I think I've solved the problem. When I reach the confirm linking account page when using my application I get the following message: You are preparing to give *www.pharmasurveyor.com* ongoing access to send information to your profile. If you decide to link accounts, www.pharmasurveyor.com will *not* be able to see information in your profile, but it will be able to send updates unless you decide to unlink the accounts.
When I use the playground I get a different message: You are preparing to give *www.pharmasurveyor.com* ongoing access to read your *entire* profile and send information to it. If you decide to link accounts, your profile will continue to be shared with www.pharmasurveyor.com unless you decide to unlink the accounts. So I took a look at the authorization url the playground uses and noticed that it has permission=1 tacked onto the end of the URL. Looking at the documentation here: http://code.google.com/apis/accounts/docs/OAuth.html I can't find any reference to what this parameter does. I also looked here: http://code.google.com/apis/accounts/docs/AuthSub.html but again came up empty handed. Is there documentation somewhere that explains that parameter? I added permission=1 to the end of my authorization URL and my app works as expected and all is well in the world. Perhaps the documentation needs to be updated to clarify what the parameter is and how it is used. I suspect there may be a bug in your system that is changing the permissions on *all *tokens associated with a service when permission=1 is used to create a new token. Shawn On Tue, Oct 7, 2008 at 10:50 AM, Shawn Kessler <[EMAIL PROTECTED]> wrote: > Hi Erick, > > The timing thing is wrong. What really happened is the following: > > In my app I request an access token and save it. > When I use it to request data I get a 403 Forbidden Response from Google > Then I go to the play ground and request an access token (without ever > revoking the one I got from my app) > Now when I request data using my token requested from my app (not the one > from the playground) I get the data instead of the 403 > > Yesterday I probably played around in the playground for ten minutes then > went back and hit refresh in my app and assumed it was a timing thing as > opposed to something the playground did, but I've done this multiple times > today and as soon as I get a token from the playground my other token > becomes valid as well. > > So something that the playground is doing is making my token (generated in > a different app) valid. > > I can't find anything in the documentation that says I need to do something > after receiving my access token and before requesting data so I'm clueless > as to what it is the playground could possibly be doing, and even if there > was a step between getting the access token and using it I wouldn't think > that process would affect all tokens currently out for the user; I'd expect > it to only do what ever it is doing on the token it just received. > > Shawn > > > On Mon, Oct 6, 2008 at 4:38 PM, Shawn Kessler <[EMAIL PROTECTED]> wrote: > >> Hi Erick, >> >> I've got another data point for further consideration. If after I fetch a >> new access token I don't try to use it for a while (like 10 minutes) when I >> come back to my computer and try to fetch data with it again I get the data >> instead of the 403 Forbidden Error. I haven't changed anything, when first >> fetching the token and attempting to get the data I hit refresh in my >> browser and it gives me the 403, I leave the browser open and return a >> little later and hit refresh again and it gives me the data... >> >> Shawn >> >> >> On Mon, Oct 6, 2008 at 3:45 PM, Shawn Kessler <[EMAIL PROTECTED]> wrote: >> >>> Hi Erick, >>> >>> Thx for the suggestions. I've rewritten the code so that it only includes >>> the OAuth parameters in the header but I still received the 401 error. So I >>> used the the playground you linked to get an access token from your system. >>> Once I got an access token I copied from the playground application to my >>> application and was successfully able to fetch the requested data. At that >>> point I was certain there must be something wrong with the token I've been >>> saving. As it turns out I was escaping the token twice so / became %2F and >>> then %252F and really was an invalid token. However now that I've fixed that >>> little problem I get a new problem. I now get a 403 Forbidden Error (with no >>> OAuth specific error message returned in the response). Can you tell me what >>> conditions might cause your system to respond with a 403? >>> >>> The full error message with the 403 is: >>> >>> HTTP/1.1 403 Forbidden >>> Content-Type: text/plain; charset=UTF-8 >>> Transfer-Encoding: chunked >>> Date: Mon, 06 Oct 2008 22:32:52 GMT >>> Expires: Mon, 06 Oct 2008 22:32:52 GMT >>> Cache-Control: private, max-age=0 >>> Set-Cookie: S=weaver=xPHtYk1ZCLY; Domain=.google.com; Path=/ >>> Server: GFE/1.3 >>> >>> Oops an error has occured. >>> >>> Please include the following information in your error report: >>> >>> >>> AP52v_QbMeK9WKvER86KzJwDJnBeSAZpz6ITTJJn2oDzeC4dzOnMbW07pHj1tUakTPnqxRwRDT_x0_Z3-bYKgT7Rf4PwND-92IMdogyz2gJLKtsMfW9oeO79dhH-GlDKfryeFd1gJlC1TnfGCXNqwYv8KDgLTpw_p9HMIvaOwHA4AGRi9Qy0kLYpY99CuVnoiar1cG-P_TeLwNTU3RgzOFPrnaXCq2OSUQkg2fX7TCNAn9lFM4YwjxSJcMN19OjnuBxV6qCk5poNHwtochcP7SPBS9JpxiGuTlVui9Vf-WTQFvcwBLbdNLzI0r_e8PeR-AMA0IQ_E5-S3GDEJWXlKPm2_g4B0nRx4-iLX0LOun4SOIfwzq3YSllyRB-MDugEi4Y0TT8NYl_dDEt1oLDmTn7GhjL7HMQNV5FP3WDCldLZXrazodR65cvz2of7qUoUf6kFFTLugHB2du7pqNFjnxH-5i1orPgRIxy3xk4okTs0TPcl8nmjDGnzKuMl580E1tu9ZrAhaaHX_qGOIFB6886PRyBpiWXvbuF2ioAEEDXMGT3IXoNDKqL0-ESAP47PMMr5Ko6-pG0Uxhm99K0mhYyYtqtOHdDRYPERlU47xJT5E2rr4cwZ-pB4kgUlSGOmWdVWanpipdLN2JCkbKUk6CbN110TO977B--4J9HeBnVcG1CCmxzZnW1NfL0oW7SLpzPeHqspETD1-8oTwgCskaJu6c1IhFHtgl8QlsmL5LIABO8tBDwrcJ6KoU148K0umkWBUGRDp_nw0KQOrNgmm_Nvzvql2YvF9jpWT1aqmmNBA2xDhbaODMgqDWpfz-AuzQelSCXcKCkL6zBCujnxDTjy9UxsG-ZzUxXRuJkV29dxkC1cz2s2V3MwlbhFdbs6MqMXabhpxjBKqti5B1zkz9OTwuSxA1rATBrXcJyBPl5KbrykOw94D6vkDz2BrtJcDEKdygpYGSWIqlVeRAwno350VHj-NNPPh8n9vbV5HMSEzEOXzxVtnsOZ2XSbUvsrQda5eooHsLBZmDJD7K4YZWKvo1FUnqblCHsYPPYs5hcjmXpi69sbVwFmmgPBZxbvengvFgzFKSvPkeaE21_xFHkVjddvB-PCl4spQpgxQy4zmDiVMqS65n7hKD5jq7jCCAGnnGt7FUIn3UjGTKkFHTzeSnYNkyTtFZ5RITNZEHKub4UAiqZ8RFvlkhWJ8KOKhnpd5zxKuE2Ku7zYmvzCwCVk-UDfgGdYUaHQGwMEg0GEDTPysXPy4j3O3keGKTgx3gOL6zsS0CyJqqSJgq5XbfSwxt4R4ZtjlnDypnbrgnzdLnRhpRHWrO6gg8rGuQVd8AQnm3UQJTiysfFmP4G6zHbnSSQf0OVzVDfYxlPadEVvgmwLMygedNaVcEWMLp1XYMjVHkvj7oA1kLLI45XP9croamaCkU2Ajh5hy5MlZvcaCEP1naM6SYo= >>> >>> >>> >>> On Sun, Oct 5, 2008 at 7:19 PM, Eric (Google) <[EMAIL PROTECTED]>wrote: >>> >>>> >>>> Hi Shawn, >>>> >>>> Are you still receiving 401's when querying the profiles feed? >>>> >>>> This may be an issue with your request and base string >>>> not matching. I see you're sending the oauth_* parameters >>>> in the Authorization header AND the query string. >>>> Try using one or the other, but I recommend the Authorization >>>> header. Your request would become: >>>> >>>> GET /h9/feeds/profile/default/-/medication >>>> Authorization OAuth ... >>>> >>>> You can also test using the OAuth Playground to >>>> help verify your base string and headers: >>>> http://googlecodesamples.com/oauth_playground/ >>>> >>>> Note: change the oauth_consumer_key to your own >>>> domain and enter your own private key by clicking >>>> 'use your own private key' >>>> >>>> Regarding the AuthSub realm: >>>> This is a known issue across all of the Google Data APIs >>>> and we're working on getting that error message >>>> updated--so you can ignore it. I assure you the request >>>> is hitting the OAuth handler. >>>> >>>> Eric >>>> >>>> On Oct 3, 2:07 pm, Shawn Kessler <[EMAIL PROTECTED]> wrote: >>>> > It's probably also important to note that my access token was >>>> > authorized for scope=https://www.google.com/h9/feeds/ >>>> > >>>> > Thanks again, >>>> > Shawn >>>> > >>>> > On Oct 3, 12:11 pm, "Shawn Kessler" <[EMAIL PROTECTED]> wrote: >>>> > >>>> > > One difference I noticed is that I wasn't including the >>>> oauth_version in my >>>> > > request. I've added that and have the same results. So now I have >>>> the >>>> > > following request: >>>> > >>>> > > >>>> https://www.google.com/h9/feeds/profile/default/-/medication?oauth_to. >>>> .. >>>> > >>>> > > And my header is: >>>> > > GET >>>> > > >>>> /h9/feeds/profile/default/-/medication?oauth_token=1%252FtpyFG2wRxCue1KA8RmQTMQwS51WsrmNKmhHfTNxEWro&oauth_consumer_key= >>>> www.pharmasurveyor.com >>>> > > >>>> &oauth_signature_method=RSA-SHA1&oauth_timestamp=1223060790&oauth_nonce=171594414794547&oauth_version=1.0&oauth_signature=qV1dkOSmzesJDe2CjITM9%2BzLH%2FLLbYkutNwT0BpVX%2BZfC7iljnFANyooi%2FIaKot5mYQNpPNVlexNKj4%2BNPurreaZ20BBA%2FzIZMXxRKPLMRGUr%2Fa2dxyHMRpEypTQ8WO8D%2FIal%2FHWQuZrxklBI7YeE7rPgTFiT97sAOOvsxUCTUM%3D >>>> > > Authorization: OAuth >>>> > > oauth_token="1%252FtpyFG2wRxCue1KA8RmQTMQwS51WsrmNKmhHfTNxEWro", >>>> > > oauth_consumer_key="www.pharmasurveyor.com", >>>> > > oauth_signature_method="RSA-SHA1", oauth_timestamp="1223060790", >>>> > > oauth_nonce="171594414794547", oauth_version="1.0", >>>> > > >>>> oauth_signature="qV1dkOSmzesJDe2CjITM9%2BzLH%2FLLbYkutNwT0BpVX%2BZfC7iljnFANyooi%2FIaKot5mYQNpPNVlexNKj4%2BNPurreaZ20BBA%2FzIZMXxRKPLMRGUr%2Fa2dxyHMRpEypTQ8WO8D%2FIal%2FHWQuZrxklBI7YeE7rPgTFiT97sAOOvsxUCTUM%3D" >>>> > > User-Agent: Jakarta Commons-HttpClient/3.1 >>>> > > Host:www.google.com >>>> > >>>> > > to which Google is responding with: >>>> > > HTTP/1.1 401 Token invalid - Invalid AuthSub token. >>>> > > WWW-Authenticate: AuthSub realm=" >>>> http://www.google.com/accounts/AuthSubRequest"; >>>> > > Content-Type: text/html; charset=UTF-8 >>>> > > Date: Fri, 03 Oct 2008 19:07:44 GMT >>>> > > Expires: Fri, 03 Oct 2008 19:07:44 GMT >>>> > > Cache-Control: private, max-age=0 >>>> > > Content-Length: 199 >>>> > > Set-Cookie: S=weaver=7oYjORQ5cZc; Domain=.google.com; Path=/ >>>> > > Server: GFE/1.3 >>>> > >>>> > > Do I need to set the realm to something specific in my header to use >>>> OAuth? >>>> > > I don't see that mentioned in the documentation anywhere but it >>>> still looks >>>> > > like my request keeps getting handled by the AuthSub request handler >>>> instead >>>> > > of the OAuth request handler. >>>> > >>>> > > Thanks again for any help. >>>> > >>>> > > Shawn >>>> > >>>> > > On Fri, Oct 3, 2008 at 9:30 AM, Shawn Kessler <[EMAIL PROTECTED]> >>>> wrote: >>>> > > > Thanks for the help Erick. This project had been put on hold but >>>> I'm back >>>> > > > to it now. I successfully registered the domain with h9 and can >>>> now get an >>>> > > > OAuth Access token. However I haven't been able to successfully >>>> request any >>>> > > > data with that token so I'm back looking for more help. I go >>>> through the >>>> > > > token exchange process and this is the final response I get from >>>> h9 (during >>>> > > > token exchange): >>>> > >>>> > > > >>>> oauth_token=1%2FtpyFG2wRxCue1KA8RmQTMQwS51WsrmNKmhHfTNxEWro&oauth_token_secret=BJzcOyqnDYQNK%2BqhKySzGHga >>>> > >>>> > > > At this point I look in my h9 test user profile and see that my >>>> account has >>>> > > > been successfully linked. >>>> > >>>> > > > Now when I create a request for data like so: >>>> > >>>> > > > >>>> https://www.google.com/h9/feeds/profile/default/-/medication?oauth_to. >>>> .. >>>> > >>>> > > > h9 responds with: >>>> > > > HTTP/1.1 401 Token invalid - Invalid AuthSub token. >>>> > > > WWW-Authenticate: AuthSub realm=" >>>> > > >http://www.google.com/accounts/AuthSubRequest"; >>>> > > > Content-Type: text/html; charset=UTF-8 >>>> > > > Date: Fri, 03 Oct 2008 16:10:19 GMT >>>> > > > Expires: Fri, 03 Oct 2008 16:10:19 GMT >>>> > > > Cache-Control: private, max-age=0 >>>> > > > Content-Length: 199 >>>> > > > Set-Cookie: S=weaver=7OP11q2-f5c; Domain=.google.com; Path=/ >>>> > > > Server: GFE/1.3 >>>> > >>>> > > > What's not 100% clear to me is if Google fully supports OAuth >>>> (from token >>>> > > > creation all the way through making requests for data) or if I can >>>> only use >>>> > > > the OAuth implementation to get the token but then have to revert >>>> to AuthSub >>>> > > > style requests for data (with the token I got via OAuth). >>>> > >>>> > > > I'm not sure what else to do, the code I'm using has worked >>>> successfully >>>> > > > with another OAuth provider and I don't appear to have any way >>>> from my test >>>> > > > user account to see what value Google has for my token (would this >>>> be a >>>> > > > useful debugging capability in h9?). Should I be using a different >>>> URL when >>>> > > > requesting data via OAuth; the error message makes it sound like >>>> Google is >>>> > > > expecting the parameters to be formatted in a manner that AuthSub >>>> > > > understands which may not be the same as how OAuth wants them >>>> formattted. >>>> > > > Any help or suggestions here would be greatly appreciated. >>>> > >>>> > > > Shawn >>>> > >>>> > > > On Mon, Aug 25, 2008 at 1:33 PM, Eric (Google) < >>>> [EMAIL PROTECTED]>wrote: >>>> > >>>> > > >> Hi Shawn, >>>> > >>>> > > >> Great questions. We currently don't have OAuth documented >>>> > > >> for the Health API, so I'll try and answer your questions here. >>>> > >>>> > > >> On Aug 25, 10:34 am, Shawn Kessler <[EMAIL PROTECTED]> wrote: >>>> > > >> > Hello, >>>> > >>>> > > >> > I'm currently trying to use the OAuth authentication with >>>> Google >>>> > > >> > Health. I've done steps one through three that Jerry posted >>>> (http:// >>>> > > >> > >>>> groups.google.com/group/googlehealthdevelopers/browse_thread/thread/ >>>> > > >> > aa2482e8c76a84a7) but step >>>> > > >> > four has stumped me. All of the documentation I can find on how >>>> to use >>>> > > >> > h9 seems to only directly apply to the SubAuth authentication >>>> with >>>> > > >> > little notes about OAuth intermixed (notes like: "you can also >>>> use >>>> > > >> > OAuth," which aren't incredibly helpful.) Is there some >>>> documentation >>>> > > >> > that gives step by step instructions on how to use h9 in >>>> conjunction >>>> > > >> > with OAuth? If not, perhaps my question can be answered here. >>>> As of >>>> > > >> > right now I have two domains registered on the "regular" Google >>>> site. >>>> > > >> > The domains are registered, verified and my certificate has >>>> been >>>> > > >> > uploaded. I have a Java app running in Tomcat that is making a >>>> > > >> > successful request tohttps:// >>>> > > >>www.google.com/accounts/OAuthGetRequestToken?... >>>> > > >> > scope=http%3A%2F%2Fwww.google.com >>>> %2Fh9%2Ffeeds%2Fprofile%2Fdefault >>>> > >>>> > > >> You should use a broader scope, and for HTTPS: >>>> > > >>https://www.google.com/h9/feeds/ >>>> > >>>> > > >> For example, if you usehttps:// >>>> www.google.com/h9/feeds/profile/default, >>>> > > >> your application won't be able to POST notices at >>>> > > >>https://www.google.com/h9/feeds/register/default >>>> > >>>> > > >> > This request is returning successfully and eventually I'm >>>> redirected >>>> > > >> > to the weaver login page. When I login (with the account that >>>> has been >>>> > > >> > approved for testing) the browser displays an error page that >>>> says: >>>> > >>>> > > >> > Error >>>> > > >> > Invalid Usage >>>> > > >> > Sharing denied: unregistered provider domain:www.mydomain.com >>>> > >>>> > > >> > I'm assuming the problem is that my domain isn't registered on >>>> weaver, >>>> > > >> > only on the real site. So two questions. 1) When testing on h9 >>>> should >>>> > > >> > I be using this URL: >>>> > > >>https://www.google.com/accounts/OAuthGetRequestToken >>>> > > >> > or should I be using something more likehttps:// >>>> > > >>www.google.com/h9/accounts/OAuthGetRequestToken >>>> > > >> > and 2) where do I register my domains so that they work on >>>> weaver or >>>> > > >> > do I have to usehttp://localhost?IfIhave to use localhost then >>>> I >>>> > > >> > have a bunch of other questions but I'll wait for your initial >>>> answers >>>> > > >> > before going there. >>>> > >>>> > > >> 1.) You should use >>>> https://www.google.com/accounts/OAuthGetRequestToken, >>>> > > >> OAuthAuthorizeToken, and OAuthGetAccessToken for the token >>>> endpoints. >>>> > > >> You'll automatically be redirected from OAuthAuthorizeToken to >>>> > > >> Health's >>>> > > >> special oauth handler >>>> > > >> athttps://www.google.com/(h9|health)/oauth<http://www.google.com/%28h9%7Chealth%29/oauth> >>>> <https://www.google.com/%28h9%7Chealth%29/oauth> >>>> > >>>> > > >> 2.) The Health API has an additional registration process. >>>> > > >> Send an email to [EMAIL PROTECTED] and include a >>>> list of >>>> > > >> the subdomains you plan to use. >>>> > >>>> > > >> > For the sake of testing my own theory I changed my code to use >>>> the >>>> > > >> > real google health feed instead: >>>> > > >>https://www.google.com/accounts/OAuthGetRequestToken?... >>>> > > >> > scope=http%3A%2F%2Fwww.google.com >>>> %2Fhealth%2Ffeeds%2Fprofile%2Fdefault >>>> > >>>> > > >> > This resulted in the exact same behavior (Invalid Usage error). >>>> > >>>> > > >> > I double checked my domains and they are registered with >>>> enhanced >>>> > > >> > security and I followed the steps here: >>>> > > >> >>>> http://code.google.com/apis/accounts/docs/RegistrationForWebAppsAuto.. >>>> .. >>>> > > >> > including step 5 (Test your registration status.), which >>>> succeeded. >>>> > >>>> > > >> You have to be white-listed for API calls to /health, so only use >>>> /h9 >>>> > > >> URIs for now. >>>> > >>>> > > >> > If I change my oauth_consumer_key value >>>> fromwww.mydomain.comtoabad >>>> > > >> > domain namewww.baddomain.comthenInever reach the login page (I >>>> get >>>> > > >> > a bad oauth_consumer_key error before even getting the chance >>>> to >>>> > > >> > login). So I feel confident that the authentication process is >>>> > > >> > recognizing my domain but for some reason the domain isn't >>>> fully >>>> > > >> > registered to be used with Google Health. I'm not sure what to >>>> do to >>>> > > >> > fix this. >>>> > >>>> > > >> > As reference I've read through these two pages: >>>> > > >> >>>> http://code.google.com/apis/accounts/docs/OAuth.htmlhttp://code.googl... >>>> .. >>>> > > >> .. >>>> > >>>> > > >> > Thanks for you help, >>>> > > >> > Shawn >>>> > >>>> > > > -- >>>> > > > Hate is baggage. >>>> > >>>> > > >http://www.robynkesslerphotography.com >>>> > >>>> > > -- >>>> > > Hate is baggage. >>>> > >>>> > >http://www.robynkesslerphotography.com >>>> >>>> >>>> >>> >>> >>> -- >>> Hate is baggage. >>> >>> http://www.robynkesslerphotography.com >>> >> >> >> >> -- >> Hate is baggage. >> >> http://www.robynkesslerphotography.com >> > > > > -- > Hate is baggage. > > http://www.robynkesslerphotography.com > -- Hate is baggage. http://www.robynkesslerphotography.com --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google Health Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/googlehealthdevelopers?hl=en -~----------~----~----~----~------~----~------~--~---
