Hacked around the whole day trying to get my domain working with the AuthSub authentication method in Himiko.
Finally nailed down some key methodology for it. Here is what I think should get things working smoothly. A few things to note though: I insist on using the secure token exchange for AuthSub, and this requires a working X.509 certificate. Here are the pseudo steps of what I did to make it work. Oh… and I used Perl.
The workflow that I have is as follows:
- Load the authentication page. This loads the single-use AuthSub request.
- The AuthSub request redirects to the login page for the sessionToken exchange. The login page also handles the sessionToken any way it wants in order to reuse that token.
1) Create a new private/public key pair for use with AuthSub secure authentication. I did this by running ssh-keygen -t rsa.
2) Create a new CA based on this private/public key pair. I used something like
openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
3) Write the code that creates the single-use AuthSub token request and redirects to your own script, which extracts the token from the query string.
4) Use Crypt::OpenSSL::RSA to load the private key generated in (1). At the same time, verify at http://www.google.com/accounts/ManageDomains that the certificate you created in (2) was uploaded and is OK.
5) Sign the GET request for the session token using the sign method from the Perl SSL package (Crypt::OpenSSL::RSA). At the same time, use MIME::Base64 to encode the signature as base64. Mine was something like
my $authsigned = encode_base64($rsa_priv->sign($authdata), "");
6) Put all this information together as described at http://code.google.com/apis/accounts/docs/AuthSub.html#signingrequests. The thing to note is that you sign ONLY the "data" part of the Authorization header, NOT the whole Authorization header.
If done right, at this point you should be able to get a session token authorized for the scope defined in your AuthSub request.
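As an added worked example of steps 3 to 6 (my own illustration, not the post's code), here is a Perl script that builds the AuthSubRequest URL, signs only the "data" string with Crypt::OpenSSL::RSA, assembles the Authorization header, and then verifies its own signature with the public half before anything is sent to Google. The header layout (token, sigalg, data, sig) and the "METHOD URL TIMESTAMP NONCE" data string follow the AuthSub signing documentation linked in step 6. It generates a throwaway key so it runs without any files; the commented lines show where the privkey.pem from step 1 would be loaded instead. The token value, the next URL and the scope are placeholders, and the URI module (CPAN) is assumed to be installed alongside Crypt::OpenSSL::RSA.

```perl
#!/usr/bin/perl
# Added example, not the original post's code: build and self-check an
# AuthSub secure-mode Authorization header, plus the step 3 request URL.
use strict;
use warnings;
use Crypt::OpenSSL::RSA;
use MIME::Base64 qw(encode_base64 decode_base64);
use URI;

# Step 1/4: in real use, load the PEM private key that the uploaded
# certificate (step 2) was generated from:
#   open my $fh, '<', 'privkey.pem' or die $!; local $/; my $pem = <$fh>;
#   my $rsa_priv = Crypt::OpenSSL::RSA->new_private_key($pem);
# A throwaway key keeps this demo runnable without any files.
my $rsa_priv = Crypt::OpenSSL::RSA->generate_key(2048);
$rsa_priv->use_sha1_hash();    # AuthSub secure mode uses RSA-SHA1

# Step 3: the single-use request URL. 'next' is the script that reads the
# token from its query string; secure=1 and session=1 ask for a token that
# can be exchanged for a session token with a signed request.
sub authsub_request_url {
    my (%p) = @_;
    my $u = URI->new('https://www.google.com/accounts/AuthSubRequest');
    $u->query_form(next => $p{next}, scope => $p{scope}, secure => 1, session => 1);
    return "$u";
}

# Steps 5-6: sign ONLY the data string, then wrap the header around it.
sub authsub_header {
    my ($rsa, $token, $method, $url) = @_;
    my $timestamp  = time;
    my $nonce      = sprintf('%d%09d', int(rand 2**31), int(rand 1e9));  # random nonce
    my $authdata   = "$method $url $timestamp $nonce";
    my $authsigned = encode_base64($rsa->sign($authdata), '');   # '' = no line breaks
    return sprintf('AuthSub token="%s" sigalg="rsa-sha1" data="%s" sig="%s"',
                   $token, $authdata, $authsigned);
}

# Local check before talking to Google: pull data= and sig= back out of the
# header and verify with the public key. Signing anything other than the
# bare data string (e.g. the whole header) makes this fail.
sub verify_authsub_header {
    my ($pub, $header) = @_;
    my ($data) = $header =~ /data="([^"]+)"/ or return 0;
    my ($sig)  = $header =~ /sig="([^"]+)"/  or return 0;
    return $pub->verify($data, decode_base64($sig)) ? 1 : 0;
}

# Placeholder: the single-use token your 'next' script read from the query string.
my $token = 'SINGLE_USE_TOKEN_FROM_QUERY_STRING';
my $hdr = authsub_header($rsa_priv, $token, 'GET',
                         'https://www.google.com/accounts/AuthSubSessionToken');
print "Authorization: $hdr\n";

my $rsa_pub = Crypt::OpenSSL::RSA->new_public_key($rsa_priv->get_public_key_string());
$rsa_pub->use_sha1_hash();
print 'signature check: ', (verify_authsub_header($rsa_pub, $hdr) ? 'ok' : 'FAILED'), "\n";

# Placeholder next URL and scope for the step 3 redirect.
print 'request url: ', authsub_request_url(
    next  => 'https://example.com/cgi-bin/login.pl',
    scope => 'https://www.google.com/calendar/feeds/'), "\n";
```

The printed Authorization line is what goes on the GET to AuthSubSessionToken (for instance via LWP::UserAgent with $req->header(Authorization => $hdr)). Keeping the local verify step in your login script is a cheap way to tell a bad signature apart from a certificate that has not been uploaded and accepted at ManageDomains: if the self-check passes and Google still rejects the request, the problem is on the certificate side, not in the signing code.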