views:

123

answers:

1

So, I'm using gadgets.io.makeRequest(url, callback, params) to make requests from a Gmail contextual gadget and verifying these requests on the server side.

To clarify, I'm using the following makeRequest params on the gadget side:

var params = {};
// Parse the response as a DOM document
params[gadgets.io.RequestParameters.CONTENT_TYPE] = gadgets.io.ContentType.DOM;
// Ask the container to sign the request (OAuth 1.0 signed fetch)
params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;
// Service name registered for HMAC-SHA1 signing
params["OAUTH_SERVICE_NAME"] = "HMAC";
params[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.GET;

I've obtained the gadget's consumerKey and consumerSecret from https://www.google.com/gadgets/directory/verify
According to Google's documentation, the request is signed by the container using the OAuth signing process with the HMAC-SHA1 method.

On the server side, I receive the following request:

http://my.dev.machine.com/blapage.aspx?oauth_body_hash=2jmj7l5rSw0yVb/vlWAYkK/YBwk=&opensocial_owner_id=103030060674287937707&opensocial_viewer_id=103030060674287937707&opensocial_app_id=103129310198020657787&opensocial_app_url=http://my.dev.machine.com/gadget.xml&oauth_version=1.0&oauth_timestamp=1284403586&oauth_nonce=6436223395511631796&opensocial_container=http://mail.google.com&oauth_consumer_key=419336943235&oauth_signature_method=HMAC-SHA1&oauth_signature=bshZj9XOXECdYiyR1J8Etnadv5c=

Then I'm signing this request according to the same OAuth specification that Google is supposed to use, but the signatures don't match.

I've already tried signing the request using 2 different libs:

  1. Our home-grown .Net lib, which is used to sign requests for Gmail IMAP OAuth authorization (which uses the same signing method and it works just fine there).
  2. One of the contributed opensocial libs (http://code.google.com/p/opensocial-net-client/)

Both libs produce similar signature base strings. However, weirdly enough, they produce different signatures, and none of these signatures match the one sent by Google in oauth_signature param!

Fellow gadget developers, I hope some of you were luckier than me and made this signature verification method work. Please tell me what I'm doing wrong here.

Thanks in advance,
buru

A: 

I'll try to explain my issue. I'm writing a Gmail sidebar gadget that uses the OAuth authorization protocol to communicate with my OAuth service provider. I'm writing the code for both the gadget and the service provider (a Ruby on Rails app). In this view Google represents the service consumer that signs requests with its own private key. My problem is building the correct signature base string I will use to validate the request.

Let me show you my procedure to verify the signature.

  1. Build the signature base string: I receive an HTTP request from Google (the service consumer), extract the full parameter list, and concatenate the parameters in the same order I received them.
  2. Make a SHA1 hash of the signature base string (URL-decoded).
  3. Decrypt the oauth_signature parameter (URL-decoded) with the iGoogle public key (found in the certificate referenced by: pub.1210278512.2713152949996518384.cer).
  4. Compare the hash generated at step 2 with the decrypted hash. If the values match I may assume that the signature is valid.

If there's something wrong in the procedure described above please let me know. I'm not sure about the procedure that generates the signature base string. What is the right order to concatenate the parameters? As I receive them? And which of them do I have to use? All of them (oauth_, xoauth_, opensocial_, etc.) or only those that begin with "oauth_"?

I apologize if this is not the right place to ask my question.

Thanx everyone. :)

Nic.

Nic
You should have asked a question, not posted an answer... As for your question, I believe you should sort your params in alphabetical order before hashing them. There are several code samples online showing RSA signature verification, e.g. these examples in the OpenSocial wiki: http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests
buru
Thanks for your help pavlo!!
Nic
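The following is an added worked example, not buru's .NET code, Nic's Rails code or anything from Google's libraries. It shows what both posts are circling around: how an OAuth 1.0 signature base string is built from a signed makeRequest call (every query parameter except oauth_signature, percent-encoded and then sorted by key as pavlo says, not in arrival order), how the server recomputes an HMAC-SHA1 signature (buru's case), and how an RSA-SHA1 signature is checked against a public key (Nic's case, steps 2 to 4 of his procedure). Since the real consumer secret and the container's certificate are not on the page, the consumer secret is a constructed value and the RSA key pair is generated in-process; the URL, consumer key, nonce, timestamp and oauth_body_hash values are taken from buru's captured request, and all method names are my own.

```ruby
require 'openssl'
require 'uri'
require 'cgi'

# --- Signature base string (OAuth 1.0, RFC 5849 section 3.4.1) ---------------

# Percent-encode the way OAuth requires: only RFC 3986 unreserved characters
# pass through; everything else ("/", "=", "+", space, ...) becomes %XX.
def oauth_escape(str)
  str.to_s.gsub(/[^A-Za-z0-9\-._~]/) do |c|
    c.bytes.map { |b| format('%%%02X', b) }.join
  end
end

# Split a raw query string into [key, value] pairs (duplicates preserved),
# form-decoding each side. On the wire oauth_body_hash arrives as
# "2jmj7l5rSw0yVb%2FvlWAYkK%2FYBwk%3D", so decoding before normalizing matters.
def parse_query(query)
  query.to_s.split('&').map do |pair|
    k, v = pair.split('=', 2)
    [CGI.unescape(k), CGI.unescape(v.to_s)]
  end
end

# Every query parameter takes part (oauth_*, opensocial_*, xoauth_*, the app's
# own) except oauth_signature. Keys and values are escaped first, the pairs are
# sorted by key (then value), joined with "&", and finally METHOD, base URL and
# the parameter string are escaped once more and joined with "&".
def signature_base_string(method, url, params)
  uri  = URI.parse(url)
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  base_url = "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}#{uri.path}"
  normalized = params
               .reject { |k, _| k == 'oauth_signature' }
               .map    { |k, v| [oauth_escape(k), oauth_escape(v)] }
               .sort
               .map    { |k, v| "#{k}=#{v}" }
               .join('&')
  [method.upcase, oauth_escape(base_url), oauth_escape(normalized)].join('&')
end

# --- HMAC-SHA1: what a signed makeRequest with OAUTH_SERVICE_NAME "HMAC" uses -

# Key is "escaped consumer secret & escaped token secret"; a signed fetch has
# no token, so the part after "&" is empty.
def hmac_sha1_signature(base_string, consumer_secret, token_secret = '')
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  [OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base_string)].pack('m0') # strict base64
end

# Constant-time comparison so the verifier does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Container side of the round trip (constructed here only to exercise the verifier).
def signed_url_hmac(method, url, params, consumer_secret)
  sig   = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret)
  query = (params + [['oauth_signature', sig]]).map { |k, v| "#{oauth_escape(k)}=#{oauth_escape(v)}" }.join('&')
  "#{url}?#{query}"
end

# Server side: rebuild the base string from the request exactly as received.
def verify_hmac_request(method, full_url, consumer_secret)
  uri    = URI.parse(full_url)
  params = parse_query(uri.query)
  sent   = params.to_h['oauth_signature'].to_s
  base   = signature_base_string(method, full_url, params)
  secure_equal?(hmac_sha1_signature(base, consumer_secret), sent)
end

# --- RSA-SHA1: verifying against the container's public key -------------------

def rsa_sha1_signature(base_string, private_key)
  [private_key.sign(OpenSSL::Digest.new('SHA1'), base_string)].pack('m0')
end

# OpenSSL's verify performs the "hash, RSA-decrypt, compare" steps itself,
# including the PKCS#1 v1.5 padding check a hand-rolled decrypt would skip.
def verify_rsa_signature(base_string, signature_b64, public_key)
  public_key.verify(OpenSSL::Digest.new('SHA1'), signature_b64.unpack1('m'), base_string)
rescue OpenSSL::PKey::PKeyError
  false
end

# --- Checks a valid signature alone does not give you ------------------------

SEEN_NONCES = {}

# Reject stale timestamps and reused (consumer key, nonce, timestamp) triples.
def fresh?(params, now: Time.now.to_i, window: 300)
  h  = params.to_h
  ts = h['oauth_timestamp'].to_i
  return false if (now - ts).abs > window
  key = [h['oauth_consumer_key'], h['oauth_nonce'], ts]
  return false if SEEN_NONCES.key?(key)
  SEEN_NONCES[key] = true
  true
end

# oauth_body_hash is base64(SHA-1(body)); for a GET the body is empty.
def body_hash(body)
  [OpenSSL::Digest::SHA1.digest(body)].pack('m0')
end

# --- Demo with the parameter names from the captured request (secret constructed)
if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-consumer-secret'
  params = [
    ['oauth_body_hash', body_hash('')], # "2jmj7l5rSw0yVb/vlWAYkK/YBwk="
    ['opensocial_owner_id', '103030060674287937707'],
    ['opensocial_container', 'http://mail.google.com'],
    ['oauth_version', '1.0'],
    ['oauth_timestamp', '1284403586'],
    ['oauth_nonce', '6436223395511631796'],
    ['oauth_consumer_key', '419336943235'],
    ['oauth_signature_method', 'HMAC-SHA1']
  ]
  url = signed_url_hmac('GET', 'http://my.dev.machine.com/blapage.aspx', params, secret)
  puts url
  puts "valid:    #{verify_hmac_request('GET', url, secret)}"
  puts "tampered: #{verify_hmac_request('GET', url.sub('103030060674287937707', '1'), secret)}"
end
```

Two things in this example explain the symptoms in the thread. Sorting happens on the already-escaped pairs, and the parameter string is escaped a second time when the three parts are joined; a library that escapes once, or sorts before escaping, yields a plausible-looking base string that still signs to a different value. And the verifier must rebuild the base string from the URL and method exactly as the container sent them (scheme, host, path, every query parameter), because any difference, including a "+" decoded as a space or a stripped port, changes the HMAC. The oauth_body_hash value in buru's capture is the SHA-1 of an empty body, which is what a GET should carry; checking it, the timestamp window and the nonce alongside the signature is what turns "the signature matches" into "this request is fresh and unmodified".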