Google's OAuth2 requirement that I own the domain












0














Would someone give me a brief explanation for the necessity of "owning" a domain from which a Javascript app is served that makes OAuth2 calls to a service running on App Engine? I assume this is meant to prevent some security vulnerability. I just can't imagine what, since the Javascript authenticates with the service using the client running in the user's web browser, and the auth flow makes it clear what the user is being asked to allow. What difference does it make where the page comes from?










share|improve this question



























    0














    Would someone give me a brief explanation for the necessity of "owning" a domain from which a Javascript app is served that makes OAuth2 calls to a service running on App Engine? I assume this is meant to prevent some security vulnerability. I just can't imagine what, since the Javascript authenticates with the service using the client running in the user's web browser, and the auth flow makes it clear what the user is being asked to allow. What difference does it make where the page comes from?










    share|improve this question

























      0












      0








      0


      1





      Would someone give me a brief explanation for the necessity of "owning" a domain from which a Javascript app is served that makes OAuth2 calls to a service running on App Engine? I assume this is meant to prevent some security vulnerability. I just can't imagine what, since the Javascript authenticates with the service using the client running in the user's web browser, and the auth flow makes it clear what the user is being asked to allow. What difference does it make where the page comes from?










      share|improve this question













      Would someone give me a brief explanation for the necessity of "owning" a domain from which a Javascript app is served that makes OAuth2 calls to a service running on App Engine? I assume this is meant to prevent some security vulnerability. I just can't imagine what, since the Javascript authenticates with the service using the client running in the user's web browser, and the auth flow makes it clear what the user is being asked to allow. What difference does it make where the page comes from?







      google-oauth






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 12 '18 at 16:48









      Tom Russell

      426215




      426215
























          1 Answer
          1






          active

          oldest

          votes


















          0














          It does not matter where the authentication request comes from. Your app could be running locally on the client's desktop, mobile, website, etc.



          [Technical reasons]:



          The endpoint that Google OAuth calls back to provide the token must be transmitted securely to an HTTPS endpoint. If you specify an HTTP endpoint the authorization request will fail. In order to setup SSL on your server you must have a registered domain name. The exception is when you are using http://localhost/ or http://[::1]/ for authorization via a built-in webserver.



          [Legal / Political reasons]:



          The key is that by owning a domain, Google also has the ability to display information about who is requesting access. This is to protect the end user from fraudulent activites. The information made available to the end user includes:




          • The support email address for your website.

          • Application Home Page URL.

          • Application Privacy Policy URL.

          • Application Terms of Service.


          In some countries, you must provide written information about how you will use and protect a customer's information by law. If you do not have a website, then this part cannot be accomplished by Google, who is responsible for protecting the end user using Google Accounts for authentication.






          share|improve this answer























          • Comments are not for extended discussion; this conversation has been moved to chat.
            – Samuel Liew
            Nov 15 '18 at 12:27











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53266638%2fgoogles-oauth2-requirement-that-i-own-the-domain%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          It does not matter where the authentication request comes from. Your app could be running locally on the client's desktop, mobile, website, etc.



          [Technical reasons]:



          The endpoint that Google OAuth calls back to provide the token must be transmitted securely to an HTTPS endpoint. If you specify an HTTP endpoint the authorization request will fail. In order to setup SSL on your server you must have a registered domain name. The exception is when you are using http://localhost/ or http://[::1]/ for authorization via a built-in webserver.



          [Legal / Political reasons]:



          The key is that by owning a domain, Google also has the ability to display information about who is requesting access. This is to protect the end user from fraudulent activites. The information made available to the end user includes:




          • The support email address for your website.

          • Application Home Page URL.

          • Application Privacy Policy URL.

          • Application Terms of Service.


          In some countries, you must provide written information about how you will use and protect a customer's information by law. If you do not have a website, then this part cannot be accomplished by Google, who is responsible for protecting the end user using Google Accounts for authentication.






          share|improve this answer























          • Comments are not for extended discussion; this conversation has been moved to chat.
            – Samuel Liew
            Nov 15 '18 at 12:27
















          0














          It does not matter where the authentication request comes from. Your app could be running locally on the client's desktop, mobile, website, etc.



          [Technical reasons]:



          The endpoint that Google OAuth calls back to provide the token must be transmitted securely to an HTTPS endpoint. If you specify an HTTP endpoint the authorization request will fail. In order to setup SSL on your server you must have a registered domain name. The exception is when you are using http://localhost/ or http://[::1]/ for authorization via a built-in webserver.



          [Legal / Political reasons]:



          The key is that by owning a domain, Google also has the ability to display information about who is requesting access. This is to protect the end user from fraudulent activites. The information made available to the end user includes:




          • The support email address for your website.

          • Application Home Page URL.

          • Application Privacy Policy URL.

          • Application Terms of Service.


          In some countries, you must provide written information about how you will use and protect a customer's information by law. If you do not have a website, then this part cannot be accomplished by Google, who is responsible for protecting the end user using Google Accounts for authentication.






          share|improve this answer























          • Comments are not for extended discussion; this conversation has been moved to chat.
            – Samuel Liew
            Nov 15 '18 at 12:27














          0












          0








          0






          It does not matter where the authentication request comes from. Your app could be running locally on the client's desktop, mobile, website, etc.



          [Technical reasons]:



          The endpoint that Google OAuth calls back to provide the token must be transmitted securely to an HTTPS endpoint. If you specify an HTTP endpoint the authorization request will fail. In order to setup SSL on your server you must have a registered domain name. The exception is when you are using http://localhost/ or http://[::1]/ for authorization via a built-in webserver.



          [Legal / Political reasons]:



          The key is that by owning a domain, Google also has the ability to display information about who is requesting access. This is to protect the end user from fraudulent activites. The information made available to the end user includes:




          • The support email address for your website.

          • Application Home Page URL.

          • Application Privacy Policy URL.

          • Application Terms of Service.


          In some countries, you must provide written information about how you will use and protect a customer's information by law. If you do not have a website, then this part cannot be accomplished by Google, who is responsible for protecting the end user using Google Accounts for authentication.






          share|improve this answer














          It does not matter where the authentication request comes from. Your app could be running locally on the client's desktop, mobile, website, etc.



          [Technical reasons]:



          The endpoint that Google OAuth calls back to provide the token must be transmitted securely to an HTTPS endpoint. If you specify an HTTP endpoint the authorization request will fail. In order to setup SSL on your server you must have a registered domain name. The exception is when you are using http://localhost/ or http://[::1]/ for authorization via a built-in webserver.



          [Legal / Political reasons]:



          The key is that by owning a domain, Google also has the ability to display information about who is requesting access. This is to protect the end user from fraudulent activites. The information made available to the end user includes:




          • The support email address for your website.

          • Application Home Page URL.

          • Application Privacy Policy URL.

          • Application Terms of Service.


          In some countries, you must provide written information about how you will use and protect a customer's information by law. If you do not have a website, then this part cannot be accomplished by Google, who is responsible for protecting the end user using Google Accounts for authentication.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 15 '18 at 20:59

























          answered Nov 13 '18 at 11:45









          John Hanley

          13.9k2528




          13.9k2528












          • Comments are not for extended discussion; this conversation has been moved to chat.
            – Samuel Liew
            Nov 15 '18 at 12:27


















          • Comments are not for extended discussion; this conversation has been moved to chat.
            – Samuel Liew
            Nov 15 '18 at 12:27
















          Comments are not for extended discussion; this conversation has been moved to chat.
          – Samuel Liew
          Nov 15 '18 at 12:27




          Comments are not for extended discussion; this conversation has been moved to chat.
          – Samuel Liew
          Nov 15 '18 at 12:27


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53266638%2fgoogles-oauth2-requirement-that-i-own-the-domain%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          這個網誌中的熱門文章

          Xamarin.form Move up view when keyboard appear

          Post-Redirect-Get with Spring WebFlux and Thymeleaf

          Anylogic : not able to use stopDelay()