RE: [dotnetopenauth] Re: DNOA using OAuth 2 for getting infos from google


Andrew Arnott

Jul 23, 2012, 10:18:16 AM
to Fred, dotnet...@googlegroups.com
It should work, considering Google themselves ship an OAuth2 client sample for .NET that uses DNOA underneath.  But I'll build a test and see what happens.

Sent from my Windows Phone

From: Fred
Sent: 7/23/2012 4:26 AM
To: dotnet...@googlegroups.com
Subject: [dotnetopenauth] Re: DNOA using OAuth 2 for getting infos from google

Any ideas?
 
Is the current implementation of DotNetOpenAuth compatible with Google's implementation, or is my problem due to the fact that OAuth 2 isn't final yet?
 
Wishes,
Manfred

On Monday, July 23, 2012 at 00:23:00 UTC+2, Fred wrote:
Hi,
 
I'm trying to access info from a Google account using DNOA and OAuth 2. I managed to receive an access_code via my callback URL, but when I try to get a token for it using ProcessUserAuthorization, Google responds with a 400 Bad Request.
 
Below I place the info from the log.
 
What's wrong here?


Wishes,

Fred

 

2012-07-22 23:59:30,841 (GMT+2) [8] INFO  DotNetOpenAuth.Messaging.Channel - Prepared outgoing AccessTokenAuthorizationCodeRequestC (2.0) message for https://accounts.google.com/o/oauth2/token:
 code: 4/1d8s68ygIOBtte-Furt6QZPT1AFI.sqjLPoQNiZIfsNf4jSVKMpaseHphcQI
 redirect_uri: https://localhost/RP/Secure/OAuth
 grant_type: authorization_code

2012-07-22 23:59:30,841 (GMT+2) [8] DEBUG DotNetOpenAuth.Messaging.Channel - Sending AccessTokenAuthorizationCodeRequestC request.
2012-07-22 23:59:30,841 (GMT+2) [8] DEBUG DotNetOpenAuth.Messaging.Channel - Sending AccessTokenAuthorizationCodeRequestC request.
2012-07-22 23:59:31,512 (GMT+2) [8] DEBUG DotNetOpenAuth.Http - HTTP POST https://accounts.google.com/o/oauth2/token
2012-07-22 23:59:31,512 (GMT+2) [8] DEBUG DotNetOpenAuth.Http - HTTP POST https://accounts.google.com/o/oauth2/token
2012-07-22 23:59:32,465 (GMT+2) [8] ERROR DotNetOpenAuth.Http - WebException from https://accounts.google.com/o/oauth2/token:
{
  "error" : "invalid_request"
}

 
 

--
You received this message because you are subscribed to the Google Groups "DotNetOpenAuth" group.
To view this discussion on the web visit https://groups.google.com/d/msg/dotnetopenid/-/2u4W9KtYFUcJ.
To post to this group, send email to dotnet...@googlegroups.com.
To unsubscribe from this group, send email to dotnetopenid...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/dotnetopenid?hl=en.

Fred

Jul 23, 2012, 3:58:52 PM
to dotnet...@googlegroups.com, Fred
Hi Andrew,
 
What is the URL of this sample? I just found one using a rich client, but I try to use a web client. Meanwhile I found out that Google replies with a valid token when I construct the request by hand using Fiddler, but I'm not able to make DNOA do the same.

I also place my solution, which is, as it seems, pretty close to the DNOA sample, below, just in case.
 
Thx and wishes,
Fred
 
 

8<-------
 
public class AuthHelper
{
    public static AuthorizationServerDescription GetAuthServerDescription()
    {
        var authServerDescription = new AuthorizationServerDescription();
        authServerDescription.AuthorizationEndpoint = new Uri(@"https://accounts.google.com/o/oauth2/auth");
        authServerDescription.TokenEndpoint =         new Uri(@"https://accounts.google.com/o/oauth2/token");
        authServerDescription.ProtocolVersion =       ProtocolVersion.V20;
           
        return authServerDescription;
    }
    public static WebServerClient CreateClient()
    {
           
        var desc = GetAuthServerDescription();
        return new WebServerClient(desc,
                    clientIdentifier: "some.number.apps.googleusercontent.com",
                    clientSecret: "something_with_underscore_and_a_to_z_and_0_to_9");
    }
}

8<-------
public class SecureController : Controller
{
    static WebServerClient client = AuthHelper.CreateClient();
    public ActionResult OAuth()
    {
        if (string.IsNullOrEmpty(Request.QueryString["code"]))
        {
            return InitAuth();
        }
        else
        {
            return OAuthCallback();
        }
           
    }
    private ActionResult InitAuth()
    {
        var uri = Request.Url.AbsoluteUri;
        uri = RemoveQueryStringFromUri(uri);
        var state = new AuthorizationState();
        state.Callback = new Uri(uri);
        state.Scope.Add("https://www.googleapis.com/auth/userinfo.profile");
        state.Scope.Add("https://www.googleapis.com/auth/userinfo.email");
        var response = client.PrepareRequestUserAuthorization(state);
           
        return response.AsActionResult();
    }
    private static string RemoveQueryStringFromUri(string uri)
    {
        int index = uri.IndexOf('?');
        if (index > -1)
        {
            uri = uri.Substring(0, index);
        }
        return uri;
    }
    private ActionResult OAuthCallback()
    {
        // This leads to the Protocol-Exception :-(
        var auth = client.ProcessUserAuthorization(this.Request);
        Session["auth"] = auth;
        return Content("Success!");
    }
}

Andrew Arnott

Jul 23, 2012, 9:14:12 PM
to dotnet...@googlegroups.com, Fred
The one Google ships is here: https://code.google.com/p/google-api-dotnet-client/wiki/OAuth2  But IIRC they use a very old DNOA build and I actually have a fork of their project that uses the latest one.

As for DNOA failing while your own Fiddler-crafted request succeeds, can you please describe the differences in the request that you observe in Fiddler? (Or include both failing and succeeding fiddler trace files?)
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

Fred

Jul 24, 2012, 12:33:52 PM
to dotnet...@googlegroups.com, Fred
Hi Andrew,
 
I think Google expects credentials within the message. If there are no credentials, it replies with a 400 instead of sending a 401. On the other hand, I think DNOA only sends credentials after it got a 401.

[1] is the request DNOA created in my case; [2] is the response to it. When I include the credentials (see [3]) in the message according to [4], everything works fine.
 
What to do now?
 
Wishes,
Fred
 
[1]

POST https://accounts.google.com/o/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: DotNetOpenAuth/4.1.0.12182
Host: accounts.google.com
Cache-Control: no-store,no-cache
Pragma: no-cache
Content-Length: 158
Expect: 100-continue
Connection: Keep-Alive

code=4%2FbiqWK38xZ5p_sRPqCahWqggwmQYN.os6DXXaAEkgUsNf4jSVKMpbEaYpzcQI&redirect_uri=https%3A%2F%2Flocalhost%2FRP%2FSecure%2FOAuth&grant_type=authorization_code

 

[2]
HTTP/1.1 400 Bad Request
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Tue, 24 Jul 2012 16:13:11 GMT
Content-Type: application/json
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 33

{
  "error" : "invalid_request"
}

[3]

POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded

code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
client_id=8819981768.apps.googleusercontent.com&
client_secret={client_secret}&
redirect_uri=https://oauth2-login-demo.appspot.com/code&
grant_type=authorization_code

[4] https://developers.google.com/accounts/docs/OAuth2WebServer
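
A check for the difference between [1] and [3], as an added example that is not part of the original thread or of DNOA: it classifies a captured token request by how it carries the client credentials. The type and method names are hypothetical, and the sample requests are constructed with placeholder values.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public enum ClientAuth { None, BasicHeader, PostBody }

public static class TokenRequestCheck // hypothetical helper, not part of DNOA
{
    // Reports how a captured OAuth 2 token request authenticates the client.
    public static ClientAuth Classify(string rawRequest)
    {
        // Headers and body are separated by the first blank line.
        string[] parts = rawRequest.Replace("\r\n", "\n")
            .Split(new[] { "\n\n" }, 2, StringSplitOptions.None);
        string body = parts.Length > 1 ? parts[1] : string.Empty;

        // Skip the request line, then look for "Authorization: Basic ...".
        bool basic = parts[0].Split('\n').Skip(1).Any(h =>
            h.StartsWith("Authorization:", StringComparison.OrdinalIgnoreCase) &&
            h.Substring("Authorization:".Length).TrimStart()
             .StartsWith("Basic ", StringComparison.OrdinalIgnoreCase));
        if (basic) return ClientAuth.BasicHeader;

        // Collect form field names; Trim tolerates bodies wrapped after '&' as in [3].
        var names = new HashSet<string>(body.Split('&')
            .Select(p => Uri.UnescapeDataString(p.Split('=')[0].Trim())));
        return names.Contains("client_id") && names.Contains("client_secret")
            ? ClientAuth.PostBody
            : ClientAuth.None;
    }

    public static void Main()
    {
        // Constructed samples shaped like [1] and [3]; every value is a placeholder.
        string withoutCreds =
            "POST /o/oauth2/token HTTP/1.1\nHost: accounts.google.com\n" +
            "Content-Type: application/x-www-form-urlencoded\n\n" +
            "code=EXAMPLE_CODE&redirect_uri=https%3A%2F%2Flocalhost%2FRP%2FSecure%2FOAuth" +
            "&grant_type=authorization_code";
        string withCreds = withoutCreds +
            "&client_id=EXAMPLE_ID&client_secret=EXAMPLE_SECRET";

        Console.WriteLine(Classify(withoutCreds));
        Console.WriteLine(Classify(withCreds));
    }
}
```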

 

Andrew Arnott

Jul 24, 2012, 8:06:55 PM
to dotnet...@googlegroups.com, Fred
Thanks, Fred.  I think Google is following the OAuth 2 spec here (although the error should probably be "invalid_client" instead of "invalid_request"), and DNOA isn't responding to the HTTP 400 error as you say.  Thanks very much for doing this investigation and reporting your findings.  Getting DNOA to respond to HTTP 400 appropriately is something we can certainly do.  HttpWebRequest strips out the Authorization header when I try to put it into the initial request -- it's as if .NET refuses to send it except in response to an HTTP 401 response.  So we may have to throw HttpWebRequest out and use something else -- that might actually require that we take a dependency on .NET 4.0.  Hmmm... This requires more thought.

Fred, can you please file a bug for this?  https://github.com/dotnetopenauth/dotnetopenauth/issues

Thanks.

Fred

Jul 24, 2012, 11:32:07 PM
to dotnet...@googlegroups.com, Fred
Hi Andrew,
 
I've filed a bug at [1] and attached some suggestions for solving this issue (without requiring .NET 4).

Is it possible to attach a custom form parameter? If yes, I could quickly solve this issue in my demo code by passing the credentials within the payload.
 
Wishes,
Manfred
 

Andrew Arnott

Jul 25, 2012, 12:34:12 AM
to dotnet...@googlegroups.com, Fred
Thanks, Fred.  I forgot that yes, you can force the client creds to be included as a form parameter.  Just set the client's ClientCredentialApplicator property to ClientCredentialApplicator.PostParameter(secret) and you'll get the behavior you're asking for.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre



Ethan

Jul 26, 2012, 8:50:44 PM
to dotnet...@googlegroups.com, Fred
Thanks Andrew and Fred... I just ran into this same problem and the ClientCredentialApplicator property fixed it. 
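
The fix Andrew describes and Ethan confirms, applied to Fred's AuthHelper, as an added example that is not code from the thread or from the DNOA project. It assumes a DNOA build that exposes the ClientCredentialApplicator property as Andrew describes; the class name, the RequireSetting helper and the appSettings keys GoogleClientId and GoogleClientSecret are hypothetical.

```csharp
using System;
using System.Configuration;
using DotNetOpenAuth.OAuth2;

public static class GoogleOAuthClientFactory // hypothetical name
{
    public static WebServerClient CreateClient()
    {
        var server = new AuthorizationServerDescription
        {
            AuthorizationEndpoint = new Uri("https://accounts.google.com/o/oauth2/auth"),
            TokenEndpoint = new Uri("https://accounts.google.com/o/oauth2/token"),
            ProtocolVersion = ProtocolVersion.V20,
        };

        // Assumption: the credentials live in appSettings under these
        // hypothetical keys instead of being hard-coded in source.
        string clientId = RequireSetting("GoogleClientId");
        string clientSecret = RequireSetting("GoogleClientSecret");

        var client = new WebServerClient(
            server, clientIdentifier: clientId, clientSecret: clientSecret);

        // The fix from this thread: put client_id and client_secret into the
        // token request's form body, so the first POST already authenticates
        // the client instead of waiting for an HTTP 401 challenge.
        client.ClientCredentialApplicator =
            ClientCredentialApplicator.PostParameter(clientSecret);
        return client;
    }

    // Fails fast when a credential is missing, so a blank secret is never sent.
    private static string RequireSetting(string key)
    {
        string value = ConfigurationManager.AppSettings[key];
        if (string.IsNullOrEmpty(value))
        {
            throw new ConfigurationErrorsException("Missing appSetting: " + key);
        }
        return value;
    }
}
```

With PostParameter the secret travels in the POST body, so any logging or proxy capture of token-endpoint request bodies will contain it.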