TripIt: 1) call oauth_callback to authorize URL, 2) error message: state token is invalid or has expired

[wivaku]

I am trying to use the OAuth1 library for TripIt.

Issue 1:

By default, the authorization URL that is created by the library is:
https://www.tripit.com/oauth/authorize?oauth_token=7af4...96c

But TripIt expects the URL to be:
https://www.tripit.com/oauth/authorize?oauth_token=7af4...96c&oauth_callback=https://script.google.com/macros/d/MrG...b6R/usercallback

Q: is there a way to automatically create the correct URL? I now add the callback manually.

Issue 2:

With the correct URL I get a TripIt authentication page. When I click Allow the Google Apps Script macro page is opened, with the error message: The state token is invalid or has expired. Please try again.

The URL of that macro page:
https://script.google.com/macros/d/MrG...b6R/usercallback?oauth_token=7af...96c

Q: what is the cause / fix of this?

The code I use to create the service:

  return OAuth1.createService('tripit')
      .setRequestTokenUrl('https://api.tripit.com/oauth/request_token')
      .setAuthorizationUrl('https://www.tripit.com/oauth/authorize')
      .setAccessTokenUrl('https://api.tripit.com/oauth/access_token')
      .setConsumerKey('73b...458')
      .setConsumerSecret('2a7...a5d')
      .setProjectKey('MrG...b6R')
      .setCallbackFunction('authCallback')
      .setPropertyStore(PropertiesService.getUserProperties())

The TripIt API documention:
http://tripit.github.io/api/doc/v1/index.html#authentication_section

Thanks in advance for any suggestions!

[erickoledadevrel]

Add .setParamLocation('uri-query') on your service to specify that the OAuth parameters should be passed via URL instead of the Authorization header:

https://github.com/googlesamples/apps-script-oauth1/blob/master/Service.gs#L79

As for the second issue, ensure that you are using the right project key.

[wivaku]

Thanks Erick for the quick reply.

I believe the setParamLocation is used for the other steps in the process.
The authorization URL is just a URL (not a POST request), right?
And, for those other steps: TripIt does expect them in the auth header, so the default option should be ok.
To be sure I tested it as you suggested:

• the URL still needs to be manually modified to include the oauth_callback parameter
• the same macro error message

I double checked: the project key is correct.
When I use an incorrect project key I get a different error message: Sorry, the file you have requested does not exist
Are there specific permissions needed?

update: here is the list of combinations I tried:

• .setParamLocation('auth-header').setMethod("get"): no oauth_callback in the URL (and no state)
• .setParamLocation('auth-header').setMethod("post"): same
• .setParamLocation('uri-query').setMethod("get"): same
• .setParamLocation('uri-query').setMethod("post"): same
• .setParamLocation('post-body').setMethod("get"): TripIt API error 102.1 - consumer key is missing
• .setParamLocation('post-body').setMethod("post"): TripIt API error 104.1 - invalid signature

[wivaku]

For the macro URL, I noticed it looks different than the one in the other issue:
https://script.google.com/a/macros/fancy-domain.org/d/ProjectId/usercallback?state=ADE...ygJf&oauth_token=b4f...92e&oauth_verifier=d30...225

In mine there is no oauth_verifier or state.

[erickoledadevrel]

I just submitted commit a3fb1f1, which should resolve the issue. Tripit uses OAuth version 1.0, instead of 1.0a which the library was setup for. I made changes to support 1.0, and tested it with the Tripit API. Update to the latest version of the library and call setOAuthVersion('1.0') when building the service.

[wivaku]

Fantastic Erick!
Thanks for the very quick and very useful response.
I can confirm it works great now.