Hi Dan,

Thanks a lot for posting a follow-up, and for the suggestion on refining the error message.

It looks like there are three possible causes of the "401: Invalid AuthSub Signature" error, which are a missing (cannot be loaded) private key, the client system time being out of sync, and the public cert and private key being out of sync.

I've primarily seen the first situation with the Java GData client libraries, and it may not affect all client libraries. For the time sync error, there presently may be a more informative error message (working to verify), although I believe that it's still a 401 response code. The third situation seems to be the most common cause of the signature error.

There unfortunately isn't a way to retrieve a public key once it has been uploaded to the Manage Domains tool. However, using the OAuth Playground, a user can include a private key when testing the OAuth linkage, so the tool can test a key and cert pair.
http://googlecodesamples.com/oauth_playground/

Thanks again! Glad to hear you were able to work through the issue!

Paul (Google)

On Nov 24, 9:29 am, Dan Lowenthal <[email protected]> wrote:
> Okay, really sorry. I had a bad cert - the public and private keys
> didn't match. Still, some more feedback, rather than just a 401
> error, would be nice. Maybe this should be documented better.
>
> On Nov 23, 2:15 pm, Dan Lowenthal <[email protected]> wrote:
>
> > Also, the time on our server is correct.
>
> > On Nov 23, 1:20 pm, Dan Lowenthal <[email protected]> wrote:
>
> > > I'm developing an online patient portal for Clarkson Eyecare, and I am
> > > having an issue with getting permanent session tokens.
>
> > > I am attempting to send a request
> > > to https://www.google.com/accounts/AuthSubSessionToken
> > > using an auth token I obtained from this
> > > page: https://www.google.com/h9/authsub?scope=https%3A%2F%2Fwww.google.com%...
>
> > > (note: the "next" target is a development page - it's not open to the
> > > public)
>
> > > I get the temporary, one-time auth token in our "next" page just fine.
> > > However, every time I try to use it (and signature information) to
> > > request a session token, I get an error 401. The certificate
> > > associated with the private key I'm using to generate the rsa-sha1
> > > signature is definitely registered with our profile.
>
> > > I am using PHP to try to submit the data to AuthSubSessionToken. I
> > > used http://gdatatips.blogspot.com/2008/07/secure-authsub-in-php.html
> > > as a reference (it is referenced in many of these forum discussions),
> > > and my code does essentially the same thing. One thing I noticed was
> > > that it uses md5 to generate the nonce - md5 creates 128-bit results
> > > encoded in hex, NOT 64-bit base 10 integers (which the documentation
> > > says it should be). That being said, using a 64-bit long doesn't seem
> > > to work either.
> > > Since I can't seem to get a more descriptive error
> > > message, I tried to dig through the forums to see if anyone else had
> > > these same issues; if it's out there, I couldn't find it. Some people
> > > got 401 errors, but they were usually either using the Java client or
> > > Zend, and were usually issues finding or using the private key (which
> > > I'm NOT having - the signature is generated just fine). I don't want
> > > to install Zend just to do this one process that should be a fairly
> > > straightforward cURL call.
>
> > > Here's an example Authorization header line for the data that was
> > > sent:
> > > Authorization: AuthSub token="<auth token>"
> > > data="GEThttps://www.google.com/accounts/AuthSubSessionToken1290539269
> > > 7ee5fa7cea605049d1c49c57cf136924" sig="<signature>" sigalg="rsa-sha1"
> > > with <auth token> and <signature> obviously filled in with real
> > > values.
>
> > > Thank you in advance for your help,
> > > Dan
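
Added example (not part of the original thread, and not Google's or the poster's code): a local preflight in PHP that catches the mismatched cert/key case discussed above before any request is sent. The helper names, the generated test keys and the space-separated layout of the data string are assumptions made for this sketch.

```php
<?php
// Added example: local preflight for secure AuthSub signing. All keys are
// generated here as constructed test data; nothing is sent over the network.

function new_rsa_key() {
    return openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA,
                             'private_key_bits' => 2048]);
}

function self_signed_cert($key) {
    $csr = openssl_csr_new(['commonName' => 'authsub-preflight.example'], $key,
                           ['digest_alg' => 'sha256']);
    return openssl_csr_sign($csr, null, $key, 30, ['digest_alg' => 'sha256']);
}

// Assumed layout: method, URL, timestamp and nonce joined by single spaces.
function authsub_data($method, $url) {
    $nonce = random_int(0, PHP_INT_MAX); // base-10 integer that fits in 64 bits
    return sprintf('%s %s %d %d', $method, $url, time(), $nonce);
}

// Returns the base64 signature, or throws if the key and cert do not pair up.
function preflight_sign($data, $privateKey, $cert) {
    if (!openssl_x509_check_private_key($cert, $privateKey)) {
        throw new RuntimeException('private key does not match the certificate');
    }
    if (!openssl_sign($data, $sig, $privateKey, OPENSSL_ALGO_SHA1)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    // Verify with the cert's public key, which is all the server side holds.
    $pub = openssl_pkey_get_public($cert);
    if (openssl_verify($data, $sig, $pub, OPENSSL_ALGO_SHA1) !== 1) {
        throw new RuntimeException('signature does not verify against the cert');
    }
    return base64_encode($sig);
}

$registeredKey = new_rsa_key();
$cert = self_signed_cert($registeredKey); // stands in for the uploaded cert
$otherKey = new_rsa_key();                // stands in for a mismatched key

$data = authsub_data('GET', 'https://www.google.com/accounts/AuthSubSessionToken');
$sig = preflight_sign($data, $registeredKey, $cert);
printf("Authorization: AuthSub token=\"<auth token>\" data=\"%s\" sig=\"%s\" sigalg=\"rsa-sha1\"\n",
       $data, $sig);

try {
    preflight_sign($data, $otherKey, $cert);
} catch (RuntimeException $e) {
    echo 'mismatched pair rejected: ', $e->getMessage(), "\n";
}
```

In real use, load the deployed private key and the certificate that was uploaded in place of the generated ones; a failure here points at the key/cert pair rather than at the token or the clock.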
