2-legged OAuth with google-api-java-client

Question

Does anyone know how to use 2-legged OAuth with google-api-java-client? I'm trying to access the Google Apps Provisioning API to get the list of users for a particular domain.

The following does not work

HttpTransport transport = GoogleTransport.create();
GoogleHeaders headers = (GoogleHeaders) transport.defaultHeaders;
headers.setApplicationName(APPLICATION_NAME);
headers.gdataVersion = GDATA_VERSION;

OAuthHmacSigner signer = new OAuthHmacSigner();
signer.clientSharedSecret = CONSUMER_SECRET;

OAuthParameters oauthParameters = new OAuthParameters();
oauthParameters.version = OAUTH_VERSION;
oauthParameters.consumerKey = CONSUMER_KEY;
oauthParameters.signer = signer;
oauthParameters.signRequestsUsingAuthorizationHeader(transport);

I get the "com.google.api.client.http.HttpResponseException: 401 Unknown authorization header". The header looks something like this

OAuth oauth_consumer_key="...", oauth_nonce="...", oauth_signature="...", oauth_signature_method="HMAC-SHA1", oauth_timestamp="...", oauth_version="1.0"

I also tried following without success

GoogleOAuthDomainWideDelegation delegation = new GoogleOAuthDomainWideDelegation();
delegation.requestorId = REQUESTOR_ID;
delegation.signRequests(transport, oauthParameters);

Any ideas? Thanks in advance.

Answer 1

Presumably you are trying to get an unauthorised request token here? I Haven't used the Google implementation, but the OAuth 1.0a spec says you need a callback URL, which you don't have. This might be a red herring as the spec says a missing param should return HTTP code 400 not 401.

See http://oauth.net/core/1.0a/#auth_step1

Answer 2

It seems that there was nothing wrong with the code. It actually works. The problem was with the our Google Apps setup.

When you visit the "Manage OAuth key and secret for this domain" page (https://www.google.com/a/cpanel/YOUR-DOMAIN/SetupOAuth), and enable "Two-legged OAuth access control" and select "Allow access to all APIs", it doesn't actually allow access to all APIs.

If you visit the "Manage API client access" page after that (https://www.google.com/a/cpanel/YOUR-DOMAIN/ManageOauthClients), you'll see that there is an entry like:

YOR-DOMAIN/CONSUMER-KEY  "This client has access to all APIs" 

It seems that this doesn't include Provisioning API. Only after we explicitly added the Provisioning API, the code started to work. So to enable Provisioning API, you should also have something like the following entry in your list:

YOR-DOMAIN/CONSUMER-KEY  Groups Provisioning (Read only) https://apps-apis.google.com/a/feeds/group/#readonly 
                         User Provisioning (Read only)  https://apps-apis.google.com/a/feeds/user/#readonly

Somone else had the same problem:

http://www.gnegg.ch/2010/06/google-apps-provisioning-two-legged-oauth/

Sasa