Google OAuth WildCard Domains

Question

I am using the google auth but keep getting an origin mismatch. The project I am working has sub domains that are generated by the user. So for example there can be:

john.example.com
henry.example.com
larry.example.com

In my app settings I have one of my origins being http://*.example.com but I get an origin mismatch. Is there a way to solve this? Btw my code looks like this:

 gapi.auth.authorize({
                        client_id : 'xxxxx.apps.googleusercontent.com',
                        scope : ['https://www.googleapis.com/auth/plus.me',
state: 'http://henry.example.com', 
'https://www.googleapis.com/auth/userinfo.email', 'https://www.googleapis.com/auth/userinfo.profile'],
                        immediate : false
                    }, function(result) {

                        if (result != null) {
                            gapi.client.load('oath2', 'v2', function() {
                                console.log(gapi.client);
                                gapi.client.oauth2.userinfo.get().execute(function(resp) {
                                    console.log(resp);
                                });
                            });




}
                });

Answer 1

Hooray for useful yet unnecessary workarounds (thanks for complicating yourself into a corner Google)....

I was using Google Drive using the javascript api to open up the file picker, retrieve the file info/url and then download it using curl to my server. Once I finally realized that all my wildcard domains would have to be registered, I about had a stroke.

What I do now is the following (this is my use case, cater it to yours as you need to)

1. On the page that you are on, create an onclick event to open up a new window in a specific domain (https://googledrive.example.com/oauth/index.php?unique_token={some unique token}).

2. On the new popup I did all my google drive authentication, had a button to click which opened the file picker, then retrieved at least the metadata that I needed from the file. Then I stored the token (primary key), access_token, downloadurl and filename in my database (MySQL).

3. Back on step one's page, I created a setTimeout() loop that would run an ajax call every second with that same unique_token to check when it had been entered in the database. Once it finds it, I kill the loop and then retrieve the contents and do with them as I will (in this case I uploaded them through a separate upload script that uses curl to fetch the file).

This is obviously not the best method for handling this, but it's better than entering each and every subdomain into googles cloud console. I bet you can probably do this with googles server side oauth libraries they use, but my use case was a little complicated and I was cranky cause I was frustrated at the past 4 days I've spent on a silly little integration with google.