Method spreadsheets.batchUpdate doesn't work with API Key - google-sheets

Method BatchUpdate just doesn't work with API Key auth.
Response:
{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED"
  }
}
Trying this API with an API key doesn't work either.
I didn't find anything about that. What's going on?

Method: spreadsheets.batchUpdate states
Authorization Scopes
Requires one of the following OAuth scopes:
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/spreadsheets
Your error
"Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project."
states that you are required to be authenticated and that an OAuth 2 access token is required.
You said you tried with an API key. API keys are used for accessing PUBLIC data. In order to access private data you need to be authenticated, which is what the documentation stated.
In order for that "try me" to work, you will need to use Google OAuth 2.0.

Related

InvalidAuthenticationToken while using Microsoft Graph

I have a Node.js API which is authenticated using passport and passport-azure-ad's OIDC strategy.
After the user's authentication I get the user's profile, access_token, refresh_token, sub and ISS.
Then I use the same access_token to get the user's details from Microsoft Graph using this API - https://graph.microsoft.com/v1.0/me
When I make the request, it gives me this error:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"request-id": "04048b3a-7636-4197-88ef-1f08d3a07c9e",
"date": "2018-12-26T09:40:58"
}
}
}
When I use OAuth 2.0 to get the access_token and use that access_token to access the same API, the details are returned successfully.
I even tried comparing the access_tokens returned by OpenID Connect and OAuth 2.0; they differ despite logging in as the same user.
I don't understand why the access_token returned by OpenID Connect didn't work.

Fetch auditDetails of YouTube channel

I am trying to fetch auditDetails of YouTube channels.
As per official API docs (https://developers.google.com/youtube/v3/docs/channels/list) I am supposed to provide an authorization token that contains the https://www.googleapis.com/auth/youtubepartner-channel-audit scope.
Authorization
A request that retrieves the auditDetails part for a channel resource must provide an authorization token that contains the https://www.googleapis.com/auth/youtubepartner-channel-audit scope. In addition, any token that uses that scope must be revoked when the MCN decides to accept or reject the channel or within two weeks of the date that the token was issued.
I am currently trying to fetch a YouTube channel's auditDetails by hitting following URL:
https://www.googleapis.com/youtube/v3/channels?key=xxxxxxxxxx&id=UC9eSXrzVl9ZFLwsNSBgvTog&part=auditDetails
But, it is returning an Insufficient Permission error as follows:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "insufficientPermissions",
"message": "Insufficient Permission"
}
],
"code": 403,
"message": "Insufficient Permission"
}
}
Can someone suggest an approach to generate the youtubepartner-channel-audit scope for various YouTube channels?
The error you have encountered means that:
The OAuth 2.0 token provided for the request specifies scopes that are
insufficient for accessing the requested data.
You can request authorization for the auditDetails part of a channel resource:
Must provide an authorization token that contains the
https://www.googleapis.com/auth/youtubepartner-channel-audit scope. In
addition, any token that uses that scope must be revoked when the MCN
decides to accept or reject the channel or within two weeks of the
date that the token was issued.
After that, you can add your scope to the OAuth sign-in request.
In order to introduce scopes, an authorization token containing those scopes needs to be created.
Authorization credentials can be created via the Credentials page in the API Console.
Create credentials
But before creating OAuth client ID authorization credentials, the user is required to set a product name on the consent screen.
On the consent screen itself the user can add multiple scopes as per the application's requirements.
Add scope

Invalid Access Token in FitBit

I'm trying to integrate the Fitbit SDK in my iOS app. I have created a project on Fitbit, and now I'm running their API in Postman to check the profile, but the response shows an invalid access token:
{
"errors": [
{
"errorType": "invalid_token",
"message": "Access token invalid: 39ec7defa6f0e33b314bbf6217279b15. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."
}
],
"success": false
}
This is my API, https://api.fitbit.com/1/user/-/profile.json, and this is what I'm passing in the header: Authorization : Bearer Client Secret. But it is showing me status code 401 with an invalid access token error. How can I get the access token for my app?
You need to get an OAuth 2.0 token from the Fitbit authentication service before you can call any other endpoints on the API. You will need to redirect your app to Safari and go to the Fitbit authentication service so that the user can log in and authorise your app's access to their Fitbit data. The callback will then return an OAuth token that you can pass in subsequent requests.
You will need to call something like this:
https://www.fitbit.com/oauth2/authorize?response_type=code&client_id=%#&scope=%#&redirect_uri=%#"
This is the official fitbit documentation for Authorisation:
https://dev.fitbit.com/build/reference/web-api/oauth2/

Possible reasons for invalid_token from AWS Cognito on https://api.amazon.com/auth/o2/tokeninfo

I believe I am missing something with the implicit grant process and access tokens in aws cognito.
To this point:
Have a user pool, with a client app configured for implicit flow and scopes openid, profile, aws.cognito.signin.user.admin
Used a stack overview and the official documentation and older white papers to achieve:
Login process that redirects to aws cognito UI, and back to my app, with tokens and other information in the fragment portion of the URL.
The access_token value parses at jwt.io and signature checks out using the aws jwt tool
Problem:
The recommended step is to "verify that the access token belongs to us" through the tokeninfo api call.
When I attempt to call tokeninfo via javascript code and testing via postman (using: https://api.amazon.com/auth/o2/tokeninfo?access_token=eyJraWQiOiJoVFBa... )
I get the result:
{
"error_description": "The request has an invalid parameter : access_token",
"error": "invalid_token"
}
and an http header:
x-amzn-errortype: InvalidTokenException:http://internal.amazon.com/coral/com.amazon.panda/
Variants I have tried:
I have tried calls directly to the user profile (using Authorization header, and query string and x-amz-access-token header).
I have tried adjusting parameter names (error becomes "access_token required" or something like that).
I have tried adjusting scopes in the user pool
I have tried adding resource servers (though I am not there yet...)
The redirect after login looks like this:
https://staging.example.com/loginresult.html#id_token=eyJraWQiO<tokenremoved>&access_token=eyJraWQiOiJoVFBa<tokenremoved>&expires_in=3600&token_type=Bearer&state=whateverdevwants
The parsed values of the token (through jwt.io) are:
{
"sub": "5510a27d-ebcb-4883-8680-a66fd0462279",
"token_use": "access",
"scope": "aws.cognito.signin.user.admin openid profile",
"iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_OF5OOfdx0",
"exp": 1519352461,
"iat": 1519348861,
"version": 2,
"jti": "31950a91-e2a5-4060-8c31-977f49802d35",
"client_id": "3iuhnprmod0josge24ogarecfp",
"username": "5510a27d-ebcb-4883-8680-a66fd0462279"
}
Update: As answered below: just don't do this, it is conflating jwt tokens from cognito with whatever "Login With Amazon" was using.
In the example you refer to from Amazon they encode the access token using urllib.quote_plus for example in their PHP example.
Make sure you are URL encoding the access token too in your javascript code with encodeURI.
Also an error may be returned if the token has expired so make sure you verify a newly-minted token. Expiry is 3600 seconds - so make sure the token is less than an hour old.
EDIT
Looks like the documentation for Cognito is very different from the LWA (login with amazon) auth flow. The tokens in the examples you linked to aren't even JWT tokens!
The Cognito documentation here explains how to verify the JWT token.
Check out the Using ID Tokens and Access Tokens in your Web APIs paragraph.

Actions on Google and Account linking failure after tokens returned

Trying to test auth in the Web Simulator using the OAuth2 Authorization Code Flow, https://developers.google.com/actions/tools/web-simulator
See: https://developers.google.com/actions/tools/testing#testing_account_linking_with_google_home_web_simulator
And:
https://developers.google.com/actions/develop/identity/oauth2-code-flow
Provided you've set up your Action to require authorization against your authorization service, when you try to access your Action the Assistant advises you that you need to link your account.
In the same response the simulator provides a URL for initiating the linking process, see:
"debugInfo": {
"sharedDebugInfo": [
{
"name": "Account Linking Url",
"debugInfo": "https://assistant.google.com/services/auth/handoffs/auth/start?provider=your-google-project-id_dev&scopes=your-scopes&return_url=https://www.google.com/"
}
]
}
Calling this URL (paste it into a browser) will take you through an OAuth2 flow. Assuming the user actions required are successful, Google will call your token endpoint with the authorization code provided during the flow.
But then I was getting:
result_code=FAILURE&result_message=Account+linking+failed
It all appeared to be working from my side but Google was returning a FAILURE.
In my case, my token endpoint was returning my standard token response object, which included an access_token, a refresh_token, an expires_in, a session_state and another token that wasn't needed for this purpose but was standard to my token response.
And when I tested this same response on Google's playground it was fine:
https://developers.google.com/oauthplayground/
But not so when using the Assistant URL:
https://assistant.google.com/services/auth/handoffs/auth/start?provider=your-google-project-id_dev&scopes=your-scopes&return_url=https://www.google.com/
The reason, it turns out, is that the Assistant does not like superfluous properties in the response object.
I have yet to fully establish what is and isn't allowed but so far you can have:
{
  "token_type": "Bearer",
  "access_token": "xxx",
  "refresh_token": "yyy",
  "expires_in": "zzz"
}
With these I now get:
result_code=SUCCESS
