List item
I have created a Google App Script REST - Application (starting with "script.google.com/"), that works with HTTP-requests.
The application works fine when it is available to 'everyone, even anonymous' but when I set it available to my domain only [EDIT:] OR "only myself" from the publish/deploy as WebApp[/EDIT], I can only access the web app with browser and signing in but not with http request.
I have tried requesting an authorization token with both Google OAuth Playground and an android application based on a Xamarin Auth Tutorial.
Both methods have resulted me a working authorization token that I can copy+paste to an other platform an confirm it is working with a request to https://wwww.googlapis.com/plus/v1/people/me.
I can access the Web app with browser and signing in. Now when I call my script with http request I get the following result:
"<HTML> <HEAD> <TITLE>Unauthorized</TITLE> </HEAD> <BODY BGCOLOR="#FFFFFF" TEXT="#000000"> <H1>Unauthorized</H1> <H2>Error 401</H2> </BODY> </HTML>"
I have tried to call the Web App with another App Script:
var headers = {
"authorization": "Bearer [access_token]",
};
var params = {
method:"GET",
contentType:"application/json",
muteHttpExceptions:true,
headers:headers,
};
var url = "https://script.google.com/[rest_of_the_script_url]";
var response = UrlFetchApp.fetch(url, params);
Also I have tried calling the Web App with C# OAuth2Request (Taken from the Xamarin tutorial):
var url = "https://script.google.com/[rest_of_the_script_url]";
var request = new OAuth2Request("GET", new Uri(url), null, account );
Also I have tried C# HttpWebRequest:
string accessToken = "Bearer [access_token]";
string url = "[https://script.google.com/[rest_of_the_script_url]";
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.create(url);
request.Method = "GET";
request.ContentType = "application/json";
request.Headers.Add("Authorization", accessToken);
var response = request.getResponse();
All previous methods have the same result: "(401) Unauthorized".
For scopes I have set:
https://www.googleapis.com/auth/plus.me
https://www.googleapis.com/auth/userinfo.email
My WebApp does not require any scopes according to it's properties.
[EDIT:] Also to make sure it does not I did set a doGet() method as simple as possible:
function doGet(e)
{
return ContentService.CreateTextOutput("success");
}
This question has been asked before, but some have found the solution and some have not. Also I did not success with the answers either.
I think my first attempt covers this one.
I tried to translate the Java answer to C#
Ok, thanks for reading down here, wish some one can help me out with this as I'm running out of ideas (and time, eventually).
EDIT:
Though the issue has resolved and turned out to be a scope-issue I am answering the questions in the comments below, in case this question might be of any help to anyone in the future.
I was able to get this to work with an access token authorized with the https://www.googleapis.com/auth/drive.file scope in the Google OAuth Playground.
That doesn't seem quite right in my opinion, but it's the least permissive scope I got to work.
Related
Integrating older ASP.NET server-side application into ADFS for authentication, which means I pretty much had to write everything from scratch. have everything working (/authorize, /token) up until the /userinfo call.
My code, in a nutshell -
HttpClient client = new HttpClient();
var req = new HttpRequestMessage {
RequestUri = new Url("https://<server_ip>/adfs/oauth2/userinfo"),
Method = HttpMethod.Get,
};
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);
req.Headers.UserAgent.Clear();
req.Headers.UserAgent.Add(new ProductInfoHeaderValue("OldApp", "11.3.0"));
var result = await client.SendAsync(req);
The result is a HTTP error 405 - Method Not Allowed. Doing searches online, I see this as a common issue when the trailing "/" is left off the url, but I get the same result with a trailing slash.
After poking around, there are a lot of examples that use newer libraries and such that I can't use, sadly. None mention usage of the /userinfo, and I'm thinking that the issue isn't necessarily in how I'm calling the URL, but configuration of the 'Application Group' in ADFS.
Okay - I found the issue, and will document it here in case others come across the same thing..
While I am not sure why /userinfo is giving a 405 - the URL I was using is wrong, despite it being listed in the Endpoints folder. There shouldn't be any "oauth2" in the URL. The correct code (and URL) is:
var req = new HttpRequestMessage {
RequestUri = new Url("https://<server_ip>/adfs/userinfo"),
Method = HttpMethod.Get,
};
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);
req.Headers.UserAgent.Clear();
req.Headers.UserAgent.Add(new ProductInfoHeaderValue("OldApp", "11.3.0"));
var result = await client.SendAsync(req);
Also something to keep in mind - this has been stated elsewhere, but not as clearly as here, I hope:
The /userinfo will ONLY give you the NameIdentifier ("sub") claim. (As far as I can see.) No matter what scope you pass it. You will get all your information (that should normally be in the /userinfo call) in the "id_token" parameter from you /token call, encoded as JWT.
Personally I was led to do the same thing as you, the only solution was to download the ADAL library (You will find the link below) and debug the code in order to re-produce the same HTTP stream from ADAL.
You can create a new project so that you can integrate ADAL, for debugging or else intercepting the HTTP stream
Link ADAL
I'm trying to upload a photo using the Picasa Web Albums Data API in C# and I'm using RestSharp to help me with the HTTP requests.
I have the client ID and the client secret, but I don't know how to put that on the http request to make the authentication.
I'm getting the error:
Modification only allowed with api authentication.
The StatusCode that is returning is Forbidden
Here is my code where is my user ID and is my album ID.
The method "Authenticantion()" returns a token that I already have.
[HttpPost]
public string PostImage(){
var restclient = new RestClient(BaseUrl);
RestRequest request = new RestRequest("https://picasaweb.google.com/data/feed/api/user/<userID>/albumid/<albumID>") {Method = Method.POST};
string imageBase64 = "data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAkGBwgHBgkIBwgKCgkLDRYPDQwMDRsUFRAWIB0iIiAdHx8kKDQsJCYxJx8fLT0tMTU3Ojo6Iys/RD84QzQ5OjcBCgoKDQwNGg8PGjclHyU3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3N//AABEIAIUAyAMBEQACEQEDEQH/xAAcAAABBQEBAQAAAAAAAAAAAAAAAQIDBAUGBwj/xAA6EAABAwIDBgMFBgYDAQAAAAABAAIDBBEFITESE0FRYXEGIpEUMkJSgSMzYqGx0QdDgpLB4TVTchX/xAAaAQEAAwEBAQAAAAAAAAAAAAAAAQIDBQQG/8QAMREAAgIBAwMDAgMIAwAAAAAAAAECAxEEEjETIUEFMlEiYRRCkSMzUoGhsdHhNHHx/9oADAMBAAIRAxEAPwD3FACAEAhNkA3eM29jbbt2vs3zsoyuAOupAqAEAIAQAgBACAEAIAQAgBACAEAIAQAgBACAEAIAQHmuNfxbw6mdUx4dRzVIieWNqLjdvIyJGdyL8eKxnbjsuT1Vafd3lweTYx4sbisrq+eB7nSEh0r7B3qNOnJYKpuXd9z2SuShiKwj1Dwx4nw6WppW4dLNE6Vzd5Bsm0Y47V8lza650XdSUsL+hWVfUi8dz1FrgRdpuOi7yaayjltY5FUgVACAEAIAQAgBACAEAIAQAgBACAEAIAQAgBACA+WMQpGYfUzYdUl0LaV7omGUZua0kA+i8UstvB168OKJcOo4a2WKjpm3iik3jnvGVwf04WWVk3FOTNopP6T0ajw+Cima+NgjEoIDguDZfOyDT8HpUYo3KXFp6c7hz3MeORycOYVY6i2lfRLseedMJvg0I8YqOEzvqVovUblxIyelh8FuHHKgZOLHjsvRX6tcvdhmMtHHwX4MbiebSsc3qMwuhV6tXLtNYPNLSyXBoQ1MU33cjXdL5roV6iqz2SyeeUJR5RMtioIAQAgBACAEAIAQAgBACAEAIAQAgBAeK/xHwanxfGhK8ENjndtluV22zHqFw43OF1qXydiFalXHPhGRhrGU+J7IY1jZQAABYDkpt71myWGdjFEKuhdBtBr2+aN54EaLjb1XZ34Zq35K1PWMqmmmrWbM0brFpNnNPQq1lU6frqeUThM04qcAACZ3dwzXkzGfddiHLHKJN1PHYtAcPw5qHBruhvhIfHUcDe6je1yVdZZZOrK15MZQL1PidRFk2Qub8rs17qvU76+Hkwnp4S8GjBjLTlPER1bmunV61F/vI4PNLStcMux4hSyaSgf+sl0Ia/Tz/N+vYxdM14JmzRu917T2K9KthLhme1/A8EHRWyiAupAIAugAuaNSAo3JDDAOB0IKKSfAwwupAXQCoAQAgBAVcRq20VHLUPt5BkOZ4LDU3qip2PwaVVuyaijyrFyZWukc67r3J5kr5ume6XfydvG1YOfmLWP27jJtwV0EsrAZ2eHwyFokAIBANlxrI7m0XTwT1eHU1e5rpBu52izZG5ZcjzCtVa61tfBTLi8kFqmjLWT+ZugeNCsLaYvvE3i4zXYtwzg6HNYqbj2ZnKD8k5cyUfagO68Qrb0+zM+8eBjqZ4zhdtjiDqqurPeJZWL8xEJSw2NwRzWWJRL7U+CRtQeao7JIzdZIKm+pRXMr0x2+B4qeqV2D2zn5leN0/kjYPFS8fG5bLUWLyV6aFNZIB9471V/xdq/MOkn4GGtedXOP1Vfxc3yy3SQ11TfUrN6hkqsYZwq9b7k7Bpq5Izdkj29nFFqbE/pb/Ut0ovlFSHxXiVH4soqWd28wuZgjffZ2myONmkHW3Puvq/SdROyn9o8vJ4NXQovMUeijRdc8AqAEAIDnMdf7bLuAfsozc24uXz/qM+vPYn2X9/8AR0dKumt3lnN1uFxPa/XMWXMblU+zPepbuTk6/D2xzNa4eRxsujTfvjnyS4ncxEBthwOS5tc/pyUku4Scx7ymXdExHsex7Cx4DgciCFRPHJSUWnlGbV0z6S8sV3Q8ebVEq4yPTXap9pciwVYyDl5pVSjwTKousnGVlVTweeUCVzmSi0rQR+a06ifZoot0e6ZXdSDWKT6OUOMXwzVXfKGmlnA0a7sVR0PwSrIMaYphrE/6BUenl8E5g+GJaT/rf/aVXpteB9PyOG+Okcn9pU7LPgj6fkeIah38p31VlVY/BG6C8i+zTH3nMb9bqypl5ZHUiOFMB78p+gU9KvyyHY/CF3EI+Y93Jsq+CN8hRBAdR+alQgRvmUqvC8EfUMqqqmifNEQ5j3EktINxbrde/T6qdXaLIlCVnKLPhPxlPX+JJ8Jrjk9hkpy5lnC2oNsuoX1NFvUjlnMvqUH2O9XoPOCAhqpNzTySD4WkrK6eytyLQjukkcq59ma3XyykddRKkrrleeyXc3ijBxyn3lO4MyeR5TyPBX0dm2Zo+DQoKts8TJWnJ7Q63JYNOqTi/BEllFouvxV9xVITatmCqSfwTjJaglDhb1UxsXkxlHBn12HFhMtILt1MY4dv2Wrxg9FV/wCWZUhmIzaVhOtPk9EoJlyOrys5YOtrgwlT8E7Khp4rJyceUZOtkrZRwJUq37mbiSNlWsbXjko4jzMeDj6rTq/cbRu8cfiNk6n3J2oa6QNGbh6qrn9wo58ED6uFurgT0Ue7hGqpk/BWkxBvwNv3V1S33ZtHT/LKzq2VxysB0WnRWDTpQQ0zSO1cVCqihiK4InXdqtFiPBGfBueE8ABxRmKyR7Lo2lrXfNdd70uNrTlL2+Dka6yDe1cndLsHOBAU8X/4+bt/leTXf8eRtp/3iOScciF8pux2OwkQOuVjOXc0KlXHtxFUpntmW8GJhdR7JVS4fIciTLD2JzH0P6hdPU1dWKsX8ysX4NyOXJc5pouSNeLqNwaHA7OipIjBcgqBo7Iq9d2O0jCVb5RHV4fFVXfE7dy87ZHuvQseCa75Q7Pgy5opqV2zMy3JwzBUNZPdCcbFmI0PHBVwWwOEjho4qjhF8oq4pj9+/wCb1VHTAr00G/f8wRUxI6aGmZ/zFXVUfgtsRE5xOpK0jHHBbjgiLraLVINiHNTgqOaFVsq2TsjJsAsZTKs6LA8C3pE1SLMB0PFdnQemueLLl2+Dm6rWL2QOtYxrGhrRYDIAL6BHKHKQCAr1zN5SStAudk2WGpjvpkvsXrltmmcbLkvjLHhncRAVhJlsDHC+SybLGHjeHPlaJaYtbURO24nHS/I9DoupotUvbLhhxzwJhmICqhuGljgdl8bveYeIK01Gm2MJmkx99F4ZRLkrX81m0B97rNoholildGcjkoUnHgpKKkXGVMb27MgB6ELeN6fZmDra7ohlwuknF4iYnfh09F6IyUuGXjqbIc9ypJg9Uz7t8cg9CrbTeOsrfuWCu+jrI/egf/SLquEaq6qXDIXCRps6N47tKYRonF+Rm0eRTCJwIS46NJ+issEDDtX913orJogGi7w0uFzoCcyrN9smbwa9BhlTVEbqM2PxHRVq012of7OPb58Hntvrr9zOowvAIqbZkn87+XBd3Sel10vdPvI5V+snZ2j2RuNFhYaLqnjFQAgBAIUBx+LU/s9VJGB5b3b2K+P9Qp6VridnT2b4JmcuVk9ItlVgY5oKopbXknJgYrhksUxraIHefzIx8Y/ddrSayM49OwnHlDaGvbM0WOfda3adxJTNNkgdoV4ZQZYla/qspRBIHhZODK4H3BVHFkYHMkcw3Y4hFuXBDinyTtrZW62PdaRusRR0xHCvePgH0Wn4iXwV6CYv/wBF/BqdeXwPw6GOr5fwqOrJk9CI32+XoE6kiehAa6vmdq4eiOUnySqIIqzOpZaiOonpYJJ4zdkroxtNPQrWq2+HsYlp4SLjfEdRTQhkRyGnFdOv1LVpY7GD0NWe5Vq/4jT4U6GSsonT0xfaV8Vg5g5gcV1dJq7LMqw8t+kjHvE9FgmZUQsmicHRvaHNcDkQV0jnvsSIAQAgBAZHiCk30G+YPNHr1C5Xqmm6te9cr+x69JbtltfDOUeNk5L5Ca2s66AFUZIEXVJIqNLcrWVFJplsmRieC715npCGTHUH3X9+R6rq6X1FRW2zgnOTNhrZYJDDUNdG8atcM/8AfddJ1QsW6DyiU/k0IqsOAIddeWVDRYssmBzWDrYJBL1WbrA7eqvTAu96qOmQG9TpAN6mwCbxTsAhkUqAGmRXVYyRudtZK6WAyNzNpaKWCuCtUYU7ER7O2Mvc/Jo5Femi2W9KHJlYo7cy4PVsHpBQYZS0gNxDE1l+wX1COC3kuKSAQAgBAI5oc0hwuCjBx2MUTqSoLQPs3ZtP+F8h6lo+hZ2X0vj/AAdnTXdSHfkzNCuPhnrHNcoIY5UcSoiyaBFVUdPWM2J4w5vC+o7LanU2UvMGMsxpvD88Xmopw4D4Zcj6hdar1WEli2P81/gspEQjrqf76lksOLfMPyXoVuns9kl/YumhzKi+RuO4sjrJRIJ+qp0y2B296hRsGBRIeahxGBwe7RRhENAXuU7UVAbR1JTsVHtaSqOSBMyIHusZWElyloXzyBsbddTyW+l0l+qf09l8mF19dS78nVYPhUNGA8jblOrivqNLoq9MsR5+fJyLtRO55fBtNGS9ZgKgBACAEAICriFHHWU7o368DyKxvohdW4T4L12OuW5HFVdNJTTGKVtnD0K+L1Wknp7Nk/8A07lVsbY5RBdeRrJqK11lRxaIaHhwVH9yMAqbRgLkaJgYF2uKrhkYAuB4XRJrgnDEuPlCt9XyO41xYAfs2+i0ipfxE4fyQmVrdI2jsFuqpPmTL4+5z3ip9e9sE9BLI0w7RLGNvckakceX1XY9OhUsxn5+Tz3qa7wLuFyGqoKadzTvJImucNmxvxyWV0GrHFLz/wBmkbE4KT7GhHTSvOTD6KY6TUz4gykr6o8yLsOGTvObLd8l6q/R75e9pf1PPLX1L29zSpsHtYyuHYBdCj0iivvL6meSzW2S9vY2KWBkQ2WNsF1UsLCPHk0IhZATDRAKgBACAEAIAQFDFMOir4rOFnj3XDgvPqNPXqIbJo0qtlXLMTi62lmo5THM2x4Hgey+S1egt00vq7r5OzTfG1duSDaXjwbjmvVHAD9pZusBtKNhGAumwBtAIoNkjHSALSNIwROmvkt41YLELnDhqt1FkixRue8C13HQLaqieolsrRlbdCqOZHUYfh7ImXLBtHVfWU1RpioxODZZKbyy+2BrdAAtTMkbGgJGMQFiONAWGCyAegBACAEAIAQAgBAVK6hhrIiyZlwqygpLbLglNxeUcbimD1NDd8bXTQ9PeH7rhar0fDcqP0OlTrVxZ+pltkBzByXFnU4vbJYZ74yUu6Hh6z2Fhd51TYBDKp2AY6Q2V1WgRF7itFFEgGucjaROSSKMvkEcTduQ8OXUrbT6WzVPC4+TC7URqXfk6XCcJENnyeaQ6lfU0aeGnhsgv9nEstlZLMjabFbQLYzHiK6AkbEgJWxhAStaAgHIAQAgBACAEAIAQAgBAMfG14sQgMTEvDlLVkuDNiT52GxWdlMLViayXhZKHtZz9X4ar4M4JWSjk8WPqFzbPSapextHshrpL3LJmS0mIQ3EtFJ3YQ7/AH+S8c/Sblw0z0R11b5IDIWe/FK3vGV55en6hflNVqqn+Ybvmng8/wBBUfg9R/Cy3Xr/AIkSxMmlNoaaZ/Ztv1WkPTdRJ8YM5ayqPk06PAa+ozm2YWHgDdy99PpMI97Xn7Hls17faCwdNhuCw0bfI3Pi46ldaMYxWIrCPA5NvLNQRADJWIHCNAODEA4NQC2CAVACAEAIAQAgBACAEAIAQAgBAIQCgI3QxnVqAidRQO1YEA32Cn+QICRlLE3RgQEzWNboEAtkAWQCoAQAgBACAEAIAQAgP//Z";
request.AddParameter("client_id", this._clientID);
request.AddParameter("client_secret", this._clientSecret);
request.AddParameter("grant_type", "client_credentials");
request.AddHeader("GData-Version", "3");
request.AddHeader("Content-Type", "image/jpeg");
request.AddHeader("accessToken", Authenticantion());
request.AddBody(#"Content-Length: 5951
Slug: banana.jpeg " + imageBase64);
var tResponse = restclient.Execute(request);
var responseJson = tResponse.Content;
var token = Authenticantion();
return responseJson;
}
The OAuth2 authentication normally happens inside a user flow, where the user makes the login with the user and allow (or not) some scopes to the app (e.g. access Picasa, read only for Google Drive).
You can check the complete flow through this link: OAuthPlayground. And get your own token at the end of the flow to use with your HTTP requests. One thing to take care is about refresh the tokens, inside the playground it's possible to set to never expire. But on the real world you would need to implement this refresh.
The Picasa API is a little outdated, I'd recommend you to use GoogleDrive instead, it's much more flexible and up to date.
GoogleDrive_API_Docs
It's also possible to make this flow via OAuth2_ Server to server, but I never tried before.
I am struggling to call APIs hosted in Google Cloud https://apis-explorer.appspot.com/apis-explorer/?base=https%3A%2F%2Finnovative-glass.appspot.com%2F_ah%2Fapi#p/mirror/v1/
Up to my understanding, APIs are exposed as REST service. I need to make rest service call from .net application.
I have done OAuth Authentication. I am passing access_token as per the guidance given https://developers.google.com/accounts/docs/OAuth2WebServer
My Code:
UriBuilder uriBuilder = new UriBuilder("https://innovative-glass.appspot.com/_ah/api/mirror/v1/timeline");
string userId = Session["userId"] as string;
var state = Utils.GetStoredCredentials(userId);
NameValueCollection queryParameters = HttpUtility.ParseQueryString(uriBuilder.Query);
queryParameters.Set("access_token", state.AccessToken);
uriBuilder.Query = queryParameters.ToString();
var request = (HttpWebRequest)WebRequest.Create(uriBuilder.ToString());
request.Method = "GET";
var response = (HttpWebResponse)request.GetResponse();
I am getting UnAuthorized exception.
Is my understanding is right? Am I doing right way?
It seems that cloud endpoints don't use the Google API default of accepting access_token as query parameter. According to the Discovery document the equivalent query parameter is oauth_token so it should work with:
queryParameters.Set("oauth_token", state.AccessToken);
Alternatively (which in my opinion is the better solution) you can also set the Authorization header of the request instead of adding the token as query parameter:
request.Headers.Add("Authorization", "Bearer " + state.AccessToken);
Where are you getting the AccessToken from, and are you sure it is still a valid token? Remember that access tokens expire about an hour after being generated, although can be revoked earlier.
Clicking on the sign-in button at innovative-glass.appspot.com gives me an origin mismatch error, so it looks like you may also have a configuration issue.
Have you been able to get it to work using just the API Explorer?
After Twitter deprecated their Twitter API 1.0, I've tried several methods in order to get the 1.1 API working for my Windows 8 application. However, what you see below is basically what I've ended up with:
public List<UserTweet.User> jsonFromTwitter;
private async void fetchTweet()
{
var jsonTwitter = new Uri("http://api.twitter.com/1.1/statuses/user_timeline.json?screen_name=stackoverflow&result_type=recent");
HttpClient client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Get, jsonTwitter);
var oAuthHeader = "OAuth oauth_consumer_key=\"XXXXX\", oauth_nonce=\"XXXXX\", oauth_signature=\"XXXXX\", oauth_signature_method=\"HMAC-SHA1\", oauth_timestamp=\"1318622958\", oauth_token=\"XXXXX-XXXXXX\", oauth_version=\"1.0\"";
request.Headers.Add("Authorization", oAuthHeader);
var response = await client.SendAsync(request);
var responseString = await response.Content.ReadAsStringAsync();
jsonFromTwitter = JsonConvert.DeserializeObject<List<UserTweet.User>>(await client.GetStringAsync(responseString));
//listbox.ItemsSource = jsonFromTwitter;
}
However, this won't do much good, and it switches between mainly a couple of errors. One of them can be seen below, and the other one is "Could not authenticate user" or similar, basically there's something wrong with the headers as far as I've understood.
Anyone got any ideas on how to construct a working OAuth header for this? I'm clueless at the moment.
There's a lot more you need to do for the value assigned to the Authorization header - plain text won't work. The following pages in the Twitter OAuth documentation might help you get started in the right direction.
Twitter's Docs have a section on Authentication
Authorizing a Request
Creating Signatures
I am trying to unshorten urls and have not been able to find code (vb.net/c#) to do this. These are the twitter shortened urls and I guess I could try and access one of the web services available and do a httpwebrequest but would prefer to find some programmatic way of doing this.
You can get it directly from response of the shortened url since it will return a status code MovedPermanently and the location for the real url.(This should work for most of the sites without the need for navigating to the real url)
HttpWebRequest req = (HttpWebRequest)WebRequest.Create("http://t.co/xqbLEi6s");
req.AllowAutoRedirect = false;
var resp = req.GetResponse();
string realUrl = resp.Headers["Location"];
Other test data: http://goo.gl/zdf2n , http://tinyurl.com/8xc9vca , http://x.co/iEup, http://is.gd/vTOlz6 , http://bit.ly/FUA4YU
There is no magic way to unshorten a URL without asking the service which created the URL (and the way to ask will be different for each service), or more pragmatically, just opening the URL and watching where it redirects to.