A lot of the documentation that I have read about how to build Marketplace apps tells me to use OpenID+OAuth 1.0 with 2-legged. But all the other information about authentication in Google's docs tells me OAuth 1.0 is deprecated and should NOT be used.

So what is correct? Should I use OAuth 1.0 on Marketplace or not?

PS: to clarify, I'm going to use the Google Documents List API version 3.0, because with the Drive SDK it is impossible to know a user's email based on a file's permission set. The file's permission set only contains the name, but I need the user's email.

Thanks,

Solution

Expanding on jonathanberi's comment,

As in this answer, Google has deprecated OAuth1 and OpenID. Google recommends using OAuth2 for all Marketplace apps, especially after the new experience announcement.

Here is some sample code

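    import httplib2
    from apiclient.discovery import build
    from oauth2client.client import OAuth2WebServerFlow

    # GET method of the request handler that serves the OAuth2 redirect URI.
    # `config` is assumed to be a dict holding the app's client credentials.
    def get(self, *args, **kwargs):
        code = self.get_argument('code', None)
        error = self.get_argument('error', None)

        # This handler's own URL doubles as the redirect URI.
        redirect_uri = "{protocol}://{host}{path}".format(
            protocol=self.request.protocol,
            host=self.request.host,
            path=self.request.path)

        flow = OAuth2WebServerFlow(
            client_id=config['CLIENT_ID'],
            client_secret=config['CLIENT_SECRET'],
            scope='https://www.googleapis.com/auth/userinfo.email',
            redirect_uri=redirect_uri,
            access_type='online'
        )

        if error:
            # Check for an error first: an error callback carries no code,
            # so testing `code is None` first would restart the flow instead.
            self.redirect("http://error.com")
        elif code is None:
            # First visit: send the user to Google's consent page.
            auth_uri = flow.step1_get_authorize_url()
            self.redirect(auth_uri)
        else:
            # Callback with a code: exchange it for credentials.
            credentials = flow.step2_exchange(code)
            http = httplib2.Http()
            http = credentials.authorize(http)
            # Fetch the signed-in user's profile, including the email address.
            service = build('oauth2', 'v2', http=http)
            user = service.userinfo().get().execute()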
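
A check the handler above does not perform, as an added example that is not part of the original answer: tying the authorization request to the browser session through the OAuth 2.0 `state` parameter and verifying it before the code is exchanged. The function names, the session identifier and the 600-second lifetime are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

STATE_TTL = 600  # assumed lifetime of a login attempt, in seconds


def _mac(key, session_id, nonce, ts):
    # HMAC over the session id, nonce and timestamp; session ids are
    # assumed not to contain the "|" separator.
    msg = "|".join((session_id, nonce, ts)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_state(key, session_id, now=None):
    """Build 'nonce.timestamp.mac' to send as the `state` query parameter."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_urlsafe(16)  # URL-safe alphabet, never contains "."
    return ".".join((nonce, ts, _mac(key, session_id, nonce, ts)))


def check_state(key, session_id, state, now=None):
    """True only for a fresh state value issued to this same session."""
    try:
        nonce, ts, mac = state.split(".")
        age = (time.time() if now is None else now) - int(ts)
    except (AttributeError, ValueError):
        return False  # missing, malformed or non-numeric state
    if not 0 <= age <= STATE_TTL:
        return False
    expected = _mac(key, session_id, nonce, ts)
    # Compare as bytes so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(mac.encode(), expected.encode())


def classify_callback(key, session_id, params):
    """Decide what the redirect handler should do with its query parameters."""
    if params.get("error"):
        return "error"      # provider reported a denied or failed request
    if not check_state(key, session_id, params.get("state")):
        return "reject"     # callback was not started by this session
    if not params.get("code"):
        return "reject"
    return "exchange"       # safe to exchange the code for credentials
```

The handler would call `make_state` before redirecting to the consent page and exchange the code only when `classify_callback` returns `"exchange"`.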

Other tips

The alternative of using OpenID is to give the user the possibility of logging in to your app using different kinds of accounts like Facebook, Google, etc.

https://developers.google.com/accounts/docs/OpenID?hl=en

If you want to give that possibility you should use OpenID, but if you just want to give permission to the user only for gmail accounts, you should only use the OAuth authorization.

OAuth 1.0 is officially deprecated since April, 2012: https://developers.google.com/accounts/docs/OAuth

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow