
GoogleAuthNotes


Google/Blogger doesn't support the "HTTP Basic over TLS" minimal Atom authentication scheme. Instead it supports a Google-specific authentication scheme carried in an RFC 2617-style Authorization: header (a custom "GoogleLogin" scheme rather than Basic or Digest). This page documents the minimal set of steps needed to authenticate against the central Google authentication service and use the result with Blogger's Atom-based API. Note that Blogger's Atom API is not yet AtomPub compliant either, but it is fairly close.

Step 1: Get an auth token using the ClientAuth API; this involves POSTing username and password to the ClientLogin endpoint, and getting a token out:

curl 'https://www.google.com/accounts/ClientLogin' --verbose --data 'accountType=GOOGLE&Email=me@example.com&Passwd=my_secret_password&source=exampleCo-exampleApp-1&service=blogger' -H 'Content-Type: application/x-www-form-urlencoded' --trace-ascii log

You'll see an Auth= line in the response body if the request succeeds, and a 4xx status otherwise. Use the log output to peek at the back and forth. Be aware that the password appears on the command line (so in your shell history and in process listings) and that both the password and the returned token are written to the --trace-ascii log file, so delete that file when you're done. The Auth token looks like this:

Auth=DQABAJIACDDvl7POusL4o1qbipMw4mS1R_GxNkDJUkr2hYJ7w...3LCZOmvEFNEoZendvZH7pt-0I3HDd2qeveLCPsiSfc17wT8l4Kq59SZHOLaj

This is the token needed for subsequent requests. It's good for a few hours, and it is a bearer credential: anyone who holds it can act as your account until it expires, so treat it like a password.

Step 2: Use the auth token until it expires.

On each subsequent request to Blogger, you pass an Authorization: header with the token. Example:

curl 'http://www.blogger.com/feeds/default/blogs?alt=atom-service' -H 'Authorization: GoogleLogin auth=DQABAJIACDDvl7POusL4o1qbipMw4mS1R_GxNkDJUkr2hYJ7w...3LCZOmvEFNEoZendvZH7pt-0I3HDd2qeveLCPsiSfc17wT8l4Kq59SZHOLaj'

This retrieves the list of blogs owned by the logged-in user, as an Atom Service Document. Note that this example sends the token over plain HTTP (http://www.blogger.com/...), so anyone on the network path can read it and replay it until it expires.

On login, you may get a captcha challenge (documented under the ClientAuth API) instead of an auth token. The ClientAuth API is usable only for low-volume testing or client-based authentication, not high-volume (proxied) authentication. See AuthSub, the web-based auth solution, for a scalable alternative; it requires direct interaction between the end user's browser and the Google auth servers, but at the end it also hands back an auth token.
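The two steps above, plus the captcha failure mode just mentioned, as one small Python client. This is an added example, not code from the page or from Google; it assumes, from the historical ClientLogin documentation rather than from anything on this page, that the response body is newline-separated Key=Value pairs (SID, LSID and Auth on success; Error, CaptchaToken and CaptchaUrl on failure) and that a captcha challenge is signalled by Error=CaptchaRequired. The sample bodies at the bottom are constructed for offline testing, not captured from Google.

```python
# Added example (not code from the page): drive ClientLogin from Python,
# parse the key=value response body, and attach the GoogleLogin header.
# Assumed (from the historical ClientLogin docs, not from this page): the
# body is Key=Value lines (SID/LSID/Auth on success; Error/CaptchaToken/
# CaptchaUrl on failure) and a captcha is signalled by Error=CaptchaRequired.
import urllib.error
import urllib.parse
import urllib.request

CLIENT_LOGIN_URL = "https://www.google.com/accounts/ClientLogin"


class CaptchaRequired(Exception):
    """The service wants a captcha solved before it will issue a token."""

    def __init__(self, captcha_token, captcha_url):
        super().__init__("ClientLogin: captcha required")
        self.captcha_token = captcha_token
        self.captcha_url = captcha_url


def parse_clientlogin_body(body):
    """Parse 'Key=Value' lines into a dict, splitting on the first '=' only
    so an unexpected '=' inside a value cannot corrupt the key."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key] = value
    return fields


def extract_auth_token(status, body):
    """Return the Auth token, or raise on the failure modes the page lists."""
    fields = parse_clientlogin_body(body)
    if status == 200 and "Auth" in fields:
        return fields["Auth"]
    if fields.get("Error") == "CaptchaRequired":
        raise CaptchaRequired(fields.get("CaptchaToken"), fields.get("CaptchaUrl"))
    raise ValueError("ClientLogin failed: HTTP %s, Error=%s"
                     % (status, fields.get("Error", "unknown")))


def authorization_header(auth_token):
    """Header for every later request: 'Authorization: GoogleLogin auth=...'."""
    return {"Authorization": "GoogleLogin auth=" + auth_token}


def client_login(email, password, source, service="blogger"):
    """Step 1 over the network: POST the form and return the Auth token.
    Credentials travel in the request body, so unlike the curl one-liner
    they do not land in argv, process listings or shell history."""
    form = urllib.parse.urlencode({
        "accountType": "GOOGLE",
        "Email": email,
        "Passwd": password,
        "source": source,   # "company-app-version", as in the page's curl call
        "service": service,
    }).encode("ascii")
    req = urllib.request.Request(
        CLIENT_LOGIN_URL, data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return extract_auth_token(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        # A 4xx response still carries an Error= body; parse it the same way.
        return extract_auth_token(err.code, err.read().decode("utf-8"))


def fetch_service_document(auth_token):
    """Step 2 over the network: list the user's blogs as an Atom service doc.
    This keeps the page's plain-http URL, so the token is sent in the clear."""
    req = urllib.request.Request(
        "http://www.blogger.com/feeds/default/blogs?alt=atom-service",
        headers=authorization_header(auth_token))
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


# Constructed sample bodies (not captured from Google) for offline checks.
SAMPLE_SUCCESS_BODY = (
    "SID=DQAAAGgAsid-example\n"
    "LSID=DQAAAGsAlsid-example\n"
    "Auth=DQAAAGgAauth-example\n"
)
SAMPLE_CAPTCHA_BODY = (
    "Url=https://www.google.com/accounts/ErrorMsg?Email=me%40example.com\n"
    "Error=CaptchaRequired\n"
    "CaptchaToken=DQAAAGgAcaptcha-token-example\n"
    "CaptchaUrl=Captcha?ctoken=example\n"
)
SAMPLE_BAD_AUTH_BODY = "Error=BadAuthentication\n"
```

With real credentials, `client_login("me@example.com", password, "exampleCo-exampleApp-1")` performs Step 1 and `fetch_service_document(token)` performs Step 2. Catching `CaptchaRequired` separately from a generic `ValueError` matters because the two need different handling: the captcha case has a URL to show the user and a token to send back with their answer, whereas a bad-password case should not be retried in a loop.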

Client libraries for GData (which include AuthSub client APIs) are at http://code.google.com/apis/gdata/clientlibs.htm, with downloads at http://code.google.com/apis/gdata/clientlibs.html. They include Java, .NET, PHP, Python, and Objective-C libraries. I'm not clear on whether they include support for ClientAuth (for low-volume clients) or just AuthSub (for servers or clients that can do web pages).