在Android上使用谷歌API的Java客户端，POST请求似乎并不与使用OAuth谷歌应用程序引擎的应用程序进行身份验证 [英] Using Google API Java Client on Android, a POST request does not seem to authenticate with Google App Engine app using OAuth

问题描述

我有一个需要使用OAuth的巨蟒谷歌应用程序引擎的应用程序验证了Android客户端。我跟着这篇文章。

I have an Android client that needs to authenticate with a python Google App Engine app using OAuth. I followed this article.

和能够成功地做到这一点使用HTTP GET请求。 Android客户端使用包com.google.api.client做到这一点：

And was able to successfully do so using an HTTP Get Request. The Android client uses the package com.google.api.client to accomplish this:

OAuthHmacSigner _signer;
HttpTransport TRANSPORT = new NetHttpTransport();
_signer = new OAuthHmacSigner();
_signer.clientSharedSecret = CONSUMER_SECRET;

// STEP1: get a request token
OAuthGetTemporaryToken requestToken = new OAuthGetTemporaryToken(REQUEST_TOKEN_URL);
requestToken.consumerKey = CONSUMER_KEY;
requestToken.transport = TRANSPORT;
requestToken.signer = _signer;
requestToken.callback = "http://my_app_specific_callback";
requestTokenResponse = requestToken.execute();
OAuthAuthorizeTemporaryTokenUrl authorizeUrl = new OAuthAuthorizeTemporaryTokenUrl(AUTHORIZE_URL);
authorizeUrl.temporaryToken = requestTokenResponse.token;
// at this point, redirect the user using a WebView to the URL string returned by authorizeUrl.build().  Continue below once the user has granted request.

// STEP2: get an access token
_signer.tokenSharedSecret = requestTokenResponse.tokenSecret;
OAuthGetAccessToken accessToken = new OAuthGetAccessToken(ACCESS_TOKEN_URL);
accessToken.consumerKey = CONSUMER_KEY;
accessToken.signer = _signer;
accessToken.transport = TRANSPORT;
accessToken.temporaryToken = requestTokenResponse.token;
accessTokenResponse = accessToken.execute();

// STEP3: use the access token acquired above to access a protected resource
_signer.tokenSharedSecret = accessTokenResponse.tokenSecret;
OAuthParameters parameters = new OAuthParameters();
parameters.consumerKey = CONSUMER_KEY;
parameters.token = accessTokenResponse.token;
parameters.signer = _signer;
HttpRequestFactory factory = TRANSPORT.createRequestFactory(parameters);
HttpRequest req = factory.buildGetRequest(new GenericUrl(PROTECTED_URL_GET_USER_EMAIL));
com.google.api.client.http.HttpResponse resp = req.execute();

在上面的code段，所有的3个步骤工作得很好。而我的谷歌应用程序引擎的服务器上，我检查到PROTECTED_URL_GET_USER_EMAIL作出的GET请求，并包含一个适当的身份验证HTTP头：

In the above code snippet, all the 3 steps work just fine. And on my Google App Engine server, I inspected the GET request made to the PROTECTED_URL_GET_USER_EMAIL, and it contained a proper authentication HTTP Header:

'Authorization': 'OAuth oauth_consumer_key="shiprack-test1.appspot.com", oauth_nonce="...", oauth_signature="...", oauth_signature_method="HMAC-SHA1", oauth_timestamp="...", oauth_token="..."'

使用OAuth的Python包在GAE（google.appengine.api.oauth），我的服务器能够对用户进行认证，并确定用户的电子邮件地址（oauth.get_current_user（））。

Using the oauth python package on GAE (google.appengine.api.oauth), my server is able to authenticate the user and determine the user's email address (oauth.get_current_user()).

然而，问题是，当我的PROTECTED_URL_GET_USER_EMAIL转换为HTTP POST请求。我就是这样做的：

However, the problem is when I convert the PROTECTED_URL_GET_USER_EMAIL to an HTTP Post request. This is how I do that:

Map<String, String> paramsMap = new HashMap<String, String>();
paramsMap.put("param1", "value1")
paramsMap.put("param2", "value2")
HttpRequest req = _httpRequestFactory.buildPostRequest(new GenericUrl(url), new UrlEncodedContent(paramsMap));
req.setFollowRedirects(true);
com.google.api.client.http.HttpResponse resp = req.execute();

但现在，在GAE上的Python服务器端，我无法确定当前用户。 HTTP报头包含相同的OAuth认证头（使用不同的随机数，时间戳和签名，但相同的OAuth令牌）。在参数1和参数2是在HTTP有效载荷。也许我的POST请求不构成正确？

But now, on the GAE python server side, I'm not able to determine the current user. The HTTP Headers contain the same OAuth Authentication headers (with a different nonce, timestamp and signature, but the same oauth token). The "param1" and "param2" are in the HTTP Payload. Perhaps my POST request is not constructed properly?

我用 Ikai岚的（谷歌的App Engine支持小组）$ C $下一个python客户端来验证我的GAE服务器。而这个工作太...原始客户端的GET请求，即使我修改它使用POST请求。我注意到，虽然与POST请求，OAuth的参数被列为URL连接的HTTP负载，而不是在HTTP头codeD值。这是对的Oauth签名的HTTP POST请求的要求？

I used Ikai Lan's (Google App Engine support team) code for a python client to authenticate against my GAE server. And this worked too... the original client with the GET request, and even when I modified it to use a POST request. I noticed though that with the POST request, the oauth parameters were included as URL encoded values in the HTTP payload instead of the in the HTTP header. Is this a requirement for Oauth-signed HTTP post requests?

在此先感谢！

推荐答案

不幸的是，基于表单恩codeD HTTP内容的参数正确的OAuth 1.0a的编码还没有实现。我们已经得到了这个相当多的请求。有一个功能要求已经打开了。

Unfortunately, proper OAuth 1.0a encoding based on form-encoded HTTP content parameters is not implemented yet. We've gotten quite a few requests for this. There is a feature request already open for it.

这篇关于在Android上使用谷歌API的Java客户端，POST请求似乎并不与使用OAuth谷歌应用程序引擎的应用程序进行身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！