API Migration 2.3 > 2.4 - 401 Unauthorized

[Roberdup]

Hello !

Following Google Announcement, I'm migrating from Google Analytics API 2.3 to 2.4 using OAuth 1.0... 

Problems start when I'm querying data. I always got this 401 error :

HTTP/1.1 401 Unauthorized
WWW-Authenticate: AuthSub realm="https://www.google.com/accounts/AuthSubRequest" allowed-scopes="https://www.googleapis.com/auth/analytics.readonly,https://www.googleapis.com/auth/analytics"
Content-Type: application/vnd.google.gdata.error+xml; charset=UTF-8
Date: Tue, 26 Jun 2012 08:36:59 GMT
Expires: Tue, 26 Jun 2012 08:36:59 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Transfer-Encoding: chunked

<?xml version="1.0" encoding="UTF-8"?>
<errors xmlns="http://schemas.google.com/g/2005">
<error>
  <domain>GData</domain>
  <code>authError</code>
  <location type="header">Authorization</location>
  <internalReason>Invalid Credentials</internalReason>
</error>
</errors>

This error come from OAuth 1.0 Playground

- I use the new scope : https://www.googleapis.com/auth/analytics.readonly

- I put my OAuth API Key on every query (?key=MY_API_KEY)

Everything worked fine before the migration.. (using older scope)

I'm waiting for some fixes ! 

Best Regards

[Pete]

The API Key only identifies your application when making requests to ensure you receive full quota It does not provide authenticated access. You still need to have a valid auth token to make requests. The easiest approach for you would be to use your existing tokens (with old scope) and include the API Key parameter. v2.4 supports the old scope so this should work. 

If you're going to move to the new scope then you will have to re-auth the application and obtain new tokens. In that case you might as well move OAuth 2, which is what we recommend. When authenticated via OAuth 2, requests don't require the API Key parameter since the application will be identified with the Client ID. 

please take a look at the Migration Guide. It describes all of this. Specifically you should take a look at the FAQ sections which answer many common questions.  

[Roberdup]

Hi Pete,

First of all, I thank you for your reply.

I read the FAQ and it says that using Legacy scope ( https://www.google.com/analytics/feeds/ ) will continue to work with API 2.4. So like you said, to keep my client token working (without re-authorize), I have to switch back to this old scope.

Can you tell me if this scope will still work on the next month/year ? Should I have to consider a process to re-authorize my clients tokens now ?

Thank again !

[Roberdup]

Test done on OAuth Playground [ http://www.googlecodesamples.com/oauth_playground ]

Ok, I tried to switch back to the legacy scope ( https://www.google.com/analytics/feeds/). With this scope, I queried on the following endpoints to retrieve user accounts : 

- https://www.google.com/analytics/feeds/accounts/default

This endpoint works fine, but with Google Analytics Migration, I read that it will be inactive (I have to use Management API instead)

- https://www.googleapis.com/analytics/v2.4/management/accounts?key=API_KEY

This endpoint failed with a 401 Unauthorized response ( Invalid credential )

- https://www.google.com/analytics/feeds/datasources/ga/accounts?key=API_KEY

This endpoint failed too with a 401 Unauthorized response ( Invalid credential ) 

I thought that it will be a simple migration...

"Help, I need somebody..." 

[Nick]

wait. Are you saying you can't access your data using the OAuth 1 playground?

Thats probably the first step to get working.

-Nick

[Roberdup]

Hi Nick,

I get the same problem with my application

Could you confirm me that the following step should work (as it wrote in the Migration FAQs) :

Using OAuth 1.0 and legacy scope : https://www.google.com/analytics/feeds/

Can I query Account Feed with the endpoint : https://www.google.com/analytics/feeds/datasources/ga/accounts?key=API_KEY

At the moment, I only succeeded to retrieve Account Feed with the endpoint :  https://www.google.com/analytics/feeds/accounts/default , but this endpoint will shutdown in a few days and my application will shutdown too.

"Time is running out",

waiting your reply

Best regards

[Pete]

If you go to OAuth Playground 1.0 and

1) Select the following scope (the legacy scope): https://www.google.com/analytics/feeds/

2) Follow the rest of the steps to authorize and get an access token (OAuth Playground 1.0 steps 2 to 5) 

3) Then use the token (step 6) to execute the following query (old request url): https://www.google.com/analytics/feeds/datasources/ga/accounts  you should receive a successful response. 

4) now execute the following query to the Management API: https://www.googleapis.com/analytics/v2.4/management/accounts and you should also receive a successful response. And it should work the same when you add the key parameter: https://www.googleapis.com/analytics/v2.4/management/accounts?key=YOUR_API_KEY 

I can confirm this works for me. In other words, using the legacy scope with the Management API v2.4 does work. If you're going to use this in production then make sure to add the key parameter.

I also recommend that if you're going to do any kind of re-auth then use OAuth 2.0 and the new scope instead. There is also an OAuth 2 playground to test this out.  

[Roberdup]

Well, we got a problem because your step 3/4 doesn't work :

3) Then use the token (step 6) to execute the following query (old request url): https://www.google.com/analytics/feeds/datasources/ga/accounts  you should receive a successful response. 

4) now execute the following query to the Management API: https://www.googleapis.com/analytics/v2.4/management/accounts and you should also receive a successful response. And it should work the same when you add the key parameter: https://www.googleapis.com/analytics/v2.4/management/accounts?key=YOUR_API_KEY

 I attached a file to this reply detailling every step with his response. I hope it will help you to find the problem...

http://pastebin.com/raw.php?i=Mg6MzYkH

Thanks for your time !

[Pete]

The steps I showed you used the default OAuth consumer key that the OAuth Playground 1.0 provides. If you are using your own client/id from an OAuth 2 client created in the APIs console then make sure you have you enabled the Analytics API service in the APIs console. https://code.google.com/apis/console#:services

then move to OAuth 2 Playground. 

[Roberdup]

Yes, I used my own OAuth 1.0 consumer_key / consumer_secret.

Moving to OAuth 2 means that I have to re-authorize all my clients token. I can't consider this for the moment...
I already activated Google Analytics Service in the APIs console.

We have to find a way to keep using Google Analytics API with OAuth 1.0 !
If we don't fix it before migration becomes effective, this issue will be a real disaster for my application.

"I need a hero. I'm holding out for a hero 'til the end of the night.
He's gotta be strong and he's gotta be fast"

Best regards

[chris@shufflepoint]

Re-authorizing is a pain (recently been there, done that) but is a one-time pain. And OAuth 2 is much easier to work with. I had hoped to run OAuth 1 and 2 in parallel, but the GA API OAuth 2.0 handshake wasn't happy having outstanding OAuth 1 grants - we had to have users delete the old grants before creating the OAuth 2 grants.

[Roberdup]

I'm surprised that Google support team take it carelessly... Depending on the application, re-authorizing can be really awkward to implement.
When I read in the migration guide that you can keep OAuth 1.0 without re-authorization, I don't expect as a solution to migrate to OAuth 2.0 !

Is it a problem with my consumer key/secret ? Something else ?

Thanks.

[Nick]

Version 2.4 supports legacy auth mechanisms.

Otherwise, as with most major versions, they typically aren't backwards compatible. Also the specs for OAuth 2 is quite different than that of OAuth 1.

-Nick

[chris@shufflepoint]

Since all new capabilities will only be added to 3.0, you really are better off doing the migration. What's the roadblock you have to migrating?

[Roberdup]

Yes, I could admit that migrating to v3.0 is highly recommended to enjoy incoming features. But, in my case, when some of our customers do not have "direct" interaction with the application anymore, it's hard to ask them for a reauthorization..

That's why I hoped to get a fix.

[chris@shufflepoint]

You need to elaborate on that situation before I could give any more detailed suggestions.