Check signed requests from the Gmail context gadget

I use gadgets.io.makeRequest(url, callback, params) to issue requests from the Gmail contextual gadget and want to verify these requests on the server side.

To clarify, I use the following makeRequest parameters on the gadget side:

    params[gadgets.io.RequestParameters.CONTENT_TYPE] = gadgets.io.ContentType.DOM;
    params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;
    params["OAUTH_SERVICE_NAME"] = "HMAC";
    params[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.GET;

I got the gadget's consumer key and consumer secret from https://www.google.com/gadgets/directory/verify
According to the Google documentation, the request is signed by the container in accordance with the OAuth signing process, HMAC-SHA1 method.

On the server side, I get the following request:

    http://my.dev.machine.com/blapage.aspx?oauth_body_hash=2jmj7l5rSw0yVb/vlWAYkK/YBwk=&opensocial_owner_id=103030060674287937707&opensocial_viewer_id=103030060674287937707&opensocial_app_id=103129310198020657787&opensocial_app_url=http://my.dev.machine.com/gadget.xml&oauth_version=1.0&oauth_timestamp=1284403586&oauth_nonce=6436223395511631796&opensocial_container=http://mail.google.com&oauth_consumer_key=419336943235&oauth_signature_method=HMAC-SHA1&oauth_signature=bshZj9XadECdiytiyyytn

I then sign this request according to the same OAuth specification that Google should be using, but the signatures do not match.

I already tried signing the request using two different libraries:

  • Our in-house .NET library, which we use to sign Gmail IMAP OAuth authorization requests (it uses the same signature method and works very well there).
  • A contributed OpenSocial library ( http://code.google.com/p/opensocial-net-client/ )

Both libraries generate similar base strings. Oddly enough, however, they produce different signatures, and neither of them matches the one Google sends in the oauth_signature parameter!

Gadget developers, I hope some of you have had more luck than me with this signature verification method. Please tell me what I am doing wrong here.

Thanks in advance,
Buru

2 answers

I have used this successfully:

    // Lives in a class derived from OAuthBase (linked below), which supplies QueryParameter,
    // QueryParameterComparer, GetQueryParameters, NormalizeRequestParameters, UrlEncode,
    // GenerateSignatureUsingHash and the OAuthSignatureKey constant ("oauth_signature").
    // Needs: using System; using System.Collections.Generic;
    //        using System.Security.Cryptography; using System.Text;
    public Boolean ValidateSignature(String method, Uri url)
    {
        String normalizedUrl, normalizedRequestParameters;
        List<QueryParameter> parameters = new List<QueryParameter>();
        parameters.AddRange(GetQueryParameters(url.Query));

        // The signature the container sent is not part of the signature base string.
        var sigParam = parameters.Find(p => p.Name == OAuthSignatureKey);
        if (sigParam == null)
            return false;
        var expected = sigParam.Value;
        parameters.Remove(sigParam);
        parameters.Sort(new QueryParameterComparer());

        // Base URL: scheme://host[:port]/path, default ports omitted, no query string.
        normalizedUrl = string.Format("{0}://{1}", url.Scheme, url.Host);
        if (!((url.Scheme == "http" && url.Port == 80) || (url.Scheme == "https" && url.Port == 443)))
        {
            normalizedUrl += ":" + url.Port;
        }
        normalizedUrl += url.AbsolutePath;
        normalizedRequestParameters = NormalizeRequestParameters(parameters);

        // Signature base string: METHOD&encoded(base URL)&encoded(normalized parameters)
        StringBuilder signatureBase = new StringBuilder();
        signatureBase.AppendFormat("{0}&", method.ToUpper());
        signatureBase.AppendFormat("{0}&", UrlEncode(normalizedUrl));
        signatureBase.AppendFormat("{0}", UrlEncode(normalizedRequestParameters));

        // HMAC-SHA1 key is encoded(consumerSecret)&encoded(tokenSecret); a signed fetch has no token secret.
        HMACSHA1 hmacsha1 = new HMACSHA1();
        hmacsha1.Key = Encoding.ASCII.GetBytes(string.Format("{0}&{1}", UrlEncode(ConsumerSecret), ""));
        //string.IsNullOrEmpty(tokenSecret) ? "" : UrlEncode(tokenSecret)));
        var computed = GenerateSignatureUsingHash(signatureBase.ToString(), hmacsha1);

        // The value from the query string is still percent-encoded, so compare against the encoded result.
        return expected == UrlEncode(computed);
    }

along with the code you can find here: http://oauth.googlecode.com/svn/code/csharp/OAuthBase.cs

EDIT: when making requests and passing parameters via GET or POST, this did not work. It seems the problem is that Gmail sorts the parameters with capital letters first. I only used lowercase parameters, but you could easily fix the code to make sure uppercase sorts before lowercase.


Daniel's method works great with one small change.

  • GetQueryParameters needs an implementation that returns all query parameters. The implementation in OAuthBase returns only those that do not have the 'oauth_' prefix.

My main problem was that the gadget making the call used gadgets.io.makeRequest for "http://myserver.com", while the page handling it was "http://myserver.com/default.aspx". Because of this difference, the signature did not verify. Calling "http://myserver.com/default.aspx" with gadgets.io.makeRequest from within the gadget solved the problem.

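The verification both answers describe, as an added example that is not part of the original question or answers and not Google's or the OAuthBase project's code. It is written in Python rather than the answers' C# so that the whole exchange fits in one self-contained file: an OAuth 1.0 HMAC-SHA1 signature check over the query parameters of a signed fetch, with the percent-encoding, byte-order parameter sort (uppercase before lowercase, the point of the first answer's edit), default-port handling and path sensitivity (the second answer's problem), plus the oauth_body_hash, timestamp and nonce checks a server should add. The consumer key and secret are placeholders, and container_sign is a constructed stand-in for the container's signing step used only to build the sample input.

```python
"""Server-side check of an OpenSocial signed fetch (OAuth 1.0 HMAC-SHA1, RFC 5849)."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

# Assumed values for this example only; the real secret comes from
# https://www.google.com/gadgets/directory/verify and never belongs in source code.
CONSUMER_KEY = "419336943235"
CONSUMER_SECRET = "example-consumer-secret-not-real"
MAX_CLOCK_SKEW = 300  # seconds; a local policy choice, not part of the OAuth spec


def oauth_encode(s: str) -> str:
    """OAuth percent encoding: only A-Z a-z 0-9 - . _ ~ stay bare, everything else is %XX."""
    return quote(s, safe="-._~")


def normalized_url(url: str) -> str:
    """Scheme and host lower-cased, default port dropped, query and fragment removed.
    The path is kept exactly as requested: '/' and '/default.aspx' give different base strings."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def signature_base_string(method: str, base_url: str, params) -> str:
    """METHOD & enc(base URL) & enc(name=value pairs sorted by byte value).
    Byte-value order puts 'Z' before 'a'; a case-insensitive sort would yield a different
    base string and therefore a different signature."""
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 keyed with enc(consumer secret)&enc(token secret); a signed fetch has no token."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode("ascii")
    return base64.b64encode(hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()).decode("ascii")


def body_hash(body: bytes) -> str:
    """OAuth Request Body Hash: base64(SHA-1(body)). An empty GET body gives 2jmj7l5rSw0yVb/vlWAYkK/YBwk=."""
    return base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")


def verify_signed_fetch(method, url, body=b"", consumer_secret=CONSUMER_SECRET, now=None, seen_nonces=None):
    """Return (ok, reason) for a request received as `url` (full URL, query string included)."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    p = dict(params)
    if p.get("oauth_signature_method") != "HMAC-SHA1" or "oauth_signature" not in p:
        return False, "missing or unsupported oauth_signature"
    expected = hmac_sha1_signature(signature_base_string(method, normalized_url(url), params), consumer_secret)
    if not hmac.compare_digest(expected.encode(), p["oauth_signature"].encode()):  # constant-time compare
        return False, "signature mismatch"
    # The body hash is itself covered by the signature, so this binds the body to the signed query.
    if "oauth_body_hash" in p and not hmac.compare_digest(body_hash(body).encode(), p["oauth_body_hash"].encode()):
        return False, "body hash mismatch"
    now = time.time() if now is None else now
    if not p.get("oauth_timestamp", "").isdigit() or abs(now - int(p["oauth_timestamp"])) > MAX_CLOCK_SKEW:
        return False, "timestamp missing or outside window"
    if seen_nonces is not None:  # replay protection: remember (key, timestamp, nonce) for the window
        marker = (p.get("oauth_consumer_key"), p["oauth_timestamp"], p.get("oauth_nonce"))
        if marker in seen_nonces:
            return False, "nonce replayed"
        seen_nonces.add(marker)
    return True, "ok"


def container_sign(method, url, timestamp, nonce, body=b"", consumer_secret=CONSUMER_SECRET):
    """Constructed stand-in for the container: signs `url` and returns it with the OAuth query appended.
    Used only to build the sample input below; it is not Google's code."""
    params = [
        ("oauth_body_hash", body_hash(body)),
        ("opensocial_owner_id", "103030060674287937707"),
        ("opensocial_app_url", "http://my.dev.machine.com/gadget.xml"),
        ("oauth_version", "1.0"),
        ("oauth_timestamp", str(timestamp)),
        ("oauth_nonce", nonce),
        ("opensocial_container", "http://mail.google.com"),
        ("oauth_consumer_key", CONSUMER_KEY),
        ("oauth_signature_method", "HMAC-SHA1"),
    ]
    sig = hmac_sha1_signature(signature_base_string(method, normalized_url(url), params), consumer_secret)
    return url + "?" + urlencode(params + [("oauth_signature", sig)], quote_via=quote)


def demo(timestamp=1284403586):
    """Sign like the container, verify, then reproduce the path mismatch from the second answer."""
    signed = container_sign("GET", "http://my.dev.machine.com/", timestamp, "6436223395511631796")
    ok, _ = verify_signed_fetch("GET", signed, now=timestamp)
    moved = signed.replace("http://my.dev.machine.com/?", "http://my.dev.machine.com/default.aspx?", 1)
    bad, reason = verify_signed_fetch("GET", moved, now=timestamp)
    return ok, bad, reason


if __name__ == "__main__":
    print(demo())
```

verify_signed_fetch takes the URL exactly as the handler received it; if a rewrite rule or default document changes the path between the gadget's request and the handler, the base string changes and the check fails, which is the failure the second answer hit. The timestamp window and nonce set are not part of the signature check itself, but without them a captured signed URL can be replayed for as long as the consumer secret is valid.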
