Hi Erick,

I've got another data point for further consideration. If, after I fetch a
new access token, I don't try to use it for a while (like 10 minutes), then when I
come back to my computer and try to fetch data with it again I get the data
instead of the 403 Forbidden Error. I haven't changed anything. When first
fetching the token and attempting to get the data, I hit refresh in my
browser and it gives me the 403; I leave the browser open and return a
little later and hit refresh again and it gives me the data...

Shawn

On Mon, Oct 6, 2008 at 3:45 PM, Shawn Kessler <[EMAIL PROTECTED]> wrote:

> Hi Erick,
>
> Thx for the suggestions. I've rewritten the code so that it only includes
> the OAuth parameters in the header but I still received the 401 error. So I
> used the playground you linked to get an access token from your system.
> Once I got an access token I copied from the playground application to my
> application and was successfully able to fetch the requested data. At that
> point I was certain there must be something wrong with the token I've been
> saving. As it turns out I was escaping the token twice so / became %2F and
> then %252F and really was an invalid token. However now that I've fixed that
> little problem I get a new problem. I now get a 403 Forbidden Error (with no
> OAuth specific error message returned in the response). Can you tell me what
> conditions might cause your system to respond with a 403?
>
> The full error message with the 403 is:
>
> HTTP/1.1 403 Forbidden
> Content-Type: text/plain; charset=UTF-8
> Transfer-Encoding: chunked
> Date: Mon, 06 Oct 2008 22:32:52 GMT
> Expires: Mon, 06 Oct 2008 22:32:52 GMT
> Cache-Control: private, max-age=0
> Set-Cookie: S=weaver=xPHtYk1ZCLY; Domain=.google.com; Path=/
> Server: GFE/1.3
>
> Oops an error has occured.
>
> Please include the following information in your error report:
>
>
> On Sun, Oct 5, 2008 at 7:19 PM, Eric (Google) <[EMAIL PROTECTED]> wrote:
>
>>
>> Hi Shawn,
>>
>> Are you still receiving 401's when querying the profiles feed?
>>
>> This may be an issue with your request and base string
>> not matching.  I see you're sending the oauth_* parameters
>> in the Authorization header AND the query string.
>> Try using one or the other, but I recommend the Authorization
>> header.  Your request would become:
>>
>> GET /h9/feeds/profile/default/-/medication
>> Authorization OAuth ...
>>
>> You can also test using the OAuth Playground to
>> help verify your base string and headers:
>> http://googlecodesamples.com/oauth_playground/
>>
>> Note: change the oauth_consumer_key to your own
>> domain and enter your own private key by clicking
>> 'use your own private key'
>>
>> Regarding the AuthSub realm:
>> This is a known issue across all of the Google Data APIs
>> and we're working on getting that error message
>> updated--so you can ignore it.  I assure you the request
>> is hitting the OAuth handler.
>>
>> Eric
>>
>> On Oct 3, 2:07 pm, Shawn Kessler <[EMAIL PROTECTED]> wrote:
>> > It's probably also important to note that my access token was
>> > authorized for scope=https://www.google.com/h9/feeds/
>> >
>> > Thanks again,
>> > Shawn
>> >
>> > On Oct 3, 12:11 pm, "Shawn Kessler" <[EMAIL PROTECTED]> wrote:
>> >
>> > > One difference I noticed is that I wasn't including the oauth_version
>> in my
>> > > request. I've added that and have the same results. So now I have the
>> > > following request:
>> >
>> > >https://www.google.com/h9/feeds/profile/default/-/medication?oauth_to.
>> ..
>> >
>> > > And my header is:
>> > > GET
>> > >
>> /h9/feeds/profile/default/-/medication?oauth_token=1%252FtpyFG2wRxCue1KA8RmQTMQwS51WsrmNKmhHfTNxEWro&oauth_consumer_key=
>> www.pharmasurveyor.com
>> > >
>> &oauth_signature_method=RSA-SHA1&oauth_timestamp=1223060790&oauth_nonce=171594414794547&oauth_version=1.0&oauth_signature=qV1dkOSmzesJDe2CjITM9%2BzLH%2FLLbYkutNwT0BpVX%2BZfC7iljnFANyooi%2FIaKot5mYQNpPNVlexNKj4%2BNPurreaZ20BBA%2FzIZMXxRKPLMRGUr%2Fa2dxyHMRpEypTQ8WO8D%2FIal%2FHWQuZrxklBI7YeE7rPgTFiT97sAOOvsxUCTUM%3D
>> > > Authorization: OAuth
>> > > oauth_token="1%252FtpyFG2wRxCue1KA8RmQTMQwS51WsrmNKmhHfTNxEWro",
>> > > oauth_consumer_key="www.pharmasurveyor.com",
>> > > oauth_signature_method="RSA-SHA1", oauth_timestamp="1223060790",
>> > > oauth_nonce="171594414794547", oauth_version="1.0",
>> > >
>> oauth_signature="qV1dkOSmzesJDe2CjITM9%2BzLH%2FLLbYkutNwT0BpVX%2BZfC7iljnFANyooi%2FIaKot5mYQNpPNVlexNKj4%2BNPurreaZ20BBA%2FzIZMXxRKPLMRGUr%2Fa2dxyHMRpEypTQ8WO8D%2FIal%2FHWQuZrxklBI7YeE7rPgTFiT97sAOOvsxUCTUM%3D"
>> > > User-Agent: Jakarta Commons-HttpClient/3.1
>> > > Host: www.google.com
>> >
>> > > to which Google is responding with:
>> > > HTTP/1.1 401 Token invalid - Invalid AuthSub token.
>> > > WWW-Authenticate: AuthSub realm="
>> http://www.google.com/accounts/AuthSubRequest";
>> > > Content-Type: text/html; charset=UTF-8
>> > > Date: Fri, 03 Oct 2008 19:07:44 GMT
>> > > Expires: Fri, 03 Oct 2008 19:07:44 GMT
>> > > Cache-Control: private, max-age=0
>> > > Content-Length: 199
>> > > Set-Cookie: S=weaver=7oYjORQ5cZc; Domain=.google.com; Path=/
>> > > Server: GFE/1.3
>> >
>> > > Do I need to set the realm to something specific in my header to use
>> OAuth?
>> > > I don't see that mentioned in the documentation anywhere but it still
>> looks
>> > > like my request keeps getting handled by the AuthSub request handler
>> instead
>> > > of the OAuth request handler.
>> >
>> > > Thanks again for any help.
>> >
>> > > Shawn
>> >
>> > > On Fri, Oct 3, 2008 at 9:30 AM, Shawn Kessler <[EMAIL PROTECTED]>
>> wrote:
>> > > > Thanks for the help Erick. This project had been put on hold but I'm
>> back
>> > > > to it now. I successfully registered the domain with h9 and can now
>> get an
>> > > > OAuth Access token. However I haven't been able to successfully
>> request any
>> > > > data with that token so I'm back looking for more help. I go through
>> the
>> > > > token exchange process and this is the final response I get from h9
>> (during
>> > > > token exchange):
>> >
>> > > >
>> oauth_token=1%2FtpyFG2wRxCue1KA8RmQTMQwS51WsrmNKmhHfTNxEWro&oauth_token_secret=BJzcOyqnDYQNK%2BqhKySzGHga
>> >
>> > > > At this point I look in my h9 test user profile and see that my
>> account has
>> > > > been successfully linked.
>> >
>> > > > Now when I create a request for data like so:
>> >
>> > > >
>> https://www.google.com/h9/feeds/profile/default/-/medication?oauth_to...
>> >
>> > > > h9 responds with:
>> > > > HTTP/1.1 401 Token invalid - Invalid AuthSub token.
>> > > > WWW-Authenticate: AuthSub realm="
>> > > >http://www.google.com/accounts/AuthSubRequest";
>> > > > Content-Type: text/html; charset=UTF-8
>> > > > Date: Fri, 03 Oct 2008 16:10:19 GMT
>> > > > Expires: Fri, 03 Oct 2008 16:10:19 GMT
>> > > > Cache-Control: private, max-age=0
>> > > > Content-Length: 199
>> > > > Set-Cookie: S=weaver=7OP11q2-f5c; Domain=.google.com; Path=/
>> > > > Server: GFE/1.3
>> >
>> > > > What's not 100% clear to me is if Google fully supports OAuth (from
>> token
>> > > > creation all the way through making requests for data) or if I can
>> only use
>> > > > the OAuth implementation to get the token but then have to revert to
>> AuthSub
>> > > > style requests for data (with the token I got via OAuth).
>> >
>> > > > I'm not sure what else to do, the code I'm using has worked
>> successfully
>> > > > with another OAuth provider and I don't appear to have any way from
>> my test
>> > > > user account to see what value Google has for my token (would this
>> be a
>> > > > useful debugging capability in h9?). Should I be using a different
>> URL when
>> > > > requesting data via OAuth; the error message makes it sound like
>> Google is
>> > > > expecting the parameters to be formatted in a manner that AuthSub
>> > > > understands which may not be the same as how OAuth wants them
>> formatted.
>> > > > Any help or suggestions here would be greatly appreciated.
>> >
>> > > > Shawn
>> >
>> > > > On Mon, Aug 25, 2008 at 1:33 PM, Eric (Google) <[EMAIL PROTECTED]
>> >wrote:
>> >
>> > > >> Hi Shawn,
>> >
>> > > >> Great questions.  We currently don't have OAuth documented
>> > > >> for the Health API, so I'll try and answer your questions here.
>> >
>> > > >> On Aug 25, 10:34 am, Shawn Kessler <[EMAIL PROTECTED]> wrote:
>> > > >> > Hello,
>> >
>> > > >> > I'm currently trying to use the OAuth authentication with Google
>> > > >> > Health. I've done steps one through three that Jerry posted
>> > > >> > (http://groups.google.com/group/googlehealthdevelopers/browse_thread/thread/aa2482e8c76a84a7)
>> > > >> > but step
>> > > >> > four has stumped me. All of the documentation I can find on how
>> to use
>> > > >> > h9 seems to only directly apply to the SubAuth authentication
>> with
>> > > >> > little notes about OAuth intermixed (notes like: "you can also
>> use
>> > > >> > OAuth," which aren't incredibly helpful.) Is there some
>> documentation
>> > > >> > that gives step by step instructions on how to use h9 in
>> conjunction
>> > > >> > with OAuth? If not, perhaps my question can be answered here. As
>> of
>> > > >> > right now I have two domains registered on the "regular" Google
>> site.
>> > > >> > The domains are registered, verified and my certificate has been
>> > > >> > uploaded. I have a Java app running in Tomcat that is making a
>> > > >> > successful request to https://www.google.com/accounts/OAuthGetRequestToken?...
>> > > >> > scope=http%3A%2F%2Fwww.google.com%2Fh9%2Ffeeds%2Fprofile%2Fdefault
>> >
>> > > >> You should use a broader scope, and for HTTPS:
>> > > >> https://www.google.com/h9/feeds/
>> >
>> > > >> For example, if you use https://www.google.com/h9/feeds/profile/default,
>> > > >> your application won't be able to POST notices at
>> > > >> https://www.google.com/h9/feeds/register/default
>> >
>> > > >> > This request is returning successfully and eventually I'm
>> redirected
>> > > >> > to the weaver login page. When I login (with the account that has
>> been
>> > > >> > approved for testing) the browser displays an error page that
>> says:
>> >
>> > > >> > Error
>> > > >> > Invalid Usage
>> > > >> > Sharing denied: unregistered provider domain:www.mydomain.com
>> >
>> > > >> > I'm assuming the problem is that my domain isn't registered on
>> weaver,
>> > > >> > only on the real site. So two questions. 1) When testing on h9
>> should
>> > > >> > I be using this URL:
>> > > >> > https://www.google.com/accounts/OAuthGetRequestToken
>> > > >> > or should I be using something more like
>> > > >> > https://www.google.com/h9/accounts/OAuthGetRequestToken
>> > > >> > and 2) where do I register my domains so that they work on weaver or
>> > > >> > do I have to use http://localhost? If I have to use localhost then I
>> > > >> > have a bunch of other questions but I'll wait for your initial
>> answers
>> > > >> > before going there.
>> >
>> > > >> 1.) You should use https://www.google.com/accounts/OAuthGetRequestToken,
>> > > >> OAuthAuthorizeToken, and OAuthGetAccessToken for the token endpoints.
>> > > >> You'll automatically be redirected from OAuthAuthorizeToken to Health's
>> > > >> special oauth handler at https://www.google.com/(h9|health)/oauth
>> >
>> > > >> 2.) The Health API has an additional registration process.
>> > > >> Send an email to [EMAIL PROTECTED] and include a list of
>> > > >> the subdomains you plan to use.
>> >
>> > > >> > For the sake of testing my own theory I changed my code to use the
>> > > >> > real google health feed instead:
>> > > >> > https://www.google.com/accounts/OAuthGetRequestToken?...
>> > > >> > scope=http%3A%2F%2Fwww.google.com%2Fhealth%2Ffeeds%2Fprofile%2Fdefault
>> >
>> > > >> > This resulted in the exact same behavior (Invalid Usage error).
>> >
>> > > >> > I double checked my domains and they are registered with enhanced
>> > > >> > security and I followed the steps here:
>> > > >>
>> http://code.google.com/apis/accounts/docs/RegistrationForWebAppsAuto....
>> > > >> > including step 5 (Test your registration status.), which
>> succeeded.
>> >
>> > > >> You have to be white-listed for API calls to /health, so only use
>> /h9
>> > > >> URIs for now.
>> >
>> > > >> > If I change my oauth_consumer_key value from www.mydomain.com to a bad
>> > > >> > domain name www.baddomain.com then I never reach the login page (I get
>> get
>> > > >> > a bad oauth_consumer_key error before even getting the chance to
>> > > >> > login). So I feel confident that the authentication process is
>> > > >> > recognizing my domain but for some reason the domain isn't fully
>> > > >> > registered to be used with Google Health. I'm not sure what to do
>> to
>> > > >> > fix this.
>> >
>> > > >> > As reference I've read through these two pages:
>> > > >> > http://code.google.com/apis/accounts/docs/OAuth.html http://code.googl...
>> >
>> > > >> > Thanks for your help,
>> > > >> > Shawn
>> >
>> > > > --
>> > > > Hate is baggage.
>> >
>> > > >http://www.robynkesslerphotography.com
>> >
>> > > --
>> > > Hate is baggage.
>> >
>> > >http://www.robynkesslerphotography.com
>> >>
>>
>
>
> --
> Hate is baggage.
>
> http://www.robynkesslerphotography.com
>



-- 
Hate is baggage.

http://www.robynkesslerphotography.com
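
The double-escaping described in the quoted 6 Oct message (`/` became `%2F`, then `%252F`), worked through as an added example that is not part of the thread or Google's code: decode the token-exchange response once, encode once for the `Authorization` header, and note that the signature base string is the one place `%252F` is expected. The token, secret, consumer key and nonce are constructed sample values, and `looks_pre_encoded` is a hypothetical heuristic check.

```python
import re
from urllib.parse import parse_qsl, quote

def pct(value):
    # OAuth 1.0 encoding: escape everything except RFC 3986 unreserved characters.
    return quote(value, safe="-._~")

def parse_token_response(body):
    # The token-exchange body is form-encoded: decode it exactly once, store the raw value.
    return dict(parse_qsl(body, strict_parsing=True))

def looks_pre_encoded(value):
    # Heuristic (assumption): %XX escapes left in a stored value mean it was never decoded.
    return re.search(r"%[0-9A-Fa-f]{2}", value) is not None

def authorization_header(oauth_params):
    # Raw values are encoded once, here and nowhere else; escaped input is refused.
    for name, value in oauth_params.items():
        if looks_pre_encoded(value):
            raise ValueError(f"{name} is already percent-encoded: {value!r}")
    pairs = sorted(oauth_params.items())
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in pairs)

def signature_base_string(method, url, params):
    # Pairs are encoded and sorted, then the joined string is encoded again, so a
    # "/" in the token legitimately appears as %252F here, and only here.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

# Constructed sample values, not the token or key from the thread.
TOKEN_RESPONSE = "oauth_token=1%2FconstructedTokenValue&oauth_token_secret=constructed%2Bsecret"
FEED_URL = "https://www.google.com/h9/feeds/profile/default/-/medication"

def build_request():
    token = parse_token_response(TOKEN_RESPONSE)["oauth_token"]
    params = {
        "oauth_consumer_key": "www.example.com",
        "oauth_nonce": "constructednonce1",
        "oauth_signature_method": "RSA-SHA1",
        "oauth_timestamp": "1223060790",
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    # oauth_signature (computed over the base string) would be added to the header last.
    return token, authorization_header(params), signature_base_string("GET", FEED_URL, params)

if __name__ == "__main__":
    for part in build_request():
        print(part)
```
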
