I have OAuth login in my app. After that I have access_token.
I check token in google token info service:
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=<access_token>
And It returns:
{
"issued_to": "554651647288-tquejcu6mctplq4kin5dd9r81mtkg3vv.apps.googleusercontent.com",
"audience": "554651647288-tquejcu6mctplq4kin5dd9r81mtkg3vv.apps.googleusercontent.com",
"scope": "https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.orgunit https://www.googleapis.com/auth/admin.directory.user",
"expires_in": 3299,
"access_type": "online"
}
As you can see I have admin user directory permission.
Then I send GET request for getting information about user
curl -X GET https://www.googleapis.com/admin/directory/v1/users/test_user#test.com?access_token=<access_token>
And google returned me right user information. After that I decided to get list of users.
curl -X GET https://www.googleapis.com/admin/directory/v1/users?customer=my_customer&access_token=<access_token>
And google returned me:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
}
}
But I don't understand why google returned me so error.
Could you please help me with this problem?
Thanks.
There are two solutions here.
1.This is the simple one. Put the URL params in quotes. This should do the trick - (fake access token used)
curl "https://www.googleapis.com/admin/directory/v1/users?customer=my_customer&access_token=asdf.AHEasdfyIc9vuPQ_BGONpzEJkasdfWYXGujPw5iPI"
You don't need to pass in -X GET as that is the default.
2.In general it is bad practice to send the access_token in the URL as this URL may get logged somewhere along the way for innocuous reasons. You can also do this through HTTP Header of Authorization -
curl -H "Authorization: Bearer asdf.AHEasdfyIc9vuPQ_BGONpzEJkasdfWYXGujPw5iPI" https://www.googleapis.com/admin/directory/v1/users?customer=my_customer
Related
I'm trying to to a request to the Google Calendar API using Postman. Following this Google documentation:
https://developers.google.com/calendar/v3/reference/?apix=true
I'm doing a:
GET https://www.googleapis.com/calendar/v3/calendars/{my_calendar_id_here}
On the Postman Authorization tab i'm specifying that i want to use OAuth 2.0 and i also put my access token (which i use to make Calendar API calls from code, works fine). However, Postman responds with the following body:
{
"error": {
"code": 401,
"message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"errors": [
{
"message": "Invalid Credentials",
"domain": "global",
"reason": "authError",
"location": "Authorization",
"locationType": "header"
}
],
"status": "UNAUTHENTICATED"
}
}
I really don't understand what i'm doing wrong, and other answers don't seem to target my particular scenario. I'd be grateful if someone could point out what am i doing wrong.
I would recommend replicating the request in Google's OAuth 2.0 Playground. Then using the confirmed to be working access token to troubleshoot Postman.
For Postman you could also pass the access token as a request header and if that resolves the issue.
Postman Headers Tab Input:
| Key | Value |
|---------------|-----------------------|
| Authorization | Bearer {access_token} |
I'm trying to request the "List privilegedRoles" resource using an app created in Azure's Active Directory.
I've given it all the Application permissions AND Delegated permissions in the Graph API app, to no avail.
The response is always:
"error": {
"code": "UnknownError",
"message": "{\"message\":\"An error has occurred.\"}",
"innerError": {
"request-id": "3e1bb5cf-2d2e-402f-8648-27193b28510a",
"date": "2018-06-06T14:26:02"
}
}
Any help would be much appreciated
UPDATE 1:
A full reproduction of the issue -
A V2 app with delegated permission "Directory.AccessAsUser.All" (and no application permissions), redirect url of http://localhost/myapp/permissions
step 1: admin consent
open browser at:
https://login.microsoftonline.com/MY-TENANT-ID/adminconsent?client_id=MY_APP_ID&state=12345&redirect_uri=http://localhost/myapp/permissions
and grant consent by an admin to the requested permission(s)
see successful redirect to:
http://localhost/myapp/permissions?admin_consent=True&tenant=MY_TENANT_ID&state=12345
step 2: get token
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=MY_APP_ID&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=MY-APP-SECRET&grant_type=client_credentials' 'https://login.microsoftonline.com/MY_TENANT_ID/oauth2/v2.0/token'
get reply like:
{
"token_type": "Bearer",
"expires_in": 3599,
"ext_expires_in": 0,
"access_token": "SOME-VERY-LONG-TOKEN"
}
step 3: attempt to get the resource
curl -X GET -H "Authorization: Bearer SOME-VERY-LONG-TOKEN" 'https://graph.microsoft.com/beta/privilegedRoles'
ERROR:
{
"error": {
"code": "UnknownError",
"message": "{\"message\":\"An error has occurred.\"}",
"innerError": {
"request-id": "cc9c950c-369c-4fb5-8ec4-eb4048e32a5d",
"date": "2018-06-10T09:09:57"
}
}
}
You can only use delegated permission for calling MSGraph PIM Api's.
Basically, you will need to do the following setup:
Create a native AAD application
Grant it Read and write privileged access to Azure AD permission and make sure the admin consents to it
Call MSGraph PIM Api's using this app with delegated token.
For more details, see https://blogs.msdn.microsoft.com/anujchaudhary/2018/06/07/powershell-sample-for-privileged-identity-management-pim-for-azure-ad-roles/
I'm trying to POST to a Auth0 delegation URL to obtain an access token and getting a "Grant Type not allowed" error as seen below. (This is when not using Postman.)
I came across a post in the forums that Delegation is deprecate in Auth0. Can anyone confirm if that is the issue here and if I'm trying something that's not available anymore?
Request:
Content-Type: 'application/json'
{
"client_id": "ID",
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
"id_token": "TOKEN",
"target": "lwTL1rYVfC0KsBUFPeKWY3HvGjbIgdDM",
"api_type": "salesforce_api",
"scope": "openid"
}
Error:
{
"error": "unauthorized_client",
"error_description": "Grant type 'http://auth0.com/oauth/legacy/grant-type/delegation/id_token' not allowed for the client.",
"statusCode": 403,
"error_uri": "https://auth0.com/docs/clients/client-grant-types"
}
Related Question:
"Missing grant-type parameter" in Auth0 Delegation endpoint call
In that question, using Postman to call the endpoint with the same request results in a different error!
I am struggling to get oauth2 working between postman and the Google Apps Admin Sdk. I have created a client app in the google console and set the Authorized redirect URIs to https://www.getpostman.com/oauth2/callback and my settings in postman are as follows
Auth URL - https://accounts.google.com/o/oauth2/v2/auth
Access Token URL - https://www.googleapis.com/oauth2/v4/token
Client Id - some id here
Client Secrent - some secret here
Scope - https://www.googleapis.com/auth/admin.directory.user.readonly
Token Name - Google
Grant Type - Authorization Code
Request Access Token Locally - Checked
This returns a token - xyz - after logging in.
I do a GET request with the token in the url
https://www.googleapis.com/admin/directory/v1/users?key=xyz
The error I am getting is below
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
}
}
From what I have read this should work. Where else do I have to login? What am I doing wrong?
After playing around I figured out my url was incorrect. Changing key to access_token did the trick.
Just a side note, ensure you specify the domain or customer parameter otherwise you will receive a bad request error.
I am trying to create a broadcast using YouTube's v3 API. My request looks like this:
curl -H "Authorization: Bearer ******************" -H "Content-type: application/json" -d " {\"snippet\":{\"title\":\"Hello\", \"scheduledStartTime\":\"2014-01-30T00:00:00.000Z\", \"scheduledEndTime\":\"2014-01-31T00:00:00.000Z\"},\"status\":{\"privacyStatus\":\"public\"}}" https://www.googleapis.com/youtube/v3/liveBroadcasts?part=snippet,status
But the response I get from google is this:
{
"error": {
"errors": [
{
"domain": "youtube.liveBroadcast",
"reason": "liveBroadcastForbidden",
"message": "Request is not authorized"
}
],
"code": 403,
"message": "Request is not authorized"
}
}
I can confirm that the access token I am passing is correct.
Is there something I am doing wrong here?
Livestreaming API is only available to partners right now. It will be more widely available later.
If you have gotten the granted access, you should enable YouTube APIs from API Console. It looks like you haven't enabled them.