HTTP/1.1 401 Token invalid - AuthSub token has wrong scope

Question

I get this error when trying to get a feed from Google Analytics API. However, using the same token I get successful feeds from Google Calendar. The code between the two is exactly the same except for the feed url. So it must have something to do with Analytics being https and Calendar just http.

I have successfully created a non-secure, long-lived token. The scope parameter while requesting the initial token:

scope=http%3A%2F%2Fwww.google.com%2Fcalendar%2Ffeeds%2F%20https%3A%2F%2Fwww.google.com%2Fanalytics%2Ffeeds

My request for the long-lived token:

GET /accounts/AuthSubSessionToken HTTP/1.1
Authorization: AuthSub token="CP_AgsyLDxDCtpjg-f____8B"
Content-Type: application/x-www-form-urlencoded
Host: www.google.com:443
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)

Returns a long-lived token. Using it for Google Calendar:

GET /calendar/feeds/default/allcalendars/full HTTP/1.1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Authorization: AuthSub token="CP_AgsyLDxCh2tmj-P____8B"
Host: www.google.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)

returns a temporary redirect (302):

HTTP/1.1 302 Moved Temporarily
Expires: Sun, 01 Nov 2009 03:00:01 GMT
Date: Sun, 01 Nov 2009 03:00:01 GMT
Set-Cookie: S=calendar=mta4-_BxxANrylcSnzUatg;Expires=Mon, 01-Nov-2010 03:00:01 GMT
Location: http://www.google.com/calendar/feeds/default/allcalendars/full?gsessionid=mta4-_BxxANrylcSnzUatg

which results in a successful Get to this:

GET /calendar/feeds/default/allcalendars/full?gsessionid=mta4-_BxxANrylcSnzUatg HTTP/1.1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Authorization: AuthSub token="CP_AgsyLDxCh2tmj-P____8B"
Host: www.google.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Cookie: S=calendar=mta4-_BxxANrylcSnzUatg

But I get the error 401 when attempting to get the Google Analytics feed:

GET /analytics/feeds/accounts/default HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: AuthSub token="CP_AgsyLDxCh2tmj-P____8B"
Host: www.google.com:443
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)

Do I need a valid SSL certificate for my domain? Been fighting with this for weeks!!!
using Indy10 with Delphi 2007 in Apache.

A request was made to provide some of the Delphi code. What I have provided here is the code for the GET to the feed. I don't provide code to get the tokens because I assume they are good (I am able to get calendar feeds).

var
  IdHTTP: TIdHTTP;
  IdSSLIOHandlerSocket1: TIdSSLIOHandlerSocketOpenSSL;

begin
  IdSSLIOHandlerSocket1 := TIdSSLIOHandlerSocketOpenSSL.create(nil);
  IdHTTP := TIdHTTP.create(nil);
  with IdSSLIOHandlerSocket1 do begin
    SSLOptions.Method := sslvSSLv3;
    SSLOptions.Mode :=  sslmUnassigned;
    SSLOptions.VerifyMode := [];
    SSLOptions.VerifyDepth := 2;
  end;
  with IdHTTP do begin
    IOHandler := IdSSLIOHandlerSocket1;
    ProxyParams.BasicAuthentication := False;
    Request.UserAgent := 'Mozilla/3.0 (compatible; Indy Library)';
    Request.ContentType := 'application/x-www-form-urlencoded';
    request.host := 'www.google.com/analytics';
    request.connection := 'keep-alive';
    Request.Accept := 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2';
  end;

  idhttp.Request.CustomHeaders.Add('Authorization: AuthSub token="'+mToken+'" ');

  IdHTTP.Get('https://www.google.com/analytics/feeds/accounts/default');  // results in the 401

show is some of your Delphi code, especially how you do your HTTPS handling — Jeroen Wiert Pluimers, Nov 01 '09 at 08:08
Please set the user agent to a string representing *your* program. Using the generic value can get your program lumped together with everyone else who didn't bother to specialize, and that can lead to servers filtering your program thinking that it's just another DoS attack. — Rob Kennedy, Nov 01 '09 at 20:36
I tried setting the user agent to something unique: User-Agent: Test Google Analytics Interface Still same problem. — M Schenkel, Nov 02 '09 at 01:18
Just an idea. I would try to obtain some application which succesfuly connetcs to the google analytics and I would use some sniffer to analyze what packets it sends. I would compare the differences with packets from your application. Maybe that could help. — Wodzu, Nov 02 '09 at 11:20
Good thought. I actually have Fiddler. The problem, however, is I believe most "desktop applications" most likely use the Client Login form of authentication. Whereas web service applications use either the AuthSub or OAuth. But because these are web services I have no way of sniffing the activity between the web service application and the Google services. — M Schenkel, Nov 02 '09 at 13:05

score 2 · Accepted Answer · answered Nov 05 '09 at 04:59

2

Took some time and required me to use Fiddler and the Curl php approach. Found this line:

Host: www.google.com:443

can't have the :443. Must be like this:

Host: www.google.com

The Indy TIdHTTP component was automatically appending this to the host when it saw https. The only way I could get around it was to publish my own "host" property.

answered Nov 05 '09 at 04:59

M Schenkel

6,294
12
62
107

1

Another workaround would be to include the :443 in the token scope; it just has to match. – Jonathan Dec 15 '09 at 08:27

HTTP/1.1 401 Token invalid - AuthSub token has wrong scope

1 Answers1

Linked