I was trying to build a market place application with admin-sdk.
Reading the docs, it looks like two legged authentication is the only way to go as far as market place apps are concerned.
Wanted to check if the current user is an admin so for that, I wanted to use
https://www.googleapis.com/admin/directory/v1/users/(useremail)?xoauth_requestor_id=(admin-email)
I was trying both to be the same and to be that of the admin
The Authorization header is also as follows.
OAuth realm="", oauth_signature_method="HMAC-SHA1",
oauth_version="1.0", oauth_consumer_key="<key from market place>",
oauth_nonce="4473365854789985180", oauth_timestamp="1380453874",
scope="https://www.googleapis.com/auth/admin.directory.user",
oauth_signature="yEcbWIp5f1nNFaUI8vSxn1NYlzw="
When this request is made to the url I am getting error saying.
"domain": "global",
"reason": "authError",
"message": "Invalid Credentials",
"locationType": "header",
"location": "Authorization"
I looked for apis to get it done but could not find for two legged with admin-sdk. Could someone please help me tackle the problem ?
Also can such a feature be done by using service accounts ?
I also wanted to, in the end have the admin-sdk to be used golang in the end.
Marketplace still uses OAuth 1.0. So I don't think you can really use service account as it is really for OAuth 2.0.
Have you checked out these two documents?
https://developers.google.com/accounts/docs/OAuth#GoogleAppsOAuth
https://developers.google.com/gdata/docs/auth/oauth#2LeggedOAuth
Anyway, you want to make sure you are using the clientID and client secret that has Admin SDK enabled you generated from API console. Additionally, have you also had the clientID enabled with the Admin SDK scope in Manage Third Party OAuth in Admin console?
I was able to make the following call with no problems:
https://www.googleapis.com/admin/directory/v1/users/user#domain.com?xoauth_requestor_id=admin#domain.com&key=APIkey_from_API_console
Related
I am setting up the DocuSign rest connector in power apps. I have other API's that working well this same way.
I want to get this setup to sweep completed files on a scheduled.
I started by going through this tutorial and tried the same setup. But when I try to test the connector I don't get prompted for credentials. We use SSO - so the window comes up and goes away without an error message.
https://www.docusign.com.au/blog/get-the-flow-sending-docusign-envelopes-microsoft-power-automate
I then tried to create a connection in in power automate Data/Connections and get an error message after entering my dev credentials. The clientid (integration key) and the secret match.
OAuth2 authorization flow failed for service 'Generic Oauth 2'. OAuth 2 sign in failed to exchange code for access token. Client ID and secret sent in form body.. Response status code=NotFound. Response body: { "statusCode": 404, "message": "Resource not found" } Client ID and secret sent in Basic authorization header.. Response status code=NotFound. Response body: { "statusCode": 404, "message": "Resource not found" }
The setup looks correct. It seems like a reference problem = like the production account and the developer account are not in sync or something. I have the same email address for both production and developer accounts and we use SSO - maybe its trying to reference production and not the developer account when its logging in? Just guessing.
I have a ticket with them, but they have note been able to help so far and they are on AEST time and I won't be able to get a response back from them for another couple of days :(
(I tried using the DocuSign Git repo API to create the connection as well - same problem)
Anyone have problems like this or know a solution? Anything else I can look at. This seems all straight forward -standard OAuth setup.
Using this setup like in the article for the demo (dev) account.
DEMO:
IKey: Integration Key [captured earlier]
Secret Key: Secret Key [captured earlier]
Authorization URL (DEMO): https://account-d.docusign.com/oauth/auth
Token URL (DEMO): https://account-d.docusign.com/oauth/token
Refresh URL (DEMO): https://account-d.docusign.com/oauth/token
Scope: signature extended
This will connect to a single DocuSign user (like a "service account"). It will not prompt each user for their credentials. You will need 1 generic user setup within your DocuSign account, without SSO (you can setup an exception user in DocuSign admin. This is best practice when setting up SSO as a fallback in case SSO fails to login as well).
The envelope will be sent from that generic user, not the actual user. This is common practice with some "system level" integrations.
Also, are you connecting a DocuSign "demo" or production account?
I ask because there's two connectors for power automate - "DocuSign" (for production) and "Docusign Demo" (for demo). I would recommend doing it all in demo first, as the "client id" (aka "integration key") needs to go through a go-live process to be promoted from demo to prod (see the link in the guide).
I am trying to issue a POST request towards the google calendar api, but I fail to understand how to authenticate it.
I took the following steps to try and use a service account to do so:
I've enabled the the calendar api in the Google Cloud console
I've created a new service account, enabled G Suite Domain-wide Delegation, and downloaded the provided key.
I've added the service account email to the calendar to be able to make changes and create events.
I've tried to create a POST request to https://www.googleapis.com/calendar/v3/calendars/calendarId/events with the contents of the JSON key as the value of the Authorization header, but I receive the following error:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "authError",
"message": "Invalid Credentials",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Invalid Credentials"
}
}
Am I missing some steps or have I do not understand correctly the authentication process?
I would appreciate your help.
Its not simply a matter of applying the contents of the key file to your call, all google apis need an access token in order to authenticate them.
To get an access token from a service account you need to follow the following steps. Preparing to make an authorized API call
There are steps you will need to complete inorder to get the access token you will need to make a call to the api
After you obtain the client ID and private key from the API Console, your application needs to complete the following steps:
Create a JSON Web Token (JWT, pronounced, "jot") which includes a header, a claim set, and a signature.
Request an access token from the Google OAuth 2.0 Authorization Server.
Handle the JSON response that the Authorization Server returns.
I recommend you pick your favorite server sided programming language and find a client library for it. It will make things much easier then you trying to authncate using a service account by yourself.
I am testing Get Chat Microsoft Graph API (which is still in Beta) and it seems to work successfully when it is called from Graph Explorer (which uses an user token), instead when I call this API from Postman with an application token, I get 401 Unauthorized with an Unknown Error as response.
https://graph.microsoft.com/beta/users/<user-id>/chats/<conversation-id>
My App Registration on Azure has these permissions:
And the decoded application token contains:
"aud": "https://graph.microsoft.com",
"roles": ["User.Read.All", "Chat.Read.All" ]
The same token it works for the Get User API
https://graph.microsoft.com/beta/users/<user-id>
Basically, it seems to have problems only the GET Chat API when called with an application token, although the documentation says it is supported. Am I missing something in the App Registration configuration?
EDIT
As I have already explained in the comments, this question doesn't help me, since:
audit is correct
permissions are present in the token and are granted by the admin in the App registration
scope is correct
Should I check something else?
Have you seen this message on the (English) documentation page?
Before calling this API with application permissions, you must request access. For details, see Protected APIs in Microsoft Teams.
It seems like Microsoft has implemented an extra layer of security for apps accessing "Teams" endpoints.
A number of our users authenticate through the Google OAuth API (https://developers.google.com/+/web/api/rest/oauth)
What is the future of the Google's version OAuth API beyond the April 2019?
OAuth aside, we use the following endpoint to obtain the user's email and name: https://www.googleapis.com/plus/v1/people/me once we obtain the access token. Is this endpoint becoming obsolete?
Update 12/21/18
Google+ Shutdown Notice
[End Update]
OAuth 2.0 is a service provided by Google Accounts. The end of life for Google+ will not affect OAuth 2.0.
OAuth 2.0 is the foundation authentication service for Google Cloud Platform, G Suite and many other services. OAuth 2.0 is token based, and these tokens can be used on a variety of services, both Google based and third party.
A further question was asked below in the comment section about endpoints.
The Google+ endpoint for user information: googleapis.com/plus/v1/people/me will probably continue to exist for years (awaiting official announcement from Google).
I would start using the Google OAuth 2.0 endpoint (notice the alt=json): https://www.googleapis.com/oauth2/v3/userinfo?alt=json
Which returns Json that looks like this:
{
"id": "123456789012345678901",
"email": "username#example.com",
"verified_email": true,
"name": "User Name",
"given_name": "User",
"family_name": "Name",
"link": "https://plus.google.com/123456789012345678901",
"picture": "https://lh3.googleusercontent.com/.../mo/photo.jpg",
"locale": "en",
"hd": "example.com"
}
The current list of Google OAuth 2.0 endpoints:
https://accounts.google.com/.well-known/openid-configuration
What is the future of OAuth API beyond the April 2019?
Oauth is not an api it is a protocol for authentication. In this instance the authentication response is used to access googles APIs. Googles use of Oauth2 for authentication is not going any where there has been no announcement that it is being discontinued in any way. Nor do i think they would as to my knowledge it is current industry standard for authenticating to APIs
OAuth aside, we use the following endpoint to obtain the user's email and name: https://www.googleapis.com/plus/v1/people/me once we obtain the access token. Is this endpoint
The Google people api may contain the term plus in the url but it does not really have anything to do with Google plus (other than really bad naming).
[Documentation] The People api lets you list and manage the authenticated user's Contacts and retrieve profile information for authenticated users and their contacts.
Which actually has nothing to do with Google plus other than the fact that some of the users profile information may have originally been contained within Google plus which has now been moved i suspect (but i have no proof of that). I did send off an email to google asking for some clarification as to exactly which endpoints are shutting down.
Shutdown
So what is going to happen with the shutdown
Google+ will stop working
plus.activites will stop working.
plus.comments will stop working
What will happen to people overview will be a really good question. They may be renamed however i suspect they may just be left alone to access the google contacts as they do currently. (again i have no proff of this)
Get current user info
If you want to get the information about the current user then an idea would be to use the userinfo endpoint. As long as you requested the profile scope you can request the current users info from the identity server directly
Request:
GET /oauth2/v2/userinfo HTTP/1.1
Host: www.googleapis.com
Content-length: 0
Authorization: Bearer qMgWQHD0MstTDVip7hIYipUpSQkxexF4-W0bI3geEaYk0ztVryYZyFRrZDFWkn69Hw3RlBjfOuXJ8df_iv5ATgW3y0BUkI0xMXeGq22qmfqG-4duSU
Response:
{
"picture": "https://lh5.googleusercontent.com/-a1CWlFnA5xE/AAAAAAAAAAI/AAAAAAAAl1I/UcwPajZOuN4/photo.jpg",
"name": "Linda Lawton",
"family_name": "Lawton",
"locale": "en",
"gender": "female",
"link": "https://plus.google.com/+LindaLawton",
"given_name": "Linda",
"id": "117200475532672775346"
}
I suspect that some of this is going to change. Link for example is not going to be able to link to google plus anymore. I think i will send off an email to google to see what they intend to do about that.
Email will only appear in the response if you have also requested email scope when authenticating the user.
update
blog post on api shutdown just went out and gives information on what APIs are being shut down and when.
The most commonly used APIs that are being shut down include:
Google+ REST API
Google+ Web API
Google+ Android SDK
Google+ Domains API
Google+ Pages API
This still doesn't clear up the issue with the people API being Google contacts yet part of the Google+ rest API
https://developers.googleblog.com/2018/12/google-apis-shutting-down-march-7-2019.html?m=1
In order to disable this Google + API from your apps, you need to go to https://console.developers.google.com
... and navigate to each project you are using Google+ Api and click DISABLE
This will remove any requests from Google + API.
We are using the YouTube Data API to get the YouTube channel information, it was working before two days now it is giving me below error:
{
"error": {
"errors": [
{
"domain": "usageLimits",
"reason": "dailyLimitExceededUnreg",
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.",
"extendedHelp": "https://code.google.com/apis/console"
}
],
"code": 403,
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup."
}
}
Is there any new update on YouTube Data API?
Can anyone help me to resolve this issue?
In order to access any Google API you need to identify your application. This rule has not been enforced on all Google APIs. If you say your request has worked in the past I suspect that they have begun to enforce this now with the YouTube API.
The problem is that you have either not authenticate your application using Oauth2 or you are not sending an API key along with this request.
You need a Google Account to access the Google Developers Console, request an API key, and register your application.
Create a project in the Google Developers Console and obtain authorization credentials so your application can submit API requests.
After creating your project, make sure the YouTube Data API is one of the services that your application is registered to use:
a. Go to the Developers Console and select the project that you just registered.
b. Open the API Library in the Google Developers Console. If prompted, select a project or create a new one. In the list of APIs, make sure the status is ON for the YouTube Data API v3.
If your application will use any API methods that require user authorization, read the authentication guide to learn how to implement OAuth 2.0 authorization.
see Getting started
I was getting the same error. The mistake I was making is not setting the API Key value while requesting. Please set the API Key attribute.
If you are using youtube data v3 api use following code snippet.
playlistItemsListByPlaylistIdRequest.setKey(YOUR_API_KEY_VALUE);
If you are using the Html request, then use following format :
https://www.googleapis.com/youtube/v3/playlistItems?part=snippet%2CcontentDetails&maxResults=8&playlistId={PLAYLIST_ID}&key={YOUR_API_KEY}