Thanks, Paul,

Yeah, we used OpenSSL to generate keys both times, so I have no idea
why the first pair was out of sync.  Oh well.  Thank you for looking
into it anyway.

Dan

On Nov 24, 2:52 pm, "Paul (Google)" <[email protected]> wrote:
> Hi Dan,
>
> Thanks a lot for posting a follow-up, and for the suggestion on
> refining the error message.  It looks like there are three possible
> causes of the "401: Invalid AuthSub Signature" error, which are a
> missing (cannot be loaded) private key, the client system time being
> out of sync, and the public cert and private key being out of sync.
> I've primarily seen the first situation with the Java GData client
> libraries, and it may not affect all client libraries.  For the time
> sync error, there presently may be a more informative error message
> (working to verify); although, I believe that it's still a 401
> response code.  The third situation seems to be the most common cause
> of the signature error.  There unfortunately isn't a way to retrieve a
> public key once it has been uploaded to the Manage Domains tool.
> However, using the OAuth Playground, a user can include a private key
> when testing the OAuth linkage, so the tool can be able to test a key
> and cert pair.
>
> http://googlecodesamples.com/oauth_playground/
>
> Thanks again!  Glad to hear you were able to work through the issue!
>
> Paul (Google)
>
> On Nov 24, 9:29 am, Dan Lowenthal <[email protected]> wrote:
>
> > Okay, really sorry.  I had a bad cert - the public and private keys
> > didn't match.  Still, some more feedback, rather than just a 401
> > error, would be nice. Maybe this should be documented better.
>
> > On Nov 23, 2:15 pm, Dan Lowenthal <[email protected]> wrote:
>
> > > Also, the time on our server is correct.
>
> > > On Nov 23, 1:20 pm, Dan Lowenthal <[email protected]> wrote:
>
> > > > I'm developing an online patient portal for Clarkson Eyecare, and I am
> > > > having an issue with getting permanent session tokens.
>
> > > > > I am attempting to send a request to
> > > > > https://www.google.com/accounts/AuthSubSessionToken
> > > > > using an auth token I obtained from this page:
> > > > > https://www.google.com/h9/authsub?scope=https%3A%2F%2Fwww.google.com%...
>
> > > > (note: the "next" target is a development page - it's not open to the
> > > > public)
>
> > > > I get the temporary, one-time auth token in our "next" page just fine.
> > > > However, every time I try to use it (and signature information) to
> > > > request a session token, I get an error 401.  The certificate
> > > > associated with the private key I'm using to generate the rsa-sha1
> > > > signature is definitely registered with our profile.
>
> > > > > I am using PHP to try to submit the data to AuthSubSessionToken.  I
> > > > > used http://gdatatips.blogspot.com/2008/07/secure-authsub-in-php.html
> > > > as a reference (it is referenced in many of these forum discussions),
> > > > and my code does essentially the same thing. One thing I noticed was
> > > > that it uses md5 to generate the nonce - md5 creates 128-bit results
> > > > encoded in hex, NOT 64-bit base 10 integers (which the documentation
> > > > says it should be). That being said, using a 64-bit long doesn't seem
> > > > to work either. Since I can't seem to get a more descriptive error
> > > > message, I tried to dig through the forums to see if anyone else had
> > > > these same issues; if it's out there, I couldn't find it.  Some people
> > > > got 401 errors, but they were usually either using the Java client or
> > > > Zend, and were usually issues finding or using the private key (which
> > > > I'm NOT having - the signature is generated just fine).  I don't want
> > > > to install Zend just to do this one process that should be a fairly
> > > > straightforward cURL call.
>
> > > > Here's an example Authorization header line for the data that was
> > > > sent:
> > > > > Authorization: AuthSub token="<auth token>"
> > > > > data="GET https://www.google.com/accounts/AuthSubSessionToken 1290539269
> > > > > 7ee5fa7cea605049d1c49c57cf136924" sig="<signature>" sigalg="rsa-sha1"
> > > > with <auth token> and <signature> obviously filled in with real
> > > > values.
>
> > > > Thank you in advance for your help,
> > > > Dan
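
A local check for the third cause named in Paul's reply (public cert and private key out of sync), added here as an example and not part of the original thread: it compares the RSA modulus of the two files, then signs an AuthSub-style data string with RSA-SHA1 and verifies it against the certificate's public key. The function names, the file arguments and the use of the `openssl` command line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Run as: sh check_pair.sh cert.pem key.pem

# Exit 0 only when the certificate and the RSA private key share a modulus.
pair_matches() {  # pair_matches CERT.pem KEY.pem
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 2
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Random 64-bit unsigned integer in decimal (md5 output would be 128-bit hex).
authsub_nonce() {
    od -An -N8 -tu8 /dev/urandom | tr -d ' \n'
}

# The signed string: method, URL, Unix timestamp and nonce, space-separated.
authsub_data() {  # authsub_data METHOD URL
    printf '%s %s %s %s' "$1" "$2" "$(date +%s)" "$(authsub_nonce)"
}

# Sign DATA with KEY using RSA-SHA1, then verify with the public key taken
# from CERT. Exit 0 only when the signature verifies.
sig_roundtrip() {  # sig_roundtrip CERT.pem KEY.pem DATA
    tmp=$(mktemp -d) || return 2
    printf '%s' "$3" | openssl dgst -sha1 -sign "$2" -out "$tmp/sig" 2>/dev/null &&
        openssl x509 -in "$1" -noout -pubkey >"$tmp/pub.pem" 2>/dev/null &&
        printf '%s' "$3" | openssl dgst -sha1 -verify "$tmp/pub.pem" \
            -signature "$tmp/sig" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    url='https://www.google.com/accounts/AuthSubSessionToken'
    if pair_matches "$1" "$2" && sig_roundtrip "$1" "$2" "$(authsub_data GET "$url")"; then
        echo "OK: certificate and private key match"
    else
        echo "MISMATCH: signatures from this key will not verify against this certificate" >&2
        exit 1
    fi
fi
```

Running this before uploading a certificate catches a mismatched pair locally, where the server would only answer with a 401.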
