I'm writing an internal app that uses the Slack python client. I'm authenticating via a bot user and trying to call the users.lookupByEmail() method to get Slack info for a particular user:
sc = SlackClient(SLACK_TOKEN)
user = sc.api_call(method='users.lookupByEmail', email=email)
However I get back the following:
'{"ok":false,"error":"missing_scope","needed":"users:read.email","provided":"identify,read,post,client,apps"}'
According to the API documentation (https://api.slack.com/methods/users.lookupByEmail), bot users should have access to this method. So I'm guessing my bot does not have the users:read.email scope. Is there anyway to add that? As a workaround I'm calling the users.list() method and just iterating through that but that's very inefficient with the hundreds of users we have.
Yes, you need the users:read.email scope.
Just re-authenticate your Slack app and include that scope and it should work.
However, if you used a bot custom integration you do not have the ability to add more scopes. I then recommend to create a Slack app instead, which you can do on this page by clicking on "Create a Slack app".
Keep in mind that Slack apps need to be installed to your workspace to work. You can do that from the configuration page of your app.
You can add scopes (permissions) in the Slack application admin pages. Under Basic Information,
Go to Add features & functionality and choose the Permissions subsection.
On the OAuth & Permissions page, scroll down to Scopes -> Permission Scopes
In the "Add permission by scope or API method..." dropdown, scroll to "View email addresses of people on this workspace" and select users:read.email
Related
I am trying to understand the basic logics for receiving GMail emails with Google OAuth. I see this document Authorizing Your App with Gmail
Now I follow the instructions in Setting Up POP3 Importing with OAuth via Google to setup POP3 with Google OAuth.
I login one Google account(Account1) and then in Google Cloud, create the Google App and OAuth Client ID.
Then I start connect to GMail account(Account2) with the web application(WHMCS). When connecting, it asks me to choose an account that create the app, so I choose Account1. But get the following error:
Error 403: access_denied
The developer hasn’t given you access to this app.
Thus I am a bit confused. Since Account1 is used to create the app and OAuth Client ID, it should be able to access the app when I choose Account1, but the app will not be able to access the data in Account2. Or does the App in the error message means Gmail, not the app I created in Google Cloud?
Should I use Account2 to create the app for receiving emails in Account2? If yes, then for each Gmail account, should I create a separate app accordingly?
Update
Now I try to do as follows:
Use Account3(The admin of Google Workspace) to create the Cloud Project, Consent Window, Client ID, etc.
Then when connecting from WHMCS on our domain datanumen.com, it asks me to choose the account, I choose Account3, and then see a new window as below:
I then select "Allow" button, but then see the following error:
Connection unsuccessful. Please close this window and try again.
Update
I try several times. And find the first time will be successful. I forget enable POP3 in my Gmail account. After enabling it, everything is fine.
I am a bit confused as to what you are trying to do here.
You created a project on Google cloud console and created client id and client secret for the authorization of your project.
All this does is create a project that will be allowed to use Oauth2 to request authorization of a user to access their data.
If I understand what WHMCS is trying to do. Its going to let you use your client id and client secret to request access of a user to access their data.
So when it asks you to authorize a user this is the user whos data you want access to. That user must be added as a test user over on Google cloud console for the project that you created.
The project you create on google cloud console is still in the testing phase. Each user you want to allow to test your application must be added as a test user. Other wise only the owner of the project can test the applicaiton.
To fix this issue for me was this simple:
Go to https://console.developers.google.com/
open the project in question.
Click "OAuth consent screen" on the left.
Under "Test users" there is a button called "+ ADD USERS"
Type the email of the account you will be testing with, press enter, then click save.
It should work now
It seems like they updated this recently because last year I did not have to do this.
workspace
The issue you may be having is that if you created this project on a workspace account then i suspect only workspace domain users are going to be able to authorize it. It cant be authorized by someone on the standard google domain. So try with a workspace domain user. The same may go the other way I have never tried tbh. I tend to keep workspace within its domain.
I have an iOS app that I'd like to restrict access to, making it only available to users from a specific email domain.
The app requires the users to log in using their Google Account.
I've found various answers online that suggested adding
".read": "auth.token.email.endsWith('gmail.com')"
But that doesn't seem to return an error in the sign in page, but only when the user in question tries to access the database. Any suggestions?
You will have to enforce that. You have multiple tools to do so:
After signInWithCredential resolves, you can check the domain and that it is a google.com provider. If you are allowing email/password users, you need to verify those too. If the user doesn't meet your criteria, use the delete API on the user and issue an error to the user that they need to sign in with a certain account.
Enforce the check in your rules, as you can't always trust the client. Ensure that if a user signs up, and isn't deleted, he/she can't access the data.
Use Firebase functions which has a trigger for user creation. On user creation, check your criteria is met, if not, use the firebase-admin module to delete that user.
If you are using the Google sign-in library for iOS to get the Google credential, you can check the Google user email and Google ID token before you signInWithCredential in Firebase and block the sign in attempt.
Write your own clean up script: If you are hosting your own server and do not want to use Firebase Functions, you can run a daily script that downloads all your users using the Firebase CLI SDK and then deletes all users using firebase-admin SDK that do no match your criteria.
Since the required email domain is #gmail.com, you could just disable the email and password and enable the Google sign in method in your Firebase console. So, the only way a user can sign in on your app is with a Google account.
https://firebase.google.com/docs/auth/ios/google-signin
Include the email and password sign up option and just check for domains within your app. This will be a simple string comparison test on the email address.
Or just spin up a server to which you'll be sending the emails to for verification. This way you wouldn't have to push out new updates every time you add an extra domain. You can try and see if cloud functions would be helpful instead of spinning up a new server.
I was told by one of the engineers at Microsoft that in order to display the jobtitle field, using users method in REST, I need an admin permission. I would appreciate if someone can answer exactly what steps the domain administrator needs to take in order to give user.read.all permission to all users in the domain that will run the graph query. I would appreciate if anyone can provide detailed step by step instruction.
For user.read.all, you will need to get administrative consent from the organization before a regular user can sign-in to your application.
To do this, you'll first need to have them go through the “Admin Consent” workflow. This workflow requires an administrator but once complete any users of your application will have “admin consent” to the restricted scope.
For example, you would normally you would then authenticate users by redirecting them to
https://login.microsoftonline.com/common/oauth2/authorize?<your params>.
Since this scope requires an Admin however, you fist need to obtain consent by first having an Admin authenticate by redirecting them to
https://login.microsoftonline.com/common/adminconsent?<yours params>.
Once an Admin grants consent, normal users will be able to use OAUTH to authenticate.
Dan's link took care of the problem.
In the link the below sample link was the answer. Instead of the word "common", I have replaced it with the tenant ID as shown below:
https://login.microsoftonline.com/{tenant id from azure ad}/adminconsent?
client_id={application client id}
&state={can be anything. I used the same as the redirect url}
&redirect_uri={URL that exactly appears in the app application portal}
Objective -C / iOS
I will use follow api of instagram .
set URL :https://api.instagram.com/v1/users/{userid}/relationship?access_token={access_token}
parameter string is "action=follow" ,and data sending way of post
But , it doesn't works. I received error.
meta = {
code = 400;
"error_message" = "This request requires scope=relationships, but this access token is not authorized with this scope. The user must re-authorize your application with scope=relationships to be granted write permissions.";
"error_type" = OAuthPermissionsException;
};
When i use login api of instagram , scope = relationships+likes ... data sended
How to use instagram follow api in iOS.
Instagram changed its API guidelines since mid April, 2015.
https://help.instagram.com/contact/185819881608116
The OAuth 2.0 specification allows you to specify the scope of the access you are requesting from the user. All apps have basic read access by default, but if you plan on asking for extended access such as liking, commenting, or managing friendships, you need to specify these scopes in your authorization request. Note that in order to use these extended permissions, first you need to submit your app for review. For more information on how to submit your app for review, please check out the documentation of the endpoint that you plan to use.
Hence you need to get your app reviewed by instagram first to use these extended permissions such as Likes, Comments and Relationships.
As stated in the error that you're getting, you need to have a certain permission for you to be able to perform a "follow" action. You can't just follow another account on a user's behalf without getting the proper permission first in the authentication process.
When calling the authorize api you can add a parameter called scope which specifies the permission level that your app is requesting. For example: scope=basic+relationships will allow you to read all basic user data and also follow and unfollow accounts on a user’s behalf.
This is a post request. To make post request to InstagramAPI you need to submit your application details and company details to Instagram for review. Maybe other relationship endpoints will work fine without submitting your app. Even though you are adding scope as scope=likes+relationships+comments, instagram will give you basic permissions only. For more details visit the following link https://instagram.com/developer/endpoints/relationships/#post_relationship
How can I use the AWeber API to automatically check whether an email address exists on a given user's list? The AWeber paradigm is baffling to me and their docs are poor. Essentially, what you get is the ability to put the AWeber login form on your site (just like this one: https://www.aweber.com/login.htm), so ANY AWeber user could use my site to log into their AWeber account and view their subscriber and list data. This is useless.
The API keys are moot: they simply establish that yes, I am a developer and yes, I have registered my app. The API keys have nothing to do with USER data.
This is not at all how MailChimp handles logins: each user can download their own API keys and use them to authenticate and then programmatically retrieve the subscriber data from their lists.
What I need to do is to create a "Members' Area" on my website, and in order for visitors to see the content in the members-only content, they must join my list. It's a simplified login form that would ask only for the email address (no password is necessary). But I cannot see how to do this with AWeber's convoluted oAuth restrictions. The only way I can currently check email addresses is by logging into my own form (the local copy of the https://www.aweber.com/login.htm form) and then checking the email address. That won't work programmatically. If I can't automatically access subscriber data, then what's the point of the API?
How can I automate authentication so my application can retrieve subscriber information from my user's lists without me having to log in?
The consumer keys identify your application, the access keys are what give the application access to an account, both are needed to make requests to the API.
There is a php quickstart for accessing an aweber accounts' subscriber data. http://engineering.aweber.com/quick-start-api-script-in-php/
Once you have the access keys generated, you must store them for future requests.