I have registered my app at https://developer.yahoo.com/apps/BY4faaaa/
How can i grant scope for yahoo mail reading?
How can I enable mail-r scope since it is not being shown in the dashboard?
In this screenshot, are yahoo's [email scopes], but I can't see the one which grants permission to read emails of the authenticated user (https://developer.yahoo.com/oauth2/guide/yahoo_scopes/)
mail-r / mail-w are the correct scopes. I can confirm as I got it working.
I'll tell you Yahoo's dirty little secret: they hardcode a whitelist of acceptable applications. If your app is not in their list, you won't be able to access mail scopes.
Unless, of course, you use the "secret" key from some other open-source app. Until they break it again, of course.
I think you'll be better off telling your clients to switch to a sane mail provider.
You can either transmit in the request body using POST or as part of the query string with GET.
eg: https://api.login.yahoo.com/oauth2/request_auth?client_id=lotsofletters&response_type=code&redirect_uri=https://yahoo.com&scope=openid%20mail-r
Also see: https://developer.yahoo.com/oauth2/guide/openid_connect/getting_started.html#getting-started-setup
You cannot enable access to those scopes by yourself.
Scopes like:
mail-r (read only), mail-w (read+write) - IMAP (maybe also POP)
sdct-r (read only), sdct-w (read+write) - CardDAV
ycal-r (read only), ycal-w (read+write) - CalDAV
Those scopes are restricted so you have to request developer access from Yahoo. The only scopes which you have access to without the authorization from Yahoo are openid, email and profile.
More information on requesting developer access to restricted scopes:
https://senders.yahooinc.com/developer/developer-access/
Developer access request form:
https://senders.yahooinc.com/developer/developer-access-mail-form/
Related
I have seen other posts that are very similar, but I don't find a real answer. Some say "it is coming", those are old.
I am authenticating with the Admin credentials to our O365 and trying to pull calendar information. The Scope has Calendars.ReadWrite (which falls under App-Only and Delegate as far as scopes), but it always returns a 403. ErrorAccessDenied, "Access is denied. Check credentials and try again"
The Graph doc for calendar views shows it can send in users/{id} in the request, and the id's came back when I listed all the users. Of course if I use mine, it works.
If there really is an App-Only scope vs a Delegate scope for this same scope name, how do you specify that?
Is there something I have to specify in O365 for my admin user so it has rights? I can delete or create any user with that account in O365, so it appears it should have what it needs.
Thanks
So, App-Only has a slightly different flow.
First, instead of authenticating the user at "https://login.microsoftonline.com/common/oauth2/v2.0/authorize", you authenticate them at "https://login.microsoftonline.com/common/adminconsent".
Second, you pass in the same parameters minus "scope". Scope is determined by your Application Permissions defined in you application that you registered at apps.dev.microsoft.com.
Third, when you receive your callback you will not have a "code" to use to go and retrieve your Access and Refresh tokens. Instead, you will receive a "tenant" property and an "admin_consent" property. "admin_consent" will tell you whether you have the rights or not.
Fourth, when requesting your access token, you will not supply the "scope" or "code" parameters, but you will provide a "resource" parameter, with the value "https://graph.microsoft.com".
Lastly, the URL you contact to get the token will change from "https://login.microsoftonline.com/common/oauth2/v2.0/token" to "https://login.microsoftonline.com/{tenant}/oauth2/token", where {tenant} will be the value returned.
Please note that in the URL that "v2.0" is missing. That isn't a typo. If you do not remove that from the path you will get errors about an invalid or missing "scope" parameter.
Once it successfully returns your Access and Refresh token, the flow seems to follow normal delegated access.
Here are a couple of links that Microsoft gave me, with their guidance to help figure this out.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#using-the-admin-consent-endpoint
https://developer.microsoft.com/en-us/graph/docs/authorization/app_only
(Big Thanks to Jeff at Microsoft)
Latest doc is here: https://learn.microsoft.com/en-us/graph/auth-v2-service
I followed it and I was able to read/write other's calendar with permission Calendars.ReadWrite.
I gave my application the following scopes:
SCOPES = [ "Calendars.Read", "User.Read.All" ]
I got an access token. With this token I am able to get the users and I get two users back which is correct.
When I then ask for the calendar of myself (admin):
https://graph.microsoft.com/v1.0/users/stijn#temponia.onmicrosoft.com/calendarview?startDateTime=#{start_date.to_s}&endDateTime=#{end_date.to_s}
This also works perfectly. However when I do this for the other user:
https://graph.microsoft.com/v1.0/users/frank#temponia.onmicrosoft.com/calendarview?startDateTime=#{start_date.to_s}&endDateTime=#{end_date.to_s}
I get this error message:
Access is denied. Check credentials and try again.
According to the documentation: https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
Calendars.Read: Read calendars in all mailboxes: Allows the app to read events of all calendars without a signed-in user.
The scope I got back together with the access token was this: "calendars.read user.read.all" so it got accepted.
What am I missing here?
We are working to support the scenario you are requesting (Accessing other users' calendars) but the feature hasn't shipped yet. Stay tuned ...
UPDATE: Please take a look at using client credential flow. The blog post https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/ explains how to do this for Outlook API endpoint. But you should be able to follow the instructions for Microsoft Graph as well.
The app will require an admin to consent, and then can access calendar of any user in the organization, as long as their mailbox is in Office 365.
I'm trying to use the Email Settings API from within a google marketplace app. Because I need all the logic to happen offline (in a cron job). I'm using an app engine Service Account, but when I'm trying to actually change the email settings for the users of the domain that installed it I'm getting this error:
You are not authorized to access this API.
Error 403
this is the scope: https://apps-apis.google.com/a/feeds/emailsettings/2.0/
I'm probably missing something, but I couldn't find the right docs to show me the way. How would I go about implementing an app that accesses the email settings even when the admin is offline?
You need to set the prn attribute to address of an admin account.
Examples for the directory API are at:
https://developers.google.com/admin-sdk/directory/v1/guides/delegation#instantiate_an_admin_sdk_directory_service_object
In terms of accessing the Email Settings API, you're really unlikely to get people to give you Service Account access to their domain.
On the other hand, if it's your domain (and thus you can add Service Account access), couple of pointers below:
What is important is that you add the following to the header:
"Authorization" = "Bearer <your_token>"
(note the very specific syntax - "Bearer+<1 space>+", as per https://www.rfc-editor.org/rfc/rfc6750 section 2.1)
"Content-Type" = "application/atom+xml"
(important for POST/PUT/DELETE requests, doesn't matter for GET)
that should get you up and running.
We are trying to use google.picker to have our users upload files to our drive account (i.e., the user is not required to have a Google account to upload).
We're trying to use regular Google accounts as application-owned accounts and got our AUTH_TOKEN using OAuth2 and set it using .setOAuthToken(AUTH_TOKEN) . We followed everything described in the docs.
However, when uploading, we got a Server Rejected error. The call to https://docs.google.com/upload/resumableupload?authuser=undefined returned:
{"errorMessage":{"reason":"REQUEST_REJECTED","additionalInfo":{"uploader_service.GoogleRupioAdditionalInfo":{"completionInfo":{"status":"REJECTED"},"requestRejectedInfo":{"reasonDescription":"agent_rejected"}}},"upload_id":"AEnB2Ur64Gb0JDCk_8mg5EhpdcaqL82wBQHumHjcGvDqYibtksmUzhfhBolsmBFzRuvQPRyi43SYfactJZvIWYrQ6xAqzu3L9g"}}
We know we cannot use service accounts since the picker doesn't support it.
Do we miss something in getting the AUTH_TOKEN? Do we need to something in the console?
Give us a little more code, or check the call to gapi.auth.authorize()
Check that you are using the correct scope to obtain the OAuth token.
Scope should be https://www.googleapis.com/auth/drive
Double-Check the scope declaration:
https://developers.google.com/accounts/docs/OAuth2Login#sendauthrequest
Check the call to gapi.auth.authorize()
window.gapi.auth.authorize(
{
'client_id': clientId,
'scope': scope,
'immediate': false
},
handleAuthResult);
from: https://developers.google.com/picker/docs/#hiworld
Without an actual code sample, it is very difficult to say exactly what is going on. Most likely it is the auth token colection. However, it may also be something as simple as not defining a google User (clientID) which in turn impacts the gapi.auth.authorize() call.
maybe this thread can help you: https://groups.google.com/forum/#!topic/Google-Picker-API/PPd0GEESO78
It is about setting the oauth context
or this one:
https://productforums.google.com/forum/#!msg/drive/GDl4uBkkbxM/jRejcxI-EV8J
It is about the type of file you try to upload with autoconvert on..
Use a Google Apps script on Drive with the function doPost to send data to the server. Then write to file with the Drive API. On publish, you have to set the permissions to "accessible to anyone, even anonomous" if doing cross-domain calls. Make the script run under your user name in Google (for testing), but most likely you would want that function moved onto some application-user account in Gmail.
If you need a level of authentication involved, even if the script is made public, you may authenticate against a CloudSQL hosted database and/or with the Jdbc library to connect to an external resource.
The Scope seems to be the problem.OAuth Token must be obtained using correct scope only:
http://tinyurl.com/ldotq4y
Easily replace scope: 'https://www.googleapis.com/auth/drive.readonly' to scope: 'https://www.googleapis.com/auth/drive' . So that you're allow to make change including upload something to your Google Drive account.
I'm trying to implement Soundcloud connect and having a weird issue.
First thing I do is send my users to
https://soundcloud.com/connect?client_id=MY_CLIENT_ID&redirect_uri=http://myredirecturl.example.com&state=RANDOM_STRING&display=page&response_type=code&scope=email
When users connect they get redirected to
http://myredirecturl.example.com?error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed.&state=RANDOM_STRING
The same happens if I use scope=*.
However, if I use scope=non-expiring it lets me go through, but I need the users email and that type of scope doesn't have enough grants.
I thought it had something to do with my app being in development mode, but Osman at Soundcloud said it doesn't.
Thanks.
The 'email' scope is not available to all integrations. It's used for a few custom integrations that have provided us with accepted terms of service / privacy policies. There is no way to get a user's email address using the SoundCloud API.
You should however be able to use the '*' scope to get an expiring access token. I'll check with our app team to see why this is giving you an error. I'll edit my answer once I have more information there.
For your purposes, I would stay with the 'non-expiring' scope and simply prompt a user for their email address (providing them with a way to agree to your terms of use / privacy information).
Using scope=* sometimes doesn't work because the url is not properly encoded. If you are getting this error while using the * wildcard, try properly encoding the url, using a function like urlencode() (for PHP).