
Google OAuth 2.0 on WinForm

I need some directions because I'm pretty lost. I'm working on a very small app in WinForms, and it uses Google APIs. To be able to get to user data I need to get his user name and password. Up to this part everything works, but I don't have any save-user ability.

Now, I don't want to ask for the user's name and password every time, so I'm trying to find a safe way to do that.

I asked a question about where I should put this info, and got the answer that it is not a good idea to save usernames and passwords, and I should use Google OAuth 2.0 instead.

But, my problem is that I need to use a web browser for Google OAuth 2.0, and now I'm not sure how to implement this in my WinForm app.

My Questions:

  1. Is it possible to get data from a web browser to my app?
  2. Should I look for a different way to get user data? (any suggestion will be great).

samy asked Jan 31 '26 11:01


2 Answers

The two most important pieces of info for you to know are that you should use a client library to do the work for you, and you should use the "Installed application" flow/client type.

Use the tutorial here, which walks you through using an installed application: https://code.google.com/p/google-api-dotnet-client/wiki/GettingStarted

You do have to use a web browser to get the credentials from the user, but once you do that, you should be able to re-use those credentials (refresh token) without re-prompting. The library makes moving these credentials from the browser to your app simple.

David Primmer answered Feb 02 '26 01:02


Performing OAuth2 in a non-browser application is known as "2-legged OAuth2".

Server-side, 3-legged OAuth2 is for browser authentication. It consists of the following steps:

  1. the application navigates to your web app
  2. your web app redirects to the OAuth2 endpoint in Google with the correct GET parameters
  3. Google authenticates your user and redirects the browser back to your web app with the user token
  4. your web app uses the token to connect to Google services

Client-side, 2-legged OAuth2 consists of hosting the WebBrowser control in your application and following steps 2-3 of 3-legged authentication:

  1. the web browser control goes to the OAuth2 endpoint in Google, pretending your web app is going to be authenticated
  2. the web browser control allows the user to authenticate and redirects back to your web app
  3. but you don't really even have any web app - upon redirecting back to your application, you catch the redirect event of the web browser control and extract the authentication token

Having the user token, the WinForms app connects to Google services on behalf of the user.

Wiktor Zychla answered Feb 01 '26 23:02
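
Step 3 of the answer above (catching the redirect and extracting the value), as an added example that is not part of the original answers or of any Google library. It assumes the authorization-code response type with PKCE, where the redirect carries `code` and `state` query parameters; the class name, the loopback redirect URI and its port are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: OAuthRedirect and its members are hypothetical names.
static class OAuthRedirect
{
    const string AuthEndpoint = "https://accounts.google.com/o/oauth2/v2/auth";
    const string RedirectUri = "http://127.0.0.1:53682/callback"; // constructed placeholder

    static string B64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static string RandomToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return B64Url(bytes);
    }

    // Returns the URL to load in the browser; state and verifier never leave the app.
    public static string BuildAuthUrl(string clientId, string scope, out string state, out string verifier)
    {
        state = RandomToken();
        verifier = RandomToken();
        string challenge;
        using (var sha = SHA256.Create())
            challenge = B64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));
        return AuthEndpoint + "?response_type=code&code_challenge_method=S256"
            + "&client_id=" + Uri.EscapeDataString(clientId)
            + "&redirect_uri=" + Uri.EscapeDataString(RedirectUri)
            + "&scope=" + Uri.EscapeDataString(scope)
            + "&state=" + state + "&code_challenge=" + challenge;
    }

    // Call from the navigation event. Returns null unless the URL is exactly our
    // redirect, carries no error, and echoes the state generated for this request.
    public static string TryExtractCode(Uri navigated, string expectedState)
    {
        if (navigated.GetLeftPart(UriPartial.Path) != RedirectUri) return null;
        var q = new Dictionary<string, string>();
        foreach (var pair in navigated.Query.TrimStart('?').Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            var kv = pair.Split(new[] { '=' }, 2);
            q[Uri.UnescapeDataString(kv[0])] = kv.Length > 1 ? Uri.UnescapeDataString(kv[1].Replace("+", "%20")) : "";
        }
        if (q.ContainsKey("error") || !q.TryGetValue("state", out var s) || s != expectedState) return null;
        return q.TryGetValue("code", out var code) && code.Length > 0 ? code : null;
    }
}
```

The `verifier` returned by `BuildAuthUrl` is sent as `code_verifier` in the later token request, so a code lifted from the redirect is useless without it.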