subdomains and 2LO - broken...?

[Jan Zawadzki / Hapara]

We can't seem to get a valid token when using 2LO in a subdomain
configuration using the parent domain auth settings and child domain
accounts:

Parent: X.COM, domain auth enabled, key X.COM, secret ABC

Child: Y.X.COM, user Z

Trying to access Docs as user Z...@Y.X.COM using the X.COM key and ABC
secret. Fails every time with 401- "Token invalid - Invalid AuthSub
token"

Can anyone point to source code that does this? Is it just not
supported?

No such limitations are mentioned on http://www.google.com/support/a/bin/answer.py?answer=182081...

Thanks!

Jan

[Jan Zawadzki / Hapara]

Note in the issue log: http://code.google.com/a/google.com/p/apps-api-issues/issues/detail?id=2886

Sample code that demonstrates the problem:

CON_KEY = 'Y.COM'
CON_SECRET = '####'
user = 'valid...@X.Y.COM'

import gdata.docs.client
import gdata.docs.data

dclient = gdata.docs.client.DocsClient(source='Test')
dclient.auth_token = gdata.gauth.TwoLeggedOAuthHmacToken(CON_KEY,
CON_SECRET, user)
dclient.ssl = True
print dclient.GetResources(uri='https://docs.google.com/feeds/default/
private/full/folder:root/contents')

[Jay Lee]

Hi Jan,

Try going to "Manage third party OAuth Client access" under Advanced Tools. In the "Client Name" put your full primary domain name, in the API scopes, put https://docs.google.com/feeds/. Hit Authorize and you should see it listed in the client list below.

Re-run your sample code after doing this. Manually authorizing the Docs scope should allow subdomain utilization.

Jay

[Gunjan Sharma]

Hello Jan

In order to request 2LO you have to authorize the scope as Jay said in his post. The docs list API has no readonly scope so when you authorize this scope you will give both read and write access to the users in the domain. Please let us know if this doesn't works for you.

Thanks

Gunjan Sharma

[Jan Zawadzki / Hapara]

Thanks Jay, Gunjan - will try this next!

Cheers

Jan