Twitter: raymondcamden

Address: Lafayette, LA, USA

ColdFusion and OAuth Part 3 - Google

04-17-2013 10,971 views ColdFusion 68 Comments

Welcome to my third and final blog post on ColdFusion and OAuth. (You may find the earlier entries below.) I apologize for the delay but I traveled last week so I'm a bit behind. If you have not yet read the earlier entries (part 1 and part 2), please do so as I will not be repeating the information I wrote about before.

So - hopefully you've gotten an idea of how easy OAuth can be. After I got things working right the first time, the second demo was quite easy. For this demo I decided to get a bit fancier. Google has an OAuth API that lets you authenticate against their servers. What if you wanted to use Google for your user system? In other words, skip the whole custom registration process and offload user management to Google. That's not only possible but actually one of the recommended use cases in their documentation.

Before we begin, please note that you will need to register your application with Google. This is exactly like what you did with Facebook and LinkedIn, except it is done at Google's API Console instead. By now this process should be easy enough where I don't need to explain it to you, just be sure to make note of the client id and client secret.

Since our application is going to use Google for login, I've created a simple Application.cfc that looks for a session variable, and if it doesn't exist, automatically pushes the user to a login page.

The onApplicationStart is virtually a carbon copy of the earlier examples, but the onRequestStart is new. It checks to see if we are logged in, and barring that, checks to see if we are requesting either the login page or the callback page. When the user first hits the application, they are sent to the login page:

Notice that there isn't a form here. Remember, we're sending the user to Google instead. I could have automatically pushed them, but I felt this was more friendly. Here's the code for that template.

I've put the Google OAuth code into a CFC to abstract a bit, but for now, don't worry about it. The link generation is very similar to the previous two examples. Once the user clicks login, they are sent to Google. In this case, Google recognized my account and preset the login, but I have the option to switch users as well.

As before, the user is sent to a callback page. Here is that template. Again note that I've put much more into the CFC now so this is somewhat simpler.

Finally, the user is directed to the homepage. As part of the Google API, I can get info about the user. I did so and dumped it out:

Here is that template:

Now let's look at the CFC:

For the most part I assume this is self-explanatory, but if anyone has any questions, let me know.

Finally, an interesting twist. What about businesses that make use of Google Apps? Turns out there is an undocumented solution for that. Look at the generateAuthURL function above. If you add the "hd" argument, you can specify a Google Apps domain:

This works great, but as I said, it isn't documented. A friend of mine is a paying customer of Google Apps and has reached out to tech support, but unfortunately, no one will give him a firm answer. His last email with them resulted in this:

Basically what the rep said is that their technical team said using is a feature, so they didn't specify that in their documentation. He also said that the variable hd is also used to authenticate users in an organization with business units separated by domains.

Frankly that first sentence isn't sensible. "It is a feature and that's why we didn't document it." I'm hoping it was just a typo.

Related Blog Entries


  • Craig Inman #
    Commented on 04-17-2013 at 2:42 PM
    This does work really well. It has the domain under the field for username and won't let you enter any foreign characters, so you should not be able to enter any other Google App domains.
  • Commented on 04-28-2013 at 4:19 PM
    Out of interest, what, if anything, do you store from the information provided by Google/Facebook/LinkedIn? The IDs? Profile photos?
  • Commented on 04-28-2013 at 6:39 PM
    Great stuff (Again).
    I liked the LinkedIn and Facebook posts as well and intend to use them all so users can login with whatever method they want.

    I was wondering whether you were planning on doing a Sign in with Twitter post to complement the others ?
  • Commented on 04-29-2013 at 9:10 AM
    @Adrian: What you store would be up to you. What your app needs. Obviously you would have to content w/ the fact that those details may change.

    @Dave: I looked into Twitter this weekend actually. Unfortunately they are OAuth1 so it isn't as easy. Fortunately, someone has already blogged on it so I don't have to. ;)
  • Commented on 04-29-2013 at 9:53 AM
    Thanks Ray. You are a gentleman and a scholar.
    Now I have to roll it all up and make a loginUsing.cfc
    Also I have to agree that CodeSchool is excellent, hanks for the Hall Pass :)
  • Joel Spriggs #
    Commented on 05-01-2013 at 7:26 AM
    Nice post, explains it well. What would be your thoughts on utilizing that as the login interface for an app that uses primarily rest endpoints to connect a JS/html front-end with an ORM based backend?

    Their api page does give information about token validation, so my thought is that every endpoint call requires the token be attached as a header element, and just cache the public keys from google to do validation against the tokens.
  • Commented on 05-01-2013 at 9:49 AM
    "What would be your thoughts on utilizing that as the login interface for an app that uses primarily rest endpoints to connect a JS/html front-end with an ORM based backend?"

    Um, do you mean your app is primary client-side code w/ CF REST stuff ont he back?
  • Joel Spriggs #
    Commented on 05-01-2013 at 9:50 AM
  • Commented on 05-01-2013 at 9:51 AM
    Well, your client-side code could run a CFC that then hits Google. Basically the CFC acts as a proxy. Or you could hit Google directly if they support JSON/P or CORS.
  • Commented on 06-08-2013 at 3:27 PM
    Once again - I love all of your posts. I'm a fan and a subscriber. Although I feel like I'm missing something here. This line in particular: new google(application.clientid, application.clientsecret); Do I need some sort of additional file to have this work? Does it matter if I use application.cfm instead of cfc? I feel so lost... :/
  • Commented on 06-09-2013 at 10:25 AM
    As I didn't provide a zip, you have to get the code from the blog entry. google.cfc is the second to last, where I say, "This is the CFC..."

    You can use App.cfm instead of App.cfc, but... honestly, it is time to move on from App.cfm! :)
  • Commented on 06-11-2013 at 6:15 PM
    Haha - I know. Sometimes I have much less to say about those things than I'd like to - ergo my limited experience with CFC files. Thanks Raymond - once again I owe you a beer. Actually it's a whole case by now. :D
  • Commented on 06-11-2013 at 8:28 PM
    Enjoy man. Warning - I've got pricey taste in beer.
  • martin timmers #
    Commented on 07-04-2013 at 4:07 AM
  • martin timmers #
    Commented on 07-04-2013 at 4:09 AM
    Hi i just posted a question with a bit of code.

    This got rejected so i posted a pastebin link.

    Thanks for the tutorial.
  • Commented on 07-04-2013 at 10:45 AM
    It may be that the order isn't preserved in the second one and that may matter to Google. I've never used that particular API though so - sorry - can't really help.
  • Misty #
    Commented on 08-31-2013 at 11:26 AM
    Hi ray, Followed Your post, i am using Application.cfm rather than CFC

    But when i logs into Google auth and it comes back to callback, it just hangs there

    don't know what is the matter, any idea
  • Commented on 09-02-2013 at 3:15 PM
    So you come back to the CFM and... nothing happens? The CFM never outputs anything? Do you see anything logged at all?
  • Misty #
    Commented on 09-02-2013 at 11:59 PM
    Nothing gets logged, i used try catch blocks, site wide error, application based error, nothing. it just hangs up.
  • Commented on 09-03-2013 at 5:34 AM
    Then I'm not sure what to suggest. So to be clear, you leave, see your server load in the browser, see the cfm in the browser bar, and nothing. If you add "Hello World" to the top of the CFM, does that come out?
  • Misty #
    Commented on 09-03-2013 at 6:50 AM
    It shows nothing, Nothing anywhere, not in console, not error anywhere where i can search of. i tried creating log also when a callback is returned but it does not write, something is going wrong

    not sure what, if you wanna check

    here is the link:
  • Commented on 09-03-2013 at 6:53 AM
    It worked for me. I see the dump in the popup window.
  • Misty #
    Commented on 09-03-2013 at 7:22 AM
    Strange, Did you checked twitter too
  • Commented on 09-03-2013 at 7:35 AM
    Same here. I see a dump after submitting in the Google pop-up.
  • Commented on 09-03-2013 at 8:36 AM
    With Twitter processLogin.cfm loads, but displays nothing. Please share (pastebin or gist!) your code there.
  • Misty #
    Commented on 09-03-2013 at 8:44 AM
    ok, i thing something is going bad on my end, but not sure what, i tried different browsers, its a hosted application, i have to check again, but guys have you all the three of just one. Can you please confirm all 3 are working or just 1 or 2 only

  • Commented on 09-03-2013 at 8:46 AM
    I tested two - and one showed what you saw. At this point it would be helpful to see your code. In a pastebin or gist.
  • Misty #
    Commented on 09-03-2013 at 10:17 AM
    Here is the Pastebin Code for Twitter:
  • Commented on 09-03-2013 at 10:23 AM
    To be clear, are you using a different CFM file for each? I thought you were using the same. If you are, please do not share just a portion of your code, share everything.
  • Commented on 09-03-2013 at 10:27 AM
    Misty, did you debug this at all? Your code looks at the URL structure for a value called loginType. If you look at the value in the URL from Twitter, you can see login type is not there.

    Sorry if that sounds rough, but as part of the debugging you should have done, you should have noticed that, right?

    I'll echo my request that it would be more helpful if you were to share the entire CFM so we can see the app as it is being executed. Another test would be to add

    <cfdump var="#url#" abort>

    SO we can see what happens immediately after the return from Twitter. You may have something else doing a cflocation later on in the process.
  • Misty #
    Commented on 09-03-2013 at 10:49 AM
    Hi Ray, Never took your comments as tough and harsh, I have always something new from you, so let me debug that and i will share the code also which i am using now

    should i send the code in the email address
  • Commented on 09-03-2013 at 10:55 AM
    No, lets keep it here. If you have something secret in the CFM, like an APP Id, you can definitely change it.
  • Misty #
    Commented on 09-03-2013 at 11:04 AM
    i did some debugging and noticed that with twitter the application scope which i had defined as:

    <cfcase value="twitter">
             <cfset application.current_login_method = 'twitter'>
             <cfset twitterLogin = objLogin.get_request_token()>

    is coming as [empty string] when it comes back from authorization, note here that i am not using the twitter4j library for authetication, do i need to use it
  • Commented on 09-03-2013 at 11:19 AM
    Don't know. I think this is why I skipped Twitter when I was doing my OAuth series.
  • Misty #
    Commented on 09-03-2013 at 11:41 AM
    ok, i will check this out and see what i can figure out here, so another question is: even yahoo can be done with oauth, have not debugged t yet, but just guessing
  • Commented on 09-03-2013 at 11:44 AM
    Cool - to be honest - I don't pay much attention to Yahoo. They have some cool APIs and stuff, but I just... well I just don't pay attention to em. Maybe I should. :)
  • Commented on 11-12-2013 at 5:06 AM
    This tut did save my life! Thank you so much! ^___^
  • Commented on 12-02-2013 at 4:34 PM
    Hi Ray, Thanks for great tutorial and the tip at the end. Quick question.... Do you know of a way to access a Google folder's file list using OAuth & Coldfusion completed by the server only? No human clicking the agree and authenticate button? Looking to build an automated web app to reach into a Generic User's Google drive and access a folder where students have shared papers, presentations, projects, and artwork photos stored in their Google Drives. Thanks again!
  • Commented on 12-02-2013 at 4:50 PM
    Hmm. In theory, you could automate it with cfhttp. But you would need the user's email/password of course. Not sure how much faith I'd put into that though. Seems like a brittle solution.
  • Commented on 12-03-2013 at 6:54 PM
    Hi Ray, I agree as Google is dropping their client access in 2015. I am reading up on OAUTH for Google. I think from what I am gathering, there is a way to do this as long as I log in as the user 1 time and retrieve a valid refresh token for my app (which I did today). Now I just need to figure out how to get the whole thing to work. If I succeed, I'll post back. Thanks!
  • Misty #
    Commented on 03-08-2014 at 3:26 AM
    Hi ray, Coming back again, I am unable to access the google login API, I can find google + API, but not google Login, is it same or different, i user new google+ but did not worked
  • Commented on 03-08-2014 at 6:55 AM
    You need to give me more detail. What happens exactly?
  • Misty #
    Commented on 03-09-2014 at 10:26 AM
    Hi ray,

    How to fetch additional Information of google API like email address, login username etc.
  • Commented on 03-09-2014 at 12:08 PM
    You've been asking similar questions on two posts - I replied on the other one.
  • Misty #
    Commented on 03-11-2014 at 8:27 AM
    how you write this in cffunction

    public function getProfile(accesstoken) {

          var h = new com.adobe.coldfusion.http();
          h.addParam(type="header",name="Authorization",value="OAuth #accesstoken#");
          var result = h.send().getPrefix();
          return deserializeJSON(result.filecontent.toString());

    it will cfhttp call., but what about the following line:

    h.send().getPrefix(); - only explanation need to this line
  • Commented on 03-11-2014 at 8:55 AM
    h.send() means, make the http call. getPrefix gets the result. So result (the variable) is equal to <cfhttp url="..." result="result">
  • Misty #
    Commented on 03-11-2014 at 9:01 AM
    hi ray,

    you said, its possible to get email address, so check this link:

    in pastebin, i will expire in 1 hours

    This shows my Infor but does not show my email address info, if i try same in google editor which they had provided in the console window, the emails array is shown, what we are missing here then
  • Commented on 03-11-2014 at 9:04 AM
    I believe you will need to ask for the email scope.

    You should be able to add this to the existing scope.
  • Misty #
    Commented on 03-11-2014 at 9:21 AM
    and where i should add this
  • Commented on 03-11-2014 at 9:23 AM
    Um, did you read the blog post? It is one of the code samples, and documented. Please look again.
  • Misty #
    Commented on 03-11-2014 at 9:33 AM
    i followed exactly as your code, doing a copy/paste, but in your above demo too, no email address is showing,
  • Commented on 03-11-2014 at 9:35 AM
    You aren't getting it - the Scope value determines what you can get back. You need to add to it to get email support. See my comment a few things above.
  • Misty #
    Commented on 03-11-2014 at 10:20 AM
    okay, i read the full blog post, and the code too. even though it has ben specified anywhere about email and not even getting the one:

    what if we have a code which is doing a call to the api like this:

    <cffunction access="public" name="getProfileEmail" returntype="any" returnformat="json">
       <cfargument name="accesstoken" default="" required="yes" type="any">
    <cfhttp url=""...; method="get" resolveurl="yes" result="httpResult">
       <cfhttpparam type="header" name="Authorization" value="OAuth #arguments.accesstoken#">
    <cfhttpparam type="header" name="GData-Version" value="3">
    <cfreturn DeserializeJSON(httpResult.filecontent)>

    but this just shows me an a string value:

    what i need to change here to bring actual email address instead of this string
  • Misty #
    Commented on 03-11-2014 at 10:21 AM
    read this line even though it has ben specified anywhere about email and not even getting the one:


    even though it has not been specified anywhere about email and not even getting the one:
  • Misty #
    Commented on 03-11-2014 at 11:07 AM
    I tried again with this:

    cfhttp url="; method="get" resolveurl="yes" result="httpResult">
       <cfhttpparam type="header" name="Authorization" value="OAuth #access_token#">
    <cfhttpparam type="header" name="GData-Version" value="3">

    i get empty response as: {}

    does it have any dependency on verified response

    i tried in
  • Commented on 03-11-2014 at 12:20 PM
    Misty: Do you, or do you not, see the code portion that involves Scope. It is above. The comment above is talks about how you have to change it. None of your comments seem to imply you get that you have to change the scope - so can you please answer that?
  • Misty #
    Commented on 03-11-2014 at 12:43 PM
    Ray, I am following what you are saying, but the code below google may not support after sept 2014

    I use this:

    <cfset googleLogin = objLogin.initiate_login(
                loginUrlBase = "";,
                loginClientID = application.google_client_id,
                loginRedirectURI = application.google_redirecturl,
                loginScope = ";

    I get email with this, but if i use the

    i do not get the email in that
  • Commented on 03-11-2014 at 12:44 PM
    So your saying - you don't want to use this method. You want to use the method I described in G+? Or are you saying something else? I'm really confused here.
  • Misty #
    Commented on 03-11-2014 at 12:50 PM
    I do not want to use the method of Google+ u described in another post, wanna use the method the comments are posted in.
    i had to check many things before i make a complete rewrite of login with google+. right now, the old way of oauth2, going by google login side and fetching the contents
  • Commented on 03-11-2014 at 12:57 PM
    So... you don't want to use my method, and you don't want to use the G+ method. Then I don't know what to tell you. As I described, multiple times, the docs say you need to ask (via Scope) for email permission, and I've seen it work with my code. If you are using your own code, than I don't think I can help you more than I have tried to do so already.
  • Commented on 04-10-2014 at 10:39 AM
    Great Post Raymond.

    Any chance someone from the ColdFusion community could contribute code samples to Google's developer portal?
  • Commented on 04-10-2014 at 10:45 AM
    If somebody wants to submit it - I'm all for it.
  • Commented on 05-02-2014 at 4:08 PM
    I noticed you used localhost as the domain of your callback url. Is that actual code? My development server is behind a firewall, and it seems to be causing problems.
    At first I kept getting uri mismatch errors. I found a workaround for that by adding a url in my console and supplying that url as the callback parameter. That at least got me to Google's "Allow access" page. But then when I grant access I get "State values do not match" on the callback page.
    Any thoughts? Thanks!
  • Commented on 05-03-2014 at 9:59 AM
    For oauth redirect, the remote server sends a header back to the browser saying,"Go Here." For my testing then, localhost works fine. In a 'real' app, you would not do that of course. Thing is - a firewall should not impact that. If your browser can hit the URL, then it should just plain work.
  • Commented on 05-03-2014 at 10:55 AM
    OK, Thanks. I'll take another look at the code with a fresh set of eyes Monday.
  • Commented on 05-06-2014 at 3:28 PM
    Sure enough, even after triple- and quadruple-checking my callback url, i still had a typo in it. Works fine now. Thanks for the help.
  • Iftkhar #
    Commented on 06-27-2014 at 5:49 PM
    How can I get user email ?
  • Commented on 06-27-2014 at 9:34 PM
    The scope value determines what data is returned. You have to ask for email.

Post Reply

Please refrain from posting large blocks of code as a comment. Use Pastebin or Gists instead. Text wrapped in asterisks (*) will be bold and text wrapped in underscores (_) will be italicized.

Leave this field empty