
2 Legged OAuth in Python


Google Apps Premier/Education administrators can take advantage of 2 legged OAuth to communicate with the Google Data APIs. If you're using the Google Data Python client library 1.2.3+, an updated sample is available here. Otherwise, if you're stuck with an older version of the library (< 1.2.3), you can use the Python OAuth library from oauth.net.
import urllib
import oauth
import gdata.contacts
import gdata.contacts.service

CONSUMER_KEY = 'yourdomain.com'
CONSUMER_SECRET = 'YOUR_CONSUMER_SECRET'
CONTACTS_URL = 'http://www.google.com/m8/feeds/contacts/default/full'

# Setup 2 legged OAuth consumer based on our admin "credentials"
consumer = oauth.OAuthConsumer(CONSUMER_KEY, CONSUMER_SECRET)

user = 'any.user@yourdomain.com'
params = {'max-results': 50, 'xoauth_requestor_id': user}

# Construct the request manually and sign it using HMAC-SHA1
# Note: The params dictionary needs to be passed in separately from the base URL
request = oauth.OAuthRequest.from_consumer_and_token(
   consumer, http_method='GET', http_url=CONTACTS_URL, parameters=params)
request.sign_request(oauth.OAuthSignatureMethod_HMAC_SHA1(), consumer, None)

# See patch @ http://code.google.com/p/oauth/issues/detail?id=31
headers = request.to_header()

client = gdata.contacts.service.ContactsService()

# Query the user's contacts and print their name & email
uri = '%s?%s' % (request.http_url, urllib.urlencode(params))
feed = client.GetFeed(uri, extra_headers=headers, converter=gdata.contacts.ContactsFeedFromString)
for entry in feed.entry:
 print '%s, %s' % (entry.title.text, entry.email[0].address)
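
How the HMAC-SHA1 signature in the sample above is computed, as an added example in Python 3 using only the standard library (not code from the original post or from the oauth library). It builds the OAuth 1.0 signature base string, which shows why the params dictionary is passed separately: the base URL is signed without a query string, while every parameter, including xoauth_requestor_id, is covered by the signature. The function names, nonce, timestamp and secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def enc(value):
    # OAuth percent-encoding: only RFC 3986 unreserved characters stay literal
    return quote(str(value), safe='-._~')


def base_string(method, url, params):
    # Query and oauth_* parameters are encoded, sorted, then joined together;
    # the URL itself must not carry a query string.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = '&'.join('%s=%s' % pair for pair in pairs)
    return '&'.join([method.upper(), enc(url), enc(normalized)])


def sign(method, url, params, consumer_secret):
    # 2-legged OAuth has no token, so the key is "<consumer secret>&"
    key = (enc(consumer_secret) + '&').encode()
    message = base_string(method, url, params).encode()
    digest = hmac.new(key, message, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method, url, params, consumer_secret, signature):
    # Server-side check: recompute and compare in constant time
    expected = sign(method, url, params, consumer_secret)
    return hmac.compare_digest(expected, signature)


# Constructed sample request (nonce, timestamp and secret are made up)
URL = 'http://www.google.com/m8/feeds/contacts/default/full'
SECRET = 'constructed-consumer-secret'
PARAMS = {
    'max-results': 50,
    'xoauth_requestor_id': 'any.user@yourdomain.com',
    'oauth_consumer_key': 'yourdomain.com',
    'oauth_nonce': '0123456789abcdef',
    'oauth_timestamp': '1262304000',
    'oauth_signature_method': 'HMAC-SHA1',
    'oauth_version': '1.0',
}

if __name__ == '__main__':
    print(base_string('GET', URL, PARAMS))
    print(sign('GET', URL, PARAMS, SECRET))
```

Because xoauth_requestor_id is inside the signed parameter set, changing the impersonated user after signing invalidates the signature.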

Secure AuthSub in PHP


A helper for sending a signed HTTP GET request in PHP.

// upgrade a single-use AuthSub token
$response = signedGET('https://www.google.com/accounts/AuthSubSessionToken', $singleUseToken);

// fetch Calendar data
$response = signedGET('http://www.google.com/calendar/feeds/default/allcalendars/full', $sessionToken);

<?php
function signedGET($requestURL, $token) { 
  $privKeyFilePath = "../myrsakey.pem";
  $timestamp = time();
  $nonce = md5(microtime() . mt_rand()); 
  $sigalg = 'rsa-sha1';
  
  // construct the data string
  $data = "GET $requestURL $timestamp $nonce";
  
  // get rsa private key
  $fp = fopen($privKeyFilePath, "r");  
  $priv_key = fread($fp, 8192);
  fclose($fp);                                

  // compute signature
  $privatekeyid = openssl_get_privatekey($priv_key);
  openssl_sign($data, $signature, $privatekeyid, OPENSSL_ALGO_SHA1);
  openssl_free_key($privatekeyid);

  $curl = curl_init($requestURL);
  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($curl, CURLOPT_FAILONERROR, true);
  // Keep certificate verification on: the token and signature are sent in this request
  curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
  
  // Set Authorization header 
  $sig = base64_encode($signature);
  curl_setopt($curl, CURLOPT_HTTPHEADER, array(
      "Authorization: AuthSub token=\"$token\" data=\"$data\" sig=\"$sig\" sigalg=\"$sigalg\"")
  ); 
  
  $result = curl_exec($curl);
  curl_close($curl);

  return $result;
}
?>

Signed AuthSub in Ruby


Example code for signing an AuthSub request in Ruby. Contributed by an awesome guy named Immad. Watch out for the groups linebreak in his line that starts with header =, though.