401 Unauthorized Error for Google Docs Content src using OAUTH 1.0/2.0


venu musham

Aug 19, 2011, 1:54:27 AM
to google-docum...@googlegroups.com
When I do a GET with OAuth 1.0 parameters on https://docs.google.com/feeds/default/private/full, a response is received (the document list).
Doing a GET with OAuth 1.0 parameters on the document content URL (the URL inside the content tag), I get a 401 Unauthorized exception.
The scope defined is https://docs.google.com/feeds/

venu musham

Aug 20, 2011, 1:55:19 AM
to google-docum...@googlegroups.com
To reproduce this issue we can test in the OAuth Playground.

Steps to be performed in the OAuth Playground:

1) Get an HMAC-SHA1 access token with "anonymous" as the consumer public and private keys (it's a desktop app). Use "https://docs.google.com/feeds/ https://spreadsheets.google.com/feeds/ https://docs.googleusercontent.com/." as the scope.
2) Obtain the documents list from https://docs.google.com/feeds/default/private/full
3) Find a non-native document, in this case a PDF, and get the src of the content tag (https://doc-08-48-docs.googleusercontent.com/docs/securesc/XXX/XXX/XXX/XXX/XXX/XXX?h=16653014193614665626&e=download&gd=true)
4) Retrieve that URL with OAuth signing. It appears as though the URL doesn't load with "&amp;" instead of "&" in the playground.
5) The server returns a 302 redirect to https://docs.google.com/nonceSigner?nonce=iv38bfjlb63ak&continue=(previous URL)&hash=158p0dnfv7vtt1j8ndgj0qq8hj4nsac2
6) Retrieve that URL with OAuth signing. The server returns a 401 Unauthorized error.

Vic Fryzel

Aug 20, 2011, 8:42:50 PM
to google-docum...@googlegroups.com
Hey Venu,

You really had me worried for a minute :D

This is a "bug" in the OAuth playground. The OAuth playground is doing entity substitution on the URL when loading it into the URL text box.

If you click the content URL, and then replace "&amp;e=download&amp;gd=true" with "&e=download&gd=true" at the end of the URL, clicking execute will work as intended and download the file. If you see an empty textbox where you expected the file to be, it's just because the OAuth playground doesn't load a binary file into any visible form.

Any client application would not have this problem, as they would not need to do entity substitution to ensure malicious things don't get inserted into the DOM of the page.

Thanks,
-Vic

venu musham

Aug 22, 2011, 2:32:29 AM
to google-docum...@googlegroups.com
Vic,

As you suggested, it worked for URLs starting with https://doc-08-48-docs.googleusercontent*

Tried the same with a URL starting with https://docs.google.com/*; it gave 401 Unauthorized. Got the same error for the content src and the thumbnail URL.


Log:
1) Did a GET on https://docs.google.com/vt?id=0AZ59kAXVHrP7ZGNzODRnOTJfMWNqbnM5Zjcz&sz=s220&v=127&s=AMedNnoAAAAATlISI3at2BTRy-vEULgVk_2xvwOueE1D (thumbnail URL, replaced &amp; with &)
GET&https%3A%2F%2Fdocs.google.com%2Fvt&id%3D0AZ59kAXVHrP7ZGNzODRnOTJfMWNqbnM5Zjcz%26oauth_consumer_key%3Danonymous%26oauth_nonce%3Dae4c4ccd177f446beade46aba93b3dee%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1313994430%26oauth_token%3D1%252FxFSEw7tZocIt0wbLyWEx7mBlkjnUVuqvWqIqOoqnmfM%26oauth_version%3D1.0%26s%3DAMedNnoAAAAATlISI3at2BTRy-vEULgVk_2xvwOueE1D%26sz%3Ds220%26v%3D127

2) response:
GET /vt?id=0AZ59kAXVHrP7ZGNzODRnOTJfMWNqbnM5Zjcz&sz=s220&v=127&s=AMedNnoAAAAATlISI3at2BTRy-vEULgVk_2xvwOueE1D HTTP/1.1
Host: docs.google.com
Accept: */*
Authorization: OAuth oauth_version="1.0", oauth_nonce="ae4c4ccd177f446beade46aba93b3dee", oauth_timestamp="1313994430", oauth_consumer_key="anonymous", oauth_token="1%2FxFSEw7tZocIt0wbLyWEx7mBlkjnUVuqvWqIqOoqnmfM", oauth_signature_method="HMAC-SHA1", oauth_signature="2g3M%2F24%2FRDfjJBJ407nZlMYC8Jk%3D"
Content-Type: application/atom+xml
GData-Version: 3.0

HTTP/1.1 401 Unauthorized
WWW-Authenticate: OAuth realm="https://www.google.com/accounts/OAuthGetRequestToken", service="writely"
Content-Type: text/html; charset=UTF-8
x-chromium-appcache-fallback-override: disallow-fallback
Date: Mon, 22 Aug 2011 06:27:10 GMT
Expires: Mon, 22 Aug 2011 06:27:10 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Transfer-Encoding: chunked

<?xml version="1.0"?>
<HTML>
<HEAD>
<TITLE>Unauthorized</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Unauthorized</H1>
<H2>Error 401</H2>
</BODY>
</HTML>


- Venu Musham
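
Vic's explanation turns on what the OAuth 1.0 signer actually signs. The Python below is an added example, not code from the thread or from Google: it rebuilds the RFC 5849 signature base string for the thumbnail request in the log (URL and oauth_* values are the ones logged above; "anonymous" is the consumer secret the thread describes, and the token secret is a constructed placeholder because the thread does not contain it) and exposes the parameter names a signer would see if the URL still carried "&amp;".

```python
# Added example, not code from the thread or from Google: OAuth 1.0 HMAC-SHA1
# signing per RFC 5849 (base string, section 3.4.1) applied to the thumbnail
# request from the log above, plus the parameter names a signer would see.
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote, urlsplit

# Request line and Authorization header values copied from the logged request.
LOG_URL = ("https://docs.google.com/vt?id=0AZ59kAXVHrP7ZGNzODRnOTJfMWNqbnM5Zjcz"
           "&sz=s220&v=127&s=AMedNnoAAAAATlISI3at2BTRy-vEULgVk_2xvwOueE1D")
LOG_OAUTH = {
    "oauth_version": "1.0",
    "oauth_nonce": "ae4c4ccd177f446beade46aba93b3dee",
    "oauth_timestamp": "1313994430",
    "oauth_consumer_key": "anonymous",
    "oauth_token": "1/xFSEw7tZocIt0wbLyWEx7mBlkjnUVuqvWqIqOoqnmfM",
    "oauth_signature_method": "HMAC-SHA1",
}

def pct(s: str) -> str:
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(s, safe="-._~")

def query_params(query: str) -> list:
    # Split on "&" only (never ";"), so a literal "&amp;" becomes a name prefix.
    return [(unquote(n), unquote(v)) for n, _, v in
            (p.partition("=") for p in query.split("&") if p)]

def base_string(method: str, url: str, oauth: dict) -> str:
    # METHOD & encoded base URL & encoded, sorted "name=value" list.
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    params = query_params(parts.query) + [
        (k, v) for k, v in oauth.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(method: str, url: str, oauth: dict, consumer_secret: str, token_secret: str) -> str:
    # Key is "consumer secret & token secret"; for the anonymous consumer it is "anonymous".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, oauth).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def param_names(url: str) -> list:
    # Names that get signed; an entity-substituted URL yields "amp;sz" and friends.
    return sorted(name for name, _ in query_params(urlsplit(url).query))
```

Run on the logged URL, base_string reproduces the base string shown in the log character for character; run on the entity-substituted form it signs parameters named amp;sz, amp;v and amp;s, so the signed parameter set is no longer the one the endpoint expects.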


Vic Fryzel

Aug 25, 2011, 2:49:07 PM
to google-docum...@googlegroups.com
Hey Venu,

Two things:

1. Don't post tokens in emails like this. I recommend invalidating the relevant token from your Google Account Settings page.
2. Can you list the scopes you're using? What is the exact scope string you're entering into the OAuth playground?

-Vic

venu musham

Sep 6, 2011, 2:14:20 AM
to Google Documents List API
Vic,

Scope used: https://docs.google.com/feeds/

- Venu Musham
