Hi Paul, We're using Jersey's client with their OAuth filter, but thanks for the sample code.
I've tried adding the permission and secure parameter, but I get the same results (see below). I've also tried it on our production system, which uses a callback URI with a domain registered to H9, so that shouldn't be an issue either. If I understand the documentation correctly, this behavior of redirecting back to the main page of H9 is not normal, because a manual code (verifier) should be presented in case the callback URI was not specified. I've also tried specifying "oob" as callback to see if that gets me at least to the verifier page, but that resulted in the exact same redirection to the main page, too. Also, as you can see, there is no callback URI parameter in the URI of the authorization page unlike when using OAuth 1.0. Is this normal? It may be as it's not sent during the authorization request... Best regards, Andy NEW REQUEST TOKEN TRANSACTION: GET /accounts/OAuthGetRequestToken?scope=https%3A%2F%2Fwww.google.com%2Fh9%2Ffeeds%2F&secure=0&permission=0 Host: www.google.com Accept: application/x-www-form-urlencoded Authorization: OAuth oauth_callback="https%3A%2F%2Flocalhost%3A8181%2FBodyTrace%2Foauth.html", oauth_signature="ONbCPOhyvNDI1vLtORClBQMmd9E%3D", oauth_version="1.0", oauth_nonce="94393ed8-db1b-4cc9-bdbf-063f096fea81", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="www.bodytrace.com", oauth_timestamp="1276577955" === 200 OK Date: Tue, 15 Jun 2010 04:59:15 GMT Content-Length: 110 Expires: Tue, 15 Jun 2010 04:59:15 GMT X-XSS-Protection: 1; mode=block Alternate-Protocol: 443:npn-spdy/1 Content-Type: text/plain; charset=UTF-8 Server: GSE Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff oauth_token=CIPR97-oEhDulbrm-_____8BGMP-wKcD&oauth_token_secret=EoNdKLYw9Q7%2FvOM%2F38v2NCDQ&oauth_callback_confirmed=true AUTHORIZATION URI: https://h9.google.com/h9/oauth?oauth_token=CIPR97-oEhDulbrm-_____8BGMP-wKcD On Jun 15, 2010, at 12:36 AM, Paul (Google) wrote: > Hi Andy, > > I've posted some working OAuth code (Java) in the Google Apps forum > that might be helpful. > > http://www.google.com/support/forum/p/apps-apis/thread?tid=3def276558898c56&hl=en > > It uses HMAC-SHA1 signing, which is supported on H9 but not production > Health. You'll need to change to RSA-SHA1 when you migrate to Health > production as well. > > The only difference that I see so far is that when you're getting you > request token, you're not including the "permission=1" (or "=0") HTTP > GET parameter. I believe that excluding this parameter causes an > error when trying to use the token, however. > > Also, I've yet to try using OAuth with the "secure=0" parameter. > Without it, we'll need to register your domain name in the H9 system. > If you don't get better results when including the permission > parameter, let's give this a try. > > I hope this helps! Let us know how it goes! > > Paul (Google) > > P.S. Bess and Gilad... thanks a ton for your great suggestions! There > are definitely some tweaks necessary for Health/OAuth integration. > The Google OAuth implementation is standard, but there are certainly > potential gotchas like the permission and secure parameters with > Health. Great ideas! -- You received this message because you are subscribed to the Google Groups "Google Health Developers" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/googlehealthdevelopers?hl=en.
