I can't fiure out how to use the tokenString from callback to access other google api's

[Justin Robinson]

I recently integrated google identity toolkit into a webapp.

A while back I integrated google cloud print into the same webapp, it worked on a single google apps domain and used the approach where the API is called on behalf of the user.

    String[] scopes = {"https://www.googleapis.com/auth/cloudprint"};

    JsonFactory JSON_FACTORY = JacksonFactory.getDefaultInstance();

    HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();

    credential = new GoogleCredential.Builder()

       .setTransport(httpTransport)

       .setJsonFactory(JSON_FACTORY)

       .setServiceAccountId(serviceAccountId)

       .setServiceAccountUser(username)

       .setServiceAccountPrivateKeyFromP12File(new File(serviceAccountPrivateKeyFilePath))

       .setServiceAccountScopes(Arrays.asList(scopes))

       .build();

The credential object was then used to obtain a token with the code

    public String getAuth() {

    if(credential.getAccessToken()==null){

    try {

    credential.refreshToken();

    } catch (IOException e) {

    e.printStackTrace();

    }

    }

    return credential.getAccessToken();

    }

This token was then added to requests like so

    httpPost.setHeader("X-CloudPrint-Proxy", user.getServiceAccountId());

    httpPost.setHeader("Authorization", "OAuth " + user.getAuth());

This work perfectly. Then the requirement came that users that logged in with identity toolkit, if they where provider type google.com of course should be able to access their printers shared via groups or whatever on any gmail domain.

In the identitytoolkitConfig for window.google.identitytoolkit.signInButton('#identity', identitytoolkitConfig) it is possible to add a callback to get the token just after login before redirect to successUrl with 

    identitytoolkitConfig.callbacks = {

              signInSuccess: function(tokenString, accountInfo, opt_signInSuccessUrl) {

                //alert("tokenString: "+tokenString+", accountInfo: "+JSON.stringify(accountInfo)+", details to be stored in local storage to persist beyond page refreshes");

                if(accountInfo.providerId === "google.com"){

                Lockr.set('identityTokenString', tokenString); 

                Lockr.set('identityEmail', accountInfo.email);

                }else{

                //used for gcp which is google provider only

                Lockr.rm('identityTokenString'); 

                 Lockr.rm('identityEmail');  

                }

                   return true;

                 }

              };

I have decided to just store this token in localStorage so it survives across pages while the user is logged in. On logout it does get wipped.

The token is stored client side in local storage until a custom print button is pressed and then added to gcp requests as a paramater. Requests go to the webapp's back end which is something of a proxy.

I thought is I simply removed this header 

    httpPost.setHeader("X-CloudPrint-Proxy", user.getServiceAccountId());

and then placed identityTokenString in the other header like so

    httpPost.setHeader("Authorization", "OAuth " + identityTokenString);

it would work. But calls gcp endpoints via my backend proxy that were previously working now all fail with the response

    <HTML>

    <HEAD>

    <TITLE>User credentials required</TITLE>

    </HEAD>

    <BODY BGCOLOR="#FFFFFF" TEXT="#000000">

    <H1>User credentials required</H1>

    <H2>Error 403</H2>

    </BODY>

    </HTML>

Any ideas what I am doing wrong here, the documentation on the 3 subjects is a little cryptic.

I also tried using 

    httpPost.setHeader("Authorization", "Bearer " + identityTokenString);

didn't work either