After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 731269 - Wrong scope information in authorization domain
Wrong scope information in authorization domain
Status: RESOLVED FIXED
Product: libgdata
Classification: Platform
Component: PicasaWeb service
git master
Other Linux
: Normal major
: ---
Assigned To: libgdata-maint
libgdata-maint
Depends on:
Blocks:
 
 
Reported: 2014-06-05 13:15 UTC by Saurav Agarwalla
Modified: 2014-06-19 08:54 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
My local changes (836 bytes, patch)
2014-06-18 11:35 UTC, Saurav Agarwalla
none Details | Review
core: Add PicasaWeb support to GDataGoaAuthorizer (2.09 KB, patch)
2014-06-18 16:27 UTC, Philip Withnall
committed Details | Review
Log for Photos (4.88 KB, text/x-log)
2014-06-19 06:35 UTC, Saurav Agarwalla
  Details
Log for Documents (12.53 KB, text/x-log)
2014-06-19 06:35 UTC, Saurav Agarwalla
  Details
core: Refresh authoriser on receiving SOUP_STATUS_FORBIDDEN (1.44 KB, patch)
2014-06-19 08:38 UTC, Philip Withnall
committed Details | Review

Description Saurav Agarwalla 2014-06-05 13:15:11 UTC
The online picasaweb documentation (https://developers.google.com/picasa-web/docs/2.0/developers_guide_protocol#Auth) states the scope as https://picasaweb.google.com/data/ whereas it is defined as http://picasaweb.google.com/data/ in gdata/services/picasaweb/gdata-picasaweb-service.c
Comment 1 Saurav Agarwalla 2014-06-09 17:15:42 UTC
I seem to have stumbled upon this link https://developers.google.com/gdata/faq#AuthScopes which gives the AuthSub/Oauth 1 scope as http://picasaweb.google.com/data/

However, the OAuth 2 scope is https://picasaweb.google.com/data/ as given in https://developers.google.com/picasa-web/docs/2.0/developers_guide_protocol#Auth
Comment 2 Philip Withnall 2014-06-15 22:18:44 UTC
(In reply to comment #1)
> I seem to have stumbled upon this link
> https://developers.google.com/gdata/faq#AuthScopes which gives the
> AuthSub/Oauth 1 scope as http://picasaweb.google.com/data/
> 
> However, the OAuth 2 scope is https://picasaweb.google.com/data/ as given in
> https://developers.google.com/picasa-web/docs/2.0/developers_guide_protocol#Auth

So that could be the problem, but also the problem could be caused by PicasaWeb not being added as an authorisation domain to the GOA object in gdata_goa_authorizer_set_goa_object() in gdata-goa-authorizer.c. Unless you’ve patched libgdata locally to add that?

I can’t remember from our IRC conversation what changes you’ve made locally and what the symptoms are of the failure you’re experiencing. Can you please reiterate what the problem is? Thanks.
Comment 3 Philip Withnall 2014-06-15 22:20:32 UTC
(In reply to comment #2)
> So that could be the problem, …

I should probably say: I’m not sure it should be a problem, because Google are generally quite good about accepting both ’http’ and ‘https’ for things like this, and also maintaining backwards compatibility for this kind of identifier. Indeed, I think you said on IRC that changing this URI in the source code didn’t help, which means the bug is elsewhere.
Comment 4 Saurav Agarwalla 2014-06-18 06:01:10 UTC
(In reply to comment #2)

> So that could be the problem, but also the problem could be caused by PicasaWeb
> not being added as an authorisation domain to the GOA object in
> gdata_goa_authorizer_set_goa_object() in gdata-goa-authorizer.c. Unless you’ve
> patched libgdata locally to add that?

Thanks for looking into this, Philip. The original problem was solved after modifying gdata_goa_authorizer_set_goa_object() to add authorization domains for Photos. 

However, now I am up against something else. Even, though the service is authorized now, gdata_picasaweb_service_query_all_albums () gives a 
"Authentication required: Authorization required" error. I am trying to find out what is the cause behind it.
Comment 5 Saurav Agarwalla 2014-06-18 11:35:56 UTC
Created attachment 278668 [details] [review]
My local changes

I have attached what local changes I have made and am mentioning a few things to better describe the problem.

Earlier the PicasaWebService I created wasn't actually authorized when checked using gdata_service_is_authorized (). But after the changes I made, it is authorized. However, when using gdata_picasaweb_service_query_all_albums () now, I am getting 'Authentication required: Authorization required' error. 

I have been going through the libgdata code to see if I missed adding anything more but haven't found anything so far.

Also, in case it helps, I added support for PicasaWeb to GNOME Online Accounts in Bug 728877.
Comment 6 Philip Withnall 2014-06-18 16:27:47 UTC
Created attachment 278701 [details] [review]
core: Add PicasaWeb support to GDataGoaAuthorizer

GOA has supported photos for a long time. Grab PicasaWeb
authentication if GOA has already got a token supporting it.

This bumps the GOA dependency to 3.8.
Comment 7 Philip Withnall 2014-06-18 16:28:39 UTC
Comment on attachment 278701 [details] [review]
core: Add PicasaWeb support to GDataGoaAuthorizer

I have committed your patch, since it is a useful bug fix. I'll take a look at the remaining problems later.

Attachment 278701 [details] pushed as 2e9da05 - core: Add PicasaWeb support to GDataGoaAuthorizer
Comment 8 Philip Withnall 2014-06-18 22:32:14 UTC
(In reply to comment #5)
> Created an attachment (id=278668) [details] [review]
> My local changes
> 
> I have attached what local changes I have made and am mentioning a few things
> to better describe the problem.
> 
> Earlier the PicasaWebService I created wasn't actually authorized when checked
> using gdata_service_is_authorized (). But after the changes I made, it is
> authorized. However, when using gdata_picasaweb_service_query_all_albums ()
> now, I am getting 'Authentication required: Authorization required' error. 

The only thing that comes to mind is that the authorisation domain URI used in GOA (‘https://picasaweb.google.com/data/’) doesn’t match that used in libgdata (‘http://picasaweb.google.com/data/’) as you noted before. You could try changing this (line 126 of gdata-picasaweb-service.c), but I don’t think it will fix things.

If you could show me the code of your program, plus get a log of it running, I should be able to debug further. Please run your program with these environment variables set:
    G_MESSAGES_DEBUG=all LIBGDATA_DEBUG=3

Thanks.
Comment 9 Saurav Agarwalla 2014-06-19 06:35:13 UTC
Created attachment 278732 [details]
Log for Photos
Comment 10 Saurav Agarwalla 2014-06-19 06:35:45 UTC
Created attachment 278733 [details]
Log for Documents
Comment 11 Saurav Agarwalla 2014-06-19 06:40:08 UTC
I have attached logs for both cases - when I try to index Documents (which seems to run well) and when I try to index PicasaWeb Photos (for which I am getting an error).

The code which I have added/modified can be seen over my github repo at 
https://github.com/saurav-agarwalla/gnome-online-miners/blob/wip-picasaweb/src/gom-gdata-miner.c
Comment 12 Saurav Agarwalla 2014-06-19 06:44:52 UTC
(In reply to comment #8)

> The only thing that comes to mind is that the authorisation domain URI used in
> GOA (‘https://picasaweb.google.com/data/’) doesn’t match that used in libgdata
> (‘http://picasaweb.google.com/data/’) as you noted before. You could try
> changing this (line 126 of gdata-picasaweb-service.c), but I don’t think it
> will fix things.

I have tried changing it but, as you mentioned, it doesn't fix things.
Comment 13 Philip Withnall 2014-06-19 08:38:46 UTC
Created attachment 278739 [details] [review]
core: Refresh authoriser on receiving SOUP_STATUS_FORBIDDEN

Previously the authoriser was only refreshed on receiving a
SOUP_STATUS_UNAUTHORIZED response from the server. This worked fine for
Google Documents, but it seems that PicasaWeb returns FORBIDDEN instead.
The authoriser was not being refreshed, and hence the user was seeing
access denied messages even though they were technically logged in.
Comment 14 Philip Withnall 2014-06-19 08:54:47 UTC
Looking at the logs, it seems that PicasaWeb returns a HTTP 403 where Documents returns a HTTP 401. The latter triggered the authoriser to refresh its authorisation, whereas the former didn’t — and hence failed.

Thanks for your help in debugging this, Saurav!

Attachment 278739 [details] pushed as 109417f - core: Refresh authoriser on receiving SOUP_STATUS_FORBIDDEN