
Hoping someone can help me out here. I'm using Google Contacts API to fetch a list of contacts. To my understanding, this is done by sending a GET request:

https://www.google.com/m8/feeds/contacts/default/full?alt=json&max-results=9999&oauth_token=OATH_TOKEN_HERE

However, this is wildly insecure as any intruder can gain access to the oauth_token in the URL. To combat this, I'm trying to send this as a POST request with my parameters (alt, max-results, oauth_token) as the data. However, I simply get an error that "Authorization is required". I've tried adding "Authorization: OAuth" to my headers but to no avail (get an error that authorization type is not recognized).

Any advice? I need a secure way to send the oauth token to Google such that my security software won't complain about a security hole in my program ...

Thanks!

Kara
jnfr
    POST data is just as accessible to an intruder as GET data. Using POST instead of GET provides exactly zero added security. – Jordan Running Apr 26 '12 at 05:36
  • possible duplicate of [If you use https will your url params will be safe from sniffing?](http://stackoverflow.com/questions/893959/if-you-use-https-will-your-url-params-will-be-safe-from-sniffing) In which HTTPS traffic, QueryString parameters are encrypted when using HTTPS as you have linked. – Erik Philips Apr 26 '12 at 05:39
  • I guess the issue I'm trying to fix is "Session token in URL" which my security suite keeps yelling at me for. This pops up only for GET requests, but disappears for POST requests. Nevertheless, any idea how I can get POST requests to work for fetching contacts from Google? – jnfr Apr 26 '12 at 05:40

1 Answer


To answer your question directly, even though security is irrelevant as you are using HTTPS, you cannot POST to Google to get a list of contacts. Google requires you to use GET.

The proper formatting for authorization (because you can still use a GET and not pass the oauth_token as a query string) is to use an HTTP header formatted:

Authorization: Bearer 1/fFBGRNJru1FQd44AzqT3Zg

Using OAuth 2.0 to Access Google APIs

Erik Philips
  • Ah, I guess there's no way around this one. Thanks! – jnfr Apr 26 '12 at 05:50
  • Oh, yes I understand that part! (Thanks again!) I mean there's no way around this entreprise software complaining about security here. :P – jnfr Apr 26 '12 at 05:58
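Added example (my own code, not from the question, the answer, or Google's client libraries): building the contacts request in Python so that the OAuth token travels in an Authorization: Bearer header and the query string carries only the non-secret alt and max-results parameters from the question. The endpoint URL is the one in the question; every token value is a constructed placeholder. A small helper flags any credential-bearing parameter that ends up in the URL, which is the condition the asker's scanner reports as "Session token in URL". Google has since shut down this Contacts feed, so the request is built and inspected offline; fetch_contacts only sends it if you call it with a real token against a live endpoint.

```python
"""Send the OAuth token as a Bearer header instead of a query parameter.

Added example, not code from the original post. The endpoint and the
alt/max-results parameters come from the question; token values below
are constructed placeholders, not real credentials.
"""
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

# Endpoint from the question (the feed itself has since been retired by Google).
CONTACTS_FEED = "https://www.google.com/m8/feeds/contacts/default/full"

# Parameter names that carry a credential and must never appear in a URL.
SECRET_PARAMS = ("oauth_token", "access_token")


def build_contacts_request(access_token: str, max_results: int = 9999) -> Request:
    """Build the GET request for the contacts feed.

    The token is placed in the Authorization header (the form the answer
    gives); the query string holds only the non-secret parameters, so it
    is safe to appear in proxy logs, browser history or a Referer header.
    """
    query = urlencode({"alt": "json", "max-results": max_results})
    url = f"{CONTACTS_FEED}?{query}"
    return Request(
        url,
        headers={"Authorization": f"Bearer {access_token}"},
        method="GET",
    )


def secrets_in_query(request: Request) -> list:
    """Return the names of credential parameters present in the request URL.

    An empty list means the URL is clean; anything else reproduces the
    'session token in URL' finding from the question.
    """
    params = parse_qs(urlsplit(request.full_url).query)
    return [name for name in SECRET_PARAMS if name in params]


def fetch_contacts(access_token: str, max_results: int = 9999) -> bytes:
    """Actually send the request. Network call; needs a valid token."""
    req = build_contacts_request(access_token, max_results)
    if secrets_in_query(req):
        raise ValueError("refusing to send a credential in the query string")
    with urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    # Hardened form: token in the header, clean query string.
    good = build_contacts_request("ya29.constructed-placeholder-token")
    print(good.get_method(), good.full_url)
    print("Authorization:", good.get_header("Authorization"))
    print("secrets in query:", secrets_in_query(good))

    # The form from the question, for contrast: token leaks into the URL.
    bad = Request(f"{CONTACTS_FEED}?alt=json&oauth_token=constructed-placeholder")
    print("secrets in query:", secrets_in_query(bad))
```

The check in fetch_contacts is deliberately strict: HTTPS does encrypt the query string on the wire, as the comments above note, but the URL is still written to server and proxy logs and leaks through Referer headers, which is why scanners treat a token in the URL as a finding regardless of TLS.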