Spring OAuth2 M6 and Google Analytics: No OAuth 2 Security Context

[skram]

Thanks for the reply. Unfortunately, I tried that and even did a clean Maven build but I got the same exact error.

I now have the following:

Code:

<oauth:resource id="oauth-resource" 
		client-authentication-scheme="form" 
		type="authorization_code"
		access-token-uri="https://accounts.google.com/o/oauth2/token" 
		user-authorization-uri="https://accounts.google.com/o/oauth2/auth"
		client-id="dlkfjglksdjglsdjglsdfgdfgagsd" 
		client-secret="sgsdfgsdfgdfgdfgdf"
		scope="https://www.googleapis.com/auth/analytics.readonly"
		pre-established-redirect-uri="http://localhost:8080/app/google/test"/>
	 
	 <oauth:rest-template id="oauth-rest-template" resource="oauth-resource"/>

What surprises me though is running Debug shows that these parameters are not passed when requesting an Access token.

[Dave Syer]

You should see the code and grant_type, and the client credentials (because of the special authentication scheme). Which of those did you not see? If you see them all then there must be another problem with the flow, and only the server would know probably what you are doing wrong, so if it isn't sending any more information back then you might be out of luck. Maybe you can monitor the responses from the auth server using a TCP monitor?

[skram]

Dave, I will investigate more the sent parameters. But to answer your question, I didn't see those parameters when the app is requesting for an access token, though it's present in the authentication request.

I will check more and report my findings later. Thanks

[Dave Syer]

One other thing, depending on the implementation of your client app, you might need to set use-current-uri="false" in the resource declaration (to force it to use the registered redirect).

[skram]

I tried running a web debugging proxy tool. And here's what I got.

1. First, I visited http://localhost:8080/app/google/test

Proxy showed the request/response:

Request:
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.23) Gecko/20110921 Ubuntu/10.04 (lucid) Firefox/3.6.23
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Cookie: JSESSIONID=114C691A27CC1BC66DDAF8695E665046

Response:
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: https://accounts.google.com/o/oauth2...y&state=A72Yqi
Content-Length: 0
Date: Mon, 11 Jun 2012 13:10:27 GMT


2. Then the browser window showed the Google Analytics authentication page. The browser's URL box shows the following URL:

https://accounts.google.com/o/oauth2...y&state=A72Yqi


3. Then I clicked on allow/authorize button

Proxy showed the request/response:

Request:
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.23) Gecko/20110921 Ubuntu/10.04 (lucid) Firefox/3.6.23
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Cookie: JSESSIONID=114C691A27CC1BC66DDAF8695E665046

Response:
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Date: Mon, 11 Jun 2012 13:11:20 GMT
Connection: close

4. Then the browser should the following exception:

Code:

error="access_denied", error_description="Access token denied."
	org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken(OAuth2AccessTokenSupport.java:93)
	org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.obtainAccessToken(AuthorizationCodeAccessTokenProvider.java:161)
	org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainNewAccessTokenInternal(AccessTokenProviderChain.java:120)

Code:

error="invalid_request", error_description="invalid_request"
	org.springframework.security.oauth2.common.exceptions.OAuth2ExceptionDeserializer.deserialize(OAuth2ExceptionDeserializer.java:81)
	org.springframework.security.oauth2.common.exceptions.OAuth2ExceptionDeserializer.deserialize(OAuth2ExceptionDeserializer.java:30)
	org.codehaus.jackson.map.ObjectMapper._readMapAndClose(ObjectMapper.java:2391)
	org.codehaus.jackson.map.ObjectMapper.readValue(ObjectMapper.java:1651)

Unfortunately I can't get much from proxying accounts.google.com (maybe due to some security scheme). However I noticed the following status:

https://ssl.google-analytics.com
Failed
SSLHandshake: Received fatal alert: bad_certificate

I don't know if that has something to do with the Proxy tool I'm using or it's a server issue or an app issue.

I'm sorry though I tried setting that use-current-uri="false" but with the same issue.

Do you think it would help if I provide you a barebones Maven project with this current issue. Of course, you might need to create your own Google Analytics account and register an ID via the Google API Console? If this would help, I would gladly provide one.

Or file a JIRA? But at what title and error type?

[Dave Syer]

There's not much point sending me code to reproduce the problem (it's trivial once you have registered an app with Google). You can raise a JIRA if you like, but to do anything about it I think you would need to get some more information from Google as to why the token request is invalid (it seems to me to match their own documentation https://developers.google.com/accoun...Auth2WebServer). The most likely response from Google, assuming you can get anyone's attention, is that you should use the Google Java client APIs (which isn't a bad idea really and if you can get that to work we might be able to see the difference).

[skram]

Dave, thanks for the suggestion.

I would try their code and see if there's much difference. It would be a good comparison exercise. I'm just surprise though that no one has tried integrating Google Analytics with Spring OAuth yet (or maybe someone hasn't posted or had any problems yet).

I actually prefer to stick with Spring because it has simpler model, but then again just to see what's really happening I wouldn't mind to try their own code.

[Dave Syer]

I'm just surprise though that no one has tried integrating Google Analytics with Spring OAuth yet (or maybe someone hasn't posted or had any problems yet).

There was a post a few months back and it worked (eventually) then, I think - I remember the thing about the client authentication. Either my memory is bad, or they changed their server implementation (or both possibly).

[Dave Syer]

I think I cracked it. If you remove the state parameter from the token request (not sure why it was there in the first place) it reveals another problem, which is a redirect mismatch. I raised a JIRA for that (SECOAUTH-284) - should be fixed now.

[skram]

Thanks for the quick action.

Unfortunately, I'm unable to pull RC1 or even the SNAPSHOTS. I'm able to pull SNAPSHOT builds for Spring Core, JPA, and etc. But this one is unpullable. Is there a special repo where this resides?

This is what I use (along with Artifactory):

Code:

	
	<repository>
		<id>org.springframework.maven.release</id>
		<name>Spring Maven Release Repository</name>
		<url>http://maven.springframework.org/release</url>
		<releases><enabled>true</enabled></releases>
		<snapshots><enabled>false</enabled></snapshots>
	</repository>

	<repository>
		<id>org.springframework.maven.snapshot</id>
		<name>Spring Maven Snapshot Repository</name>
		<url>http://maven.springframework.org/snapshot</url>
		<releases><enabled>false</enabled></releases>
		<snapshots><enabled>true</enabled></snapshots>
	</repository>

	<repository>
		<id>org.springframework.maven.milestone</id>
		<name>Spring Maven Milestone Repository</name>
		<url>http://maven.springframework.org/milestone</url>
		<snapshots><enabled>false</enabled></snapshots>
	</repository>

Update: Ok, I'm building the project now by downloading the project from GitHub