Implementing Google OAuth in JSFiddle

Implementing Google OAuth for use with their APIs is simple with their API Client Library for JavaScript, if you are developing a normal webpage. If you want the functionality in a JSFiddle it’s a little more complex for several reasons. I have put together a demo on JSFiddle that shows how it can be accomplished!


I wanted to be able to include Google OAuth for API access in demos I create on JSFiddle. I did a few tests with the API Client Library for JavaScript provided by Google and ran into several issues with cross-site limitations and sandboxing. Since JSFiddle runs in sandboxed iframes, it limits access to navigation, URL reading and other things that client.js relies on to authenticate the user and get the token back. I found that if the user is already authenticated with Google and you set the immediate parameter to true it will work. That’s probably good enough for several demos but it’s not a clean solution, so I spent a few hours and came up with a solution. If the user isn’t already authenticated two new tabs will open up and nothing more will happen.


You need to set up a project in the Google Cloud Platform Console and get the clientID. You also need to set up Authorized redirect URIs that match your JSFiddle. Due to the iframe nature of JSFiddle you can’t use the address, since the result frame is being served from the domain. For this demo I set up these two redirect URIs:

One address for the case of direct access to the fiddle (someone finding it via Google, for example) and one if they navigate to it from my dashboard.

To get this to work I implemented the OAuth flow from the ground up. The demo uses jQuery, because it’s easier, but it can be done in pure JavaScript if you want to. I’m using the standard OAuth 2 flow where you send the user to Google for login with your client_id, redirect_uri and scope as query string parameters. The user authenticates with Google and gets redirected back to the provided redirect_uri with access_token, token_type and expires_in parameters as query string parameters. Google OAuth supports redirecting the user back to an http address but that’s no good from a security standpoint! JSFiddle does support https on all its fiddles so let’s make use of it!

Different than a standard JSFiddle

There are a few things that are different from a regular JSFiddle implementation, to create a safe demo that handles the iframe limitations.

  • Check for HTTPS
    This is just for making the demo safe. When Google returns the user to the site with the token as a query string parameter it is possible to intercept it if you don’t use HTTPS. A simple implementation of location.protocol == 'https:' checks if we are secure or not. This isn’t needed since you can send the user from an HTTP site to Google and get the user back on an HTTPS redirect. This is just put there to make a point of the HTTPS implementation.
  • The use of instead of
    Since the iframe with the result, where all the JavaScript is executed, is served from all the content needs to be served from there. If not the script can’t access the parent frame URL containing the access token returned from Google.

Points of interest in the code

  • Check for HTTPS
    As above this isn’t really needed since I can set the redirect_uri to whatever address I want as long as it’s specified in the cloud console.
  • Create the authentication link
    For this to work properly it needs to be a target="_blank" link. Navigation inside the iframe is blocked outside the jsfiddle domains. This is the reason why the demo needs to open a new tab to be able to return with the access token. The parameters at the top will set the basic information for building the link:

    var oAuthEndPoint = "";
    var oAuthClientID = "";
    var oAuthScope = "";

    Then we build the redirect uri from the current JSFiddle address. I implemented it this way to make it easy to fork it to create other demos based on this implementation. I use the a element for easy manipulation of the domain and path. Replacing the protocol and domain with

    // An <a> element parses the URL so the path can be read on its own
    var a = document.createElement('a');
    a.href = document.referrer;
    var redirect_uri = ['', a.pathname].join('');
    a = '';

    document.referrer is used to get the actual address of the fiddle from the parent frame, even if the domains don’t match at this point. An easy way to get around the same origin limitations of the iframe.

  • User clicks the authentication link/button
    The user is sent to Google to authenticate and allow the app access to the user information. The only scope requested in this demo is basic profile information.
  • User is returned to JSFiddle
    When the user is returned the fiddle will load all over again. So each time it loads it will check if HTTPS is used, and if so check for the URL parameter access_token. This is why we need to use the domain, it will make all the iframes of the fiddle load from the same domain, giving our script access to its parent. We need that access to grab the URL and extract the parameters. This function grabs different parameters from the URL of the parent frame:

    function GetURLParameter(sParam) {
        // Read the fragment (the part after '#') of the parent frame's URL
        var sPageURL = window.parent.location.hash.substring(1);
        var sURLVariables = sPageURL.split('&');

        // Return the value of the first name=value pair whose name matches
        for (var i = 0; i < sURLVariables.length; i++) {
            var sParameterName = sURLVariables[i].split('=');
            if (sParameterName[0] == sParam) {
                return sParameterName[1];
            }
        }
    }

  • Use the token for API access
    As soon as we have the token we can use that for accessing the API with a simple ajax request via this simple function:

    function LoadUserInfo(access_token, expires_in) {
        $.ajax({
            url: '',
            type: 'GET',
            dataType: 'json',
            headers: {
                // The access token is sent as a bearer token
                'Authorization': 'Bearer ' + access_token
            },
            success: function (data) {
                // Hide login

                // Populate demo, img and name
                $("#user_pic").attr("src", data.picture);

                // Show raw data
                for (var property in data) {
                    if (data.hasOwnProperty(property)) {
                        $("#raw_data").append("<b>" + property + "</b>" + data[property] + "<br/>");
                    }
                }

                // Display demo
            },
            error: function () {
                $('#demo').html('<p>An error has occurred</p>');
            }
        });
    }
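
The link-building and token-parsing steps above, as an added example that is not the demo's own code: it goes beyond the post by adding an OAuth 2 `state` value that is checked on return, URL-decoding the fragment, and rejecting malformed responses. The endpoint, client id and fiddle addresses are constructed placeholders, `response_type=token` is the implicit-grant parameter from RFC 6749, and keeping `state` between the click and the return is left to the caller.

```javascript
// Constructed placeholders: not the real endpoint or a real client id.
const ENDPOINT = 'https://auth.example/authorize';
const CLIENT_ID = 'EXAMPLE_CLIENT_ID';

// Random, unguessable value that the authorization server echoes back.
function newState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// Same idea as the post's <a>-element trick: keep the fiddle path,
// force a fixed https origin (hypothetical origin supplied by the caller).
function redirectUriFromReferrer(referrer, httpsOrigin) {
  return httpsOrigin + new URL(referrer).pathname;
}

// Build the link that is opened in a new tab.
function buildAuthUrl(redirectUri, scope, state) {
  if (new URL(redirectUri).protocol !== 'https:') {
    throw new Error('redirect_uri must be https');
  }
  const url = new URL(ENDPOINT);
  url.search = new URLSearchParams({
    client_id: CLIENT_ID, redirect_uri: redirectUri,
    response_type: 'token', scope: scope, state: state
  }).toString();
  return url.toString();
}

// Parse the fragment of the returned URL and reject anything unexpected.
function parseTokenFragment(hash, expectedState, nowMs) {
  const p = new URLSearchParams(hash.replace(/^#/, ''));
  if (p.has('error')) throw new Error('authorization failed: ' + p.get('error'));
  if (!expectedState || p.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  if ((p.get('token_type') || '').toLowerCase() !== 'bearer') {
    throw new Error('unexpected token_type');
  }
  const token = p.get('access_token');
  const ttl = Number(p.get('expires_in'));
  if (!token || !Number.isInteger(ttl) || ttl <= 0) {
    throw new Error('malformed token response');
  }
  // expiresAt lets the caller stop using the token once it has expired
  return { accessToken: token, expiresAt: nowMs + ttl * 1000 };
}
```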


So there are a few limitations with this approach. You get a token that is valid for 3600 seconds (one hour) and implementing code for renewing it without losing state is not possible. So if the user has started creating something and the token expires, renewing it will end up in a reload of the fiddle. The other, smaller limitation is that there will always be a second tab opened to authenticate the user.

You also need to set the code as base in the fiddle at all times; redirects to a version number like /3 will make the redirect back from Google fail!

Any thoughts, questions or suggestions? Please share in the comments below!

Complete JSFiddle demo

2 Comments on “Implementing Google OAuth in JSFiddle”

  1. Good job man. I forked your work to call Google Contacts API, it got stuck at Access-Control-Allow-Origin error. Any ideas?


    • Thanks! If I remember correctly you need to add to allowed origins when you set it up on the Google API side. The fiddle is served via an iframe from that domain. Use the console in your browser’s dev tools and it will tell you what domain name is violating and you can add that.

