I'm currently building a mobile web application that uses Google Fusion Tables as it's database. There is a good OAuth 2.0 guide for Fusion Tables, but the described process includes a user, that wants to give my application the permission to access his Fusion Tables.
In my case, I own the Fusion Table (it is connected to my account), and all I want is to give users the permission to all CRUD operations on this table. To read from the public table is no problem at all, as it does not require authentication, but all write operations (INSERT/UPDATE/DELETE) need authenctication. So if someone access my mobile web application, they should get an access-token for my fusion table, allowing them to write to the table.
I already registered my application at Google, and I'm able to write data to my fusion tables, when I'm logged in with my user account. How does this work for everybody else?
My questions:
- Is this possible with a browser-only solution? From what I've learned I need to put my client secret in a JavaScript file. Is this really that bad? I mean, what's the worst thing that could happen?
- I found a blog article about "How-to: Secure OAuth in JavaScript", is this the better approach? Has anyone tried that with Google Fusion Tables?
- If it's not that easy to build a browser-only solution, how would you do it with a server-side script? I thought of a PHP script where a client could just get a valid access-token.
Am I on the right track? How would you solve this use case?
You'll probably want to use a OAuth 2.0 Service Account for your application to access Fusion Tables:
https://developers.google.com/accounts/docs/OAuth2ServiceAccount
The Google PHP client library supports this type of account:
来源:https://stackoverflow.com/questions/10271623/authenticate-application-with-oauth-to-access-fusion-tables