more options, visit this group at > > > > > >http://groups.google.com/group/googlehealthdevelopers?hl=en. > > > > > > -- > > > > > Bess Ho > > > > > UI Architect / Developer / Designer > > > > > iPhone Developer > > > > > Silicon Valley Web Builder (SVWB) Founder > > > > > > The information transmitted is intended only for the person or entity > > to > > > > > which it is addressed and may contain CONFIDENTIAL material. If you > > > > receive > > > > > this material/information in error, please contact the sender and > > delete > > > > or > > > > > destroy the material/information. > > > > > -- > > > > You received this message because you are subscribed to the Google > > Groups > > > > "Google Health Developers" group. > > > > To post to this group, send email to > > > > [email protected]. > > > > To unsubscribe from this group, send email to > > > > [email protected]<googlehealthdevelopers% > > > > [email protected]><googlehealthdevelopers% > > [email protected]> > > > > . > > > > For more options, visit this group at > > > >http://groups.google.com/group/googlehealthdevelopers?hl=en. > > > > -- > > > Bess Ho > > > UI Architect / Developer / Designer > > > iPhone Developer > > > Silicon Valley Web Builder (SVWB) Founder > > > > The information transmitted is intended only for the person or entity to > > > which it is addressed and may contain CONFIDENTIAL material. If you > > receive > > > this material/information in error, please contact the sender and delete > > or > > > destroy the material/information. > > > -- > > You received this message because you are subscribed to the Google Groups > > "Google Health Developers" group. > > To post to this group, send email to > > [email protected]. > > To unsubscribe from this group, send email to > > [email protected]<googlehealthdevelopers% > > [email protected]> > > . > > For more options, visit this group at > >http://groups.google.com/group/googlehealthdevelopers?hl=en. > > -- > Bess Ho > UI Architect / Developer / Designer > iPhone Developer > Silicon Valley Web Builder (SVWB) Founder > > The information transmitted is intended only for the person or entity to > which it is addressed and may contain CONFIDENTIAL material. If you receive > this material/information in error, please contact the sender and delete or > destroy the material/information. -- You received this message because you are subscribed to the Google Groups "Google Health Developers" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/googlehealthdevelopers?hl=en.
