ahlogin / google-gdata

Automatically exported from code.google.com/p/google-gdata

3-legged oauth - OAuthGetAccessToken - "The token is invalid". #384

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

Followed the steps to generate the access token using 3-legged authentication.
1. Supplied the consumer key and secret to generate request token - Pass.
2. Using the request token and secret along with consumer key and secret to
get the authorize URL - Pass.
3. Open the authorize Url in browser to get the user permission - Pass.
4. User granted permission.
5. Use the authorized request token and secret along with consumer key and
secret to generate the access token and secret - Failed.

What is the expected output? What do you see instead?
Should receive the valid access token and secret, but received "The token
is invalid." response from server.

Please use labels and text to provide additional information.

Step-1:
========================================================================
GET
/accounts/OAuthGetRequestToken?scope=https%3A%2F%2Fdocs.google.com%2Ffeeds%2F%20
https%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds%2F
HTTP/1.1
Authorization: OAuth
realm="",oauth_version="1.0",oauth_nonce="a6fea52aee124727a843dc5759a3f28a",oaut
h_timestamp="1274150563",oauth_consumer_key="test.com",oauth_callback="oob",oaut
h_signature_method="HMAC-SHA1",oauth_signature="vtRWuruBCVK1o1m6cpxRiLe2y9s%3d"
Host: www.google.com

oauth_token=4%2Fc5uj2GbYfOm-zSTIlb7YLC8yRC26&oauth_token_secret=qC1VrwSgMWLh7UmK
Z4tVLMFr&oauth_callback_confirmed=true

Step-2:
========================================================================
GET
/accounts/OAuthAuthorizeToken?oauth_token=4%2Fc5uj2GbYfOm-zSTIlb7YLC8yRC26
HTTP/1.1
Authorization: OAuth
realm="",oauth_version="1.0",oauth_nonce="306c1bddfe364fa1a479fc978dbe1afd",oaut
h_timestamp="1274150563",oauth_consumer_key="test.com",oauth_token="4%252Fc5uj2G
bYfOm-zSTIlb7YLC8yRC26",oauth_signature_method="HMAC-SHA1",oauth_signature="sh6W
AW%2fNQRGpUNoFFGUewVaxzGI%3d"

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Location:
https://www.google.com/a/UniversalLogin?continue=https%3A%2F%2Fwww.google.com%2F
accounts%2FOAuthAuthorizeToken%3Foauth_token%3D4%252Fc5uj2GbYfOm-zSTIlb7YLC8yRC2
6%26hd%3Ddefault&continue2=https%3A%2F%2Fwww.google.com%2Fa%2F%7B%7Bdomain%7D%7D
%2FOAuthAuthorizeToken%3Foauth_token%3D4%252Fc5uj2GbYfOm-zSTIlb7YLC8yRC26&spl=tr
ue&btmpl=authsub

Step-3:
========================================================================
GET
/a/UniversalLogin?continue=https%3A%2F%2Fwww.google.com%2Faccounts%2FOAuthAuthor
izeToken%3Foauth_token%3D4%252Fc5uj2GbYfOm-zSTIlb7YLC8yRC26%26hd%3Ddefault&conti
nue2=https%3A%2F%2Fwww.google.com%2Fa%2F%7B%7Bdomain%7D%7D%2FOAuthAuthorizeToken
%3Foauth_token%3D4%252Fc5uj2GbYfOm-zSTIlb7YLC8yRC26&spl=true&btmpl=authsub
HTTP/1.1

HTTP/1.1 302 Moved Temporarily
Expires: Mon, 01-Jan-1990 00:00:00 GMT
Location:
https://www.google.com/accounts/OAuthAuthorizeToken?oauth_token=4%2Fc5uj2GbYfOm-
zSTIlb7YLC8yRC26&hd=default

Step-4:
========================================================================
GET
/accounts/OAuthAuthorizeToken?oauth_token=4%2Fc5uj2GbYfOm-zSTIlb7YLC8yRC26&hd=de
fault
HTTP/1.1

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie:
SID=DQAAAJEAAABf0E3X8eCFmHtYCbIBmBnT_YcUHqIEPRbGrX3AtGbjCht0catFzlO1ZPBtcUi8S3Po
jrXC95R_-u-HNiV43URlbnZpWAnhYpQSOL_tIcl4sN_zzLhtmHO_QvSQlw5s_iTvLg9HFDy_7OPU6h0T
PcTa-R78qEZW0y2FB6nsyU6Pa52ts2g1xfsc6H5--m8-VWUPcQ5v7faoohlAysZfWajJ;Domain=.goo
gle.com;Path=/;Expires=Fri,
15-May-2020 02:43:49 GMT
Set-Cookie: LSID=EXPIRED;Domain=.google.com;Path=/;Expires=Mon, 01-Jan-1990
00:00:00 GMT
Set-Cookie: LSID=EXPIRED;Path=/;Expires=Mon, 01-Jan-1990 00:00:00 GMT
Set-Cookie: LSID=EXPIRED;Domain=www.google.com;Path=/accounts;Expires=Mon,
01-Jan-1990 00:00:00 GMT
Set-Cookie:
LSID=cl:DQAAAJQAAAD9uFQt3TIwqLDPJlGfqCw1duZDZUPD4pGnNjCSDhSwz9FnjiBoVIiWjtdHO4Ea
o8RR8RmfMG0JWd20l5EPJeZql0xW88i0hAx5E7c1P7AaLT9gGApQtCcI3I6DjBap0nwDbKoC9s61iI3B
oPA7s1S8BpKDwzTl8cwSQgT041ul4Hs6ARwRbAK74ZMuUwCAqi-18tFasWbUoTqheeF0gXv0;Path=/a
ccounts;Expires=Fri,
15-May-2020 02:43:49 GMT;Secure

Step-5:
========================================================================
POST /accounts/OAuthGetAccessToken HTTP/1.1
Authorization: OAuth
realm="",oauth_version="1.0",oauth_nonce="c8f17ae382184b599a353a55c7fa5e0a",oaut
h_timestamp="1274150588",oauth_consumer_key="test.com",oauth_verifier="hqBh3c4ZM
xyZeZf9DDJ4VpNp",oauth_token="4%252Fc5uj2GbYfOm-zSTIlb7YLC8yRC26",oauth_signatur
e_method="HMAC-SHA1",oauth_signature="UBRvN%2bnJGXW8vN1xNZfPJxfo%2fvU%3d"

HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=UTF-8

The token is invalid.

Original issue reported on code.google.com by anbu.fre...@gmail.com on 18 May 2010 at 3:02

GoogleCodeExporter commented 8 years ago
Are you using the .NET code to do all this?

If so, you might want to sync up with the current trunk and try again. I fixed some encoding issues that might have affected that. If that still happens, can you zip up a sample file to reproduce this so that I can debug the situation?

Frank Mantek
Google

Original comment by fman...@gmail.com on 26 May 2010 at 8:03
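
The Step-5 request in the report sends `oauth_token="4%252F..."`, which is the Step-1 response value `4%2F...` carrying a second layer of percent-encoding. The following check for that condition is an added Python example, not code from google-gdata; the function names are hypothetical and the two sample strings are copied (header abridged) from the traces above.

```python
import re
from urllib.parse import parse_qs, quote, unquote

# Sample data taken from the report: Step-1 response body, Step-5 header (abridged).
TOKEN_RESPONSE = ("oauth_token=4%2Fc5uj2GbYfOm-zSTIlb7YLC8yRC26"
                  "&oauth_token_secret=qC1VrwSgMWLh7UmKZ4tVLMFr"
                  "&oauth_callback_confirmed=true")
STEP5_HEADER = ('OAuth realm="",oauth_version="1.0",'
                'oauth_token="4%252Fc5uj2GbYfOm-zSTIlb7YLC8yRC26",'
                'oauth_signature_method="HMAC-SHA1"')

def oauth_encode(value):
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")

def parse_token_response(body):
    """Decode the form-encoded token response exactly once."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}

def parse_auth_header(header):
    """Return header parameters with one layer of percent-encoding removed."""
    return {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', header)}

def double_encoded(header, issued_token):
    """True if oauth_token still carries an encoding layer after one decode."""
    sent = parse_auth_header(header).get("oauth_token", "")
    return sent != issued_token and unquote(sent) == issued_token

def header_param(name, raw_value):
    """Header form: the raw value is encoded once."""
    return f'{name}="{oauth_encode(raw_value)}"'

def base_string_pair(name, raw_value):
    """Signature base string form: the encoded name=value pair is encoded again,
    so %252F is expected here and only here."""
    return oauth_encode(f"{oauth_encode(name)}={oauth_encode(raw_value)}")

if __name__ == "__main__":
    token = parse_token_response(TOKEN_RESPONSE)["oauth_token"]
    print("decoded token:      ", token)
    print("step-5 double-enc.: ", double_encoded(STEP5_HEADER, token))
    print("header should carry:", header_param("oauth_token", token))
    print("base string carries:", base_string_pair("oauth_token", token))
```

Keeping the token in decoded form between requests and encoding it only at the point of use avoids mixing up the two forms.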

GoogleCodeExporter commented 8 years ago
Hi Frank Mantek,

Thank you so much for fixing these issues.

I took the latest code, and it seems to compile successfully. But I found another issue: how should we pass the additional parameters in the following requests:

https://www.google.com/accounts/OAuthGetRequestToken
oauth_callback
xoauth_displayname

https://www.google.com/accounts/OAuthGetAccessToken
oauth_verifier

I tried to pass these parameters in the URL query values, but received a 400 bad
request error.

Sample Request/Response:
========================
GET
/accounts/OAuthGetRequestToken?scope=https%3A%2F%2Fdocs.google.com%2Ffeeds%2F%20
https%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds%2F&oauth_callback=oob&xoauth_displayna
me=Test%20App
HTTP/1.1
Authorization: OAuth
oauth_version="1.0",oauth_nonce="d729ae21401a4ff687e251cc1e365e1d",oauth_timesta
mp="1274900557",oauth_consumer_key="test.com",oauth_signature_method="HMAC-SHA1"
,oauth_signature="NB79q%2FVPLyTz83sqWIajM5EG2uc%3D"

HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=UTF-8
Date: Wed, 26 May 2010 19:03:52 GMT

We really appreciate your help.

Thanks
Anbu

Original comment by anbu.fre...@gmail.com on 26 May 2010 at 7:11

GoogleCodeExporter commented 8 years ago
It would really help, and make this easier and faster for me to debug, if you created a sample solution that shows the issue and attached it to this bug report. Right now I am guessing and need to spend a lot of time trying to figure out how you are doing what you are doing and where it might go wrong.

Please provide a code sample with a bogus auth for me.

Thank you

Frank Mantek

Original comment by fman...@gmail.com on 7 Jun 2010 at 2:45

GoogleCodeExporter commented 8 years ago
Thank you so much.

Please find the attached sample application; make sure to reference the necessary latest Google docs libraries.

The issue is, I'm not able to pass the additional parameters for a better user experience when requesting and authorizing tokens.

Additional Parameters:
======================
oauth_callback
xoauth_displayname
(https://www.google.com/accounts/OAuthGetRequestToken)

oauth_verifier
(https://www.google.com/accounts/OAuthGetAccessToken)

Thanks
Anbu

Original comment by anbu.me...@gmail.com on 8 Jun 2010 at 12:59

GoogleCodeExporter commented 8 years ago
Now I understand. You do not want to just authenticate, you want the whole "oauth dance". I don't have that in my code. I can only use tokens you already got.

I am going to work on this, but it will be a while. If you need that kind of code, you should download the open source oauth library; that one provides you with this.

Original comment by fman...@gmail.com on 22 Jun 2010 at 9:20