How is OAuth 2 different from OAuth 1?

Eran Hammer-Lahav has done an excellent job in explaining the majority of the differences in his article Introducing OAuth 2.0. To summarize, here are the key differences: More OAuth Flows to allow better support for non-browser-based applications. This is a main criticism against OAuth from client applications that were not browser based. For example, …

How to extend access token validity since offline_access deprecation

Edit (August 14th 2012): A week ago the official Facebook PHP SDK was updated. The function name was changed to setExtendedAccessToken, and it was decided we actually needed to destroy the session afterwards, to remove the risk of having two active sessions. Also, the function no longer actually returns the token, but instead stores it …

Refreshing OAuth token using Retrofit without modifying all calls

Please do not use Interceptors to deal with authentication. Currently, the best approach to handle authentication is to use the new Authenticator API, designed specifically for this purpose. OkHttp will automatically ask the Authenticator for credentials when a response is 401 Not Authorised, retrying the last failed request with them. public class TokenAuthenticator implements Authenticator { …
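A fuller version of the pattern that answer describes, written here as an added example rather than taken from the answer or from OkHttp itself. It targets the okhttp3 Authenticator API; TokenSource is an assumed interface standing in for whatever performs the blocking call to the token endpoint (a Retrofit service, for instance). Two things the truncated excerpt does not show, and that matter in production, are added: a retry bound via the priorResponse() chain, so a refresh that still yields a 401 cannot loop forever, and a single refresh when several concurrent requests fail with the same stale token.

```java
import java.io.IOException;
import okhttp3.Authenticator;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.Route;

/** Assumed interface (not part of OkHttp): wraps the actual refresh call. */
interface TokenSource {
    String current();                    // token currently held by the app, may be null
    String refresh() throws IOException; // blocking call to the token endpoint; null on failure
}

public final class TokenAuthenticator implements Authenticator {
    private static final int MAX_ATTEMPTS = 2; // original request + one retry with a fresh token
    private final TokenSource tokens;

    public TokenAuthenticator(TokenSource tokens) {
        this.tokens = tokens;
    }

    @Override
    public Request authenticate(Route route, Response response) throws IOException {
        // OkHttp chains every retry it performs through this authenticator via priorResponse().
        // Returning null tells OkHttp to stop and hand the 401 back to the caller.
        if (responseCount(response) >= MAX_ATTEMPTS) {
            return null;
        }

        String failedWith = bearer(response.request());
        String fresh;
        synchronized (tokens) {
            // Several requests may fail at once with the same stale token. The first one in
            // refreshes; the rest see that the stored token already differs and reuse it.
            String current = tokens.current();
            if (current != null && !current.equals(failedWith)) {
                fresh = current;
            } else {
                fresh = tokens.refresh();
            }
        }
        if (fresh == null) {
            return null; // refresh itself failed: do not retry with the same stale token
        }

        return response.request().newBuilder()
                .header("Authorization", "Bearer " + fresh)
                .build();
    }

    /** Extracts the bearer token the failed request was sent with, or null if it carried none. */
    private static String bearer(Request request) {
        String header = request.header("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            return header.substring("Bearer ".length());
        }
        return null;
    }

    /** Number of responses in this request's retry chain, including the current one. */
    private static int responseCount(Response response) {
        int count = 1;
        while ((response = response.priorResponse()) != null) {
            count++;
        }
        return count;
    }

    /** Wiring: the authenticator is only consulted on 401, nothing else changes in the client. */
    public static OkHttpClient client(TokenSource tokens) {
        return new OkHttpClient.Builder()
                .authenticator(new TokenAuthenticator(tokens))
                .build();
    }
}
```

Attaching the current token to outgoing requests is a separate concern from reacting to a 401 and is not the authenticator's job; the refresh() call runs on the calling thread while the lock is held, so keep it short and make it fail fast rather than retrying internally.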

Why Does OAuth v2 Have Both Access and Refresh Tokens?

The link to discussion, provided by Catchdave, has another valid point (original, dead link) made by Dick Hardt, which I believe is worth mentioning here in addition to what’s been written above: My recollection of refresh tokens was for security and revocation. <…> revocation: if the access token is self contained, authorization can …
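The revocation argument in miniature, as an added example that is not code from the answer or the linked discussion. An authorization server issues a self-contained access token (an HMAC-signed "subject|expiry" pair, standing in for a JWT-style token) that a resource server verifies locally without calling back, plus an opaque refresh token that is only a key into the authorization server's own store. The signing key, the in-memory store and the five-minute lifetime are constructed for the demo. Revoking the refresh token takes effect at the authorization server immediately, while an access token already issued stays verifiable until it expires, which is exactly why access tokens are kept short-lived and refresh tokens long-lived.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Two-token model: a short-lived self-contained access token verified offline by the
// resource server, and a long-lived opaque refresh token that the authorization server
// can revoke by deleting it from its store.
public class TwoTokenDemo {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    static final class AuthorizationServer {
        private final byte[] signingKey;
        private final SecureRandom rng = new SecureRandom();
        private final Map<String, String> refreshStore = new HashMap<>(); // sha256(token) -> subject

        AuthorizationServer(byte[] signingKey) { this.signingKey = signingKey; }

        /** Self-contained token: payload + HMAC; anyone holding the key can verify it offline. */
        String issueAccessToken(String subject, Instant expiry) {
            String payload = B64.encodeToString((subject + "|" + expiry.getEpochSecond()).getBytes(UTF_8));
            return payload + "." + B64.encodeToString(hmac(signingKey, payload));
        }

        /** Opaque token: 32 random bytes, meaningful only as a lookup key in this store. */
        String issueRefreshToken(String subject) {
            byte[] raw = new byte[32];
            rng.nextBytes(raw);
            String token = B64.encodeToString(raw);
            refreshStore.put(sha256(token), subject); // store a hash so a leaked store is not a leaked token
            return token;
        }

        /** Exchanges a refresh token for a new 5-minute access token; null if unknown or revoked. */
        String refresh(String refreshToken, Instant now) {
            String subject = refreshStore.get(sha256(refreshToken));
            return subject == null ? null : issueAccessToken(subject, now.plusSeconds(300));
        }

        void revoke(String refreshToken) { refreshStore.remove(sha256(refreshToken)); }
    }

    static final class ResourceServer {
        private final byte[] signingKey;
        ResourceServer(byte[] signingKey) { this.signingKey = signingKey; }

        /** Checks signature then expiry, entirely locally; returns the subject or null. */
        String verify(String accessToken, Instant now) {
            int dot = accessToken.indexOf('.');
            if (dot < 0) return null;
            String payload = accessToken.substring(0, dot);
            byte[] sig;
            try { sig = B64D.decode(accessToken.substring(dot + 1)); } catch (IllegalArgumentException e) { return null; }
            if (!MessageDigest.isEqual(sig, hmac(signingKey, payload))) return null; // constant-time compare
            String[] parts = new String(B64D.decode(payload), UTF_8).split("\\|", 2);
            if (parts.length != 2 || now.getEpochSecond() >= Long.parseLong(parts[1])) return null;
            return parts[0];
        }
    }

    static byte[] hmac(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    static String sha256(String s) {
        try { return B64.encodeToString(MessageDigest.getInstance("SHA-256").digest(s.getBytes(UTF_8))); }
        catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        byte[] key = "constructed-demo-signing-key-not-for-real-use".getBytes(UTF_8); // constructed for the demo
        AuthorizationServer as = new AuthorizationServer(key);
        ResourceServer rs = new ResourceServer(key);
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");

        String refresh = as.issueRefreshToken("alice");
        String access = as.refresh(refresh, t0);
        System.out.println("fresh token at t0:        " + rs.verify(access, t0));
        as.revoke(refresh);
        System.out.println("refresh after revocation: " + as.refresh(refresh, t0));              // store lookup fails
        System.out.println("same access token at +60s: " + rs.verify(access, t0.plusSeconds(60))); // RS cannot see the revocation
        System.out.println("same access token at +300s: " + rs.verify(access, t0.plusSeconds(300))); // expiry is the only cut-off
        System.out.println("tampered access token:    " + rs.verify(access.substring(1), t0));    // signature no longer matches
    }
}
```

The asymmetry is the whole design: the resource server never asks the authorization server anything, so it can scale and stay up when the authorization server is down, and the price is that revocation reaches it only through expiry. Shortening the access-token lifetime bounds that window; the refresh token is what lets the client keep working across those short lifetimes without the user re-authenticating.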