Authsub: Token invalid - AuthSub token has wrong scope

[mschenkel]

I have been fighting with this for hours. As far as I know, I have a
proper long-lived token. But any feed I try to get results in this
error message. I did some searching on this forum and this thread
seems exaclty what I am experiencing:

http://groups.google.com/group/google-analytics-data-export-api/browse_thread/thread/b2643b85ee9a954

Is there a chance the AuthSub for Google Analytics could be "broken"
the way it was back in April??

Thanks.

[mschenkel]

I just tried the interactive samples:
http://code.google.com/apis/analytics/docs/gdata/1.0/gdataInteractiveSamples.html

These work. So it obviously must be something in my code or a
header. Probably best thing now is to use an application like fiddler
to see exactly what is going on.

[Nick]

Yes, looking at headers is usually the best way to debug.

I'd also make sure you are using the correct scope for GA:
https://www.google.com/analytics/feeds
-Nick



On Oct 21, 2:58 pm, mschenkel wrote:
> I just tried the interactive samples:http://code.google.com/apis/analytics/docs/gdata/1.0/gdataInteractive...

[mschenkel]

To mix things up, I just tried the same with the Calendar. I get the
same thing.

This is definitely a problem with requesting the feeds and not the
authentication right? I have verified I have granted access in the
google settings.

Couple other things:
I am doing this in a test environment. I have changed my host file to
simulate that I am on my site (i.e. within my browser). Does this
matter? Or do I have to have this running on the true domain?

Thanks.

[mschenkel]

Ok - I have done some more hashing on this. I believe it has
something to do with the SSL. I have gotten it to work with the
calendar feed:

GET /calendar/feeds/default/allcalendars/full?
gsessionid=uFOd8WRGtCIC5vBt3eGwmg HTTP/1.1
Authorization: AuthSub token="CP_xxxxxxxxxxx"
Host: www.google.com
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Cookie: S=calendar=uFOd8WRGtCIC5vBt3eGwmg

This returns the proper XML. But when I try the https://www.google.com/analytics/feeds
(which was recommended by Nick) url:

GET /analytics/feeds HTTP/1.1
Authorization: AuthSub token="CP_AgsyLDxCEyvHgBw"
Host: www.google.com:443
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)

I get this:
13
Invalid request URI
0


I also try http://www.google.com/analytics/feeds/accounts/default
which is documented from this page:
http://code.google.com/apis/analytics/docs/gdata/gdataReferenceAccountFeed.html

GET /analytics/feeds/accounts/default HTTP/1.1
Authorization: AuthSub token="CP_AgsyLDxCEyvHgBw"
Host: www.google.com:443
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)

Here is the result:

d5
<HTML>
<HEAD>
<TITLE>Token invalid - AuthSub token has wrong scope</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Token invalid - AuthSub token has wrong scope</H1>
<H2>Error 401</H2>
</BODY>
</HTML>

0

[Nick]

From the looks of things, the issue you are having is with the token
you are retrieving from the Account API service.

When you have a correct token, you'll will be able to make a GET
request to our account feed with the proper header set to this URL:
http://www.google.com/analytics/feeds/accounts/default

To get a proper AuthSub token to work with GA you will need to define
a scope in the request to the Accounts API. Here is how you can do it:

https://www.google.com/accounts/AuthSubRequest?
&next=http://www.example.com/myApplicationPage.html
&scope=https://www.google.com/analytics/feeds/
&secure=0
&session=1

Where the details of each parameter is on this page:
http://code.google.com/apis/analytics/docs/gdata/1.0/gdataAuthentication.html#understandingAuthSub

Once the user, grants access, they will be redirected to the URL in
the next parameter and the redirect will add a parameter named "token"
in the URL. This is only good for 1 request. You can use this 1
request to upgrade the token to a long lived one. It's the long lived
token that needs to go into the header of the requests to the GA API.

-Nick

On Oct 22, 10:21 am, mschenkel wrote:
> Ok - I have done some more hashing on this.  I believe it has
> something to do with the SSL.  I have gotten it to work with the
> calendar feed:
>
> GET /calendar/feeds/default/allcalendars/full?
> gsessionid=uFOd8WRGtCIC5vBt3eGwmg HTTP/1.1
> Authorization: AuthSub token="CP_xxxxxxxxxxx"
> Host:www.google.com
> Accept: text/html, */*
> Accept-Encoding: identity
> User-Agent: Mozilla/3.0 (compatible; Indy Library)
> Cookie: S=calendar=uFOd8WRGtCIC5vBt3eGwmg
>

> This returns the proper XML.  But when I try thehttps://www.google.com/analytics/feeds

> (which was recommended by Nick) url:
>
> GET /analytics/feeds HTTP/1.1
> Authorization: AuthSub token="CP_AgsyLDxCEyvHgBw"
> Host:www.google.com:443
> Accept: text/html, */*
> Accept-Encoding: identity
> User-Agent: Mozilla/3.0 (compatible; Indy Library)
>
> I get this:
> 13
> Invalid request URI
> 0
>

> I also tryhttp://www.google.com/analytics/feeds/accounts/default
> which is documented from this page:http://code.google.com/apis/analytics/docs/gdata/gdataReferenceAccoun...

[mschenkel]

Yes - I understand this. And have followed these steps (many times in
fact). You seem to be indicating I have an incorrect token. BUT,
with this token I am able to successfully query the calendar feed. Is
it possible the token will work for the calendar but not GA, even
though during my AuthSubRequest and subsequent request for long-lived
tokens I requested access for both services? I have checked my Google
Account settings - I have access granted to my website for both.

[mschenkel]

Perhaps this is the problem: if the google feed is SSL (i.e. calls
https://www.google.....) do I need a certificate????

Currently I am not using a certificate, I will give this a try now.