I am trying to get an access token for google OAuth with scope https://www.googleapis.com/auth/playdeveloperreporting.
But it's shows an errors like "Some requested scopes cannot be shown: [https://www.googleapis.com/auth/playdeveloperreporting].", Error 400: invalid_scope.
In my OAuth consent screen. I added scope. check the blow image.
In Google scope list - https://developers.google.com/identity/protocols/oauth2/scopes
Missing this scope https://www.googleapis.com/auth/playdeveloperreporting.
How can I get an access token with the scop https://www.googleapis.com/auth/playdeveloperreporting?
Thanks.
Related
I have an app that uses the Google Calendar API and I seem to have a corrupt/defunct access token and/or refresh token which is resulting in the following error:
Signet::AuthorizationError
Authorization failed. Server message: { "error": "invalid_grant", "error_description": "Bad Request" }
Code for the authorization:
client_id = Google::Auth::ClientId.new(CLIENT_ID, CLIENT_SECRET)
token_store = EncryptingTokenStore.new(TokenStore.new)
scope = "https://www.googleapis.com/auth/calendar"
authorizer = Google::Auth::UserAuthorizer.new(client_id, scope, token_store, callback_url)
authorizer.get_credentials(CALENDAR_ID)
On investigation the UserRefreshCredentials we get back from authorizer object has an expires_at date in the past (11/01/2021).
I deleted the offending refresh token that we have stored, revoked access via the google account settings, then reauthenticated the user account with the app to reapprove offline access to Google Calendar again. This did not give me a new access and refresh token as expected. The expires_at is still 11/01/2021. We have valid refresh tokens in storage but for some reason Google is still picking up the old details despite that refresh token no longer existing. So I need to find a way to refresh or overwrite the UserRefreshCredentials that the Google API is using.
Other steps I have tried:
I tried to refresh the token from within a production console with some methods that come with the ruby google client gem but this fails with the same invalid_grant/Bad request error that is at the root of this issue.
I also tried to refresh the token with a POST request to the oauth2 endpoint:
https://oauth2.googleapis.com/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&refresh_token=REFRESH_TOKEN&grant_type=refresh_token
but this also fails with the same invalid_grant/Bad request error.
If anyone can shed any light that would be much appreciated.
I've followed the tutorial code linked here:
https://learn.microsoft.com/en-us/xamarin/xamarin-forms/data-cloud/authentication/azure-ad-b2c
But when signing up (which isn't covered in detail in above link), the AuthenticationResult returns a null access_token. Is there perhaps a b2C setting that I'm missing?
You need to represent a resource to obtain an access token for using app registrations
https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-desktop-app-webapi?tabs=app-reg-ga
You need to ask for a scope in the MSAL code to get an access token for a specific resource:
https://github.com/Azure-Samples/active-directory-b2c-xamarin-native/blob/master/README.md
So I'm trying to use the Home Graph API by calling the API endpoint
https://homegraph.googleapis.com/v1/devices:requestSync
It is a HTTP POST request and it needs an ACCESS_TOKEN and service account key.
Getting the service account key is easily done as per Google's documentation. The issue is getting the ACCESS_TOKEN.
As per this documentation by Google, I need to get ACCESS_TOKEN created using the following scope of permissions
https://www.googleapis.com/auth/homegraph
I opened OAuth 2.0 Playground to request a developer temporary ACCESS_TOKEN for testing. I wrote all the necessary urls and in scope I wrote this-
scope is written to be authorized
Now after this, I am navigated to my Authorization URL (ie, Google's sign in page). I login with email id and password.
If credentials are correct and scope mentioned is valid then I should have been redirected to OAuth playground page with authorization code which I would have exchanged for access token and refresh token.
But, what actually happens is after I enter my credentials, I get following error and I am never redirected to Oauth Playground page-
Authorization Error
Error 400: invalid_scope
Some requested scopes cannot be shown: [https://www.googleapis.com/auth/homegraph]
Request Details
access_type=offline
o2v=2
response_type=code
redirect_uri=https://developers.google.com/oauthplayground
prompt=consent
client_id=xxxxxxxxx.apps.googleusercontent.com
scope=https://www.googleapis.com/auth/homegraph**
I searched a lot online too, but couldn't find the actual reason.
So due to this issue with scope, I am not able to get ACCESS_TOKEN.
I have followed Google's documentation and the scope was mentioned there.
This is the pic from oauth 2.0 playground settings- OAuth 2.0 configuration
The issue is that you, a user, should not be getting and sending an access token. The service account should be getting and sending an access token. This is to make sure your service is authorized to talk to the Home Graph API.
You indicated you logged into the OAuth playground with "userid and password". But service accounts don't have passwords.
If you are using one of Google's libraries, it will take care of getting the access token for you, and this is the easiest way to do so. If you are just testing and need an access token, you can use something like oauth2l to get the access token based on the service account credentials.
I had implemented the REST approach to call HomeGraph Report State as below.
We need to follow the below steps:
Create a service account for your project and safely store the json file
Using the service account JSON, get the access token from Google
Using Oauth 2.0 token as Bearer authorization, invoke Report State API
Step 1:
This is straightforward. Please follow the steps in the below link
https://developers.google.com/assistant/smarthome/develop/report-state#expandable-1
Step 2:
Refer below code to get the Access token using service account json
GoogleCredentials credentials = GoogleCredentials
.fromStream(Helper.class.getClassLoader().getResourceAsStream("smart-home-key.json"))
.createScoped("https://www.googleapis.com/auth/homegraph");
credentials.refreshIfExpired();
AccessToken token = credentials.getAccessToken();
return token.getTokenValue();
Step 3:
Invoke Report State API
curl -X POST -H "Authorization: Bearer [[Access token from Step 2]]"
-H "Content-Type: application/json"
-d #request-body.json
"https://homegraph.googleapis.com/v1/devices:reportStateAndNotification"
Reference Links :
https://developers.google.com/assistant/smarthome/develop/report-state#http-post
https://cloud.google.com/endpoints/docs/openapi/service-account-authentication
https://developers.google.com/identity/protocols/oauth2/service-account#httprest_1
https://developers.google.com/assistant/smarthome/develop/report-state#expandable-1
I am trying to get the User account information for which I am trying to Test using Slack Tester.
api.slack.com/methods/users.profile.get/test
when I give my Token and click on Test I am getting the error below:
{
"OK": false,
"error": "missing_scope",
"needed": "users.profile:read",
"provided": "identify,bot,incoming-webhook"
}
Your token is missing the required scopes.
As the error message says you need the scope users.profile:read to run the API method users.profile.get.
To get a token with the needed scope you need to add the scope to your Slack app and reinstall into the workspace.
Also this API method will not work with bot tokens. You need to provide a user token aka Oauth Access Token.
I have a Google App Engine endpoints projects which is protected by Oauth2. I saw some request has failed due to Invalid token.
Request URL: https://example.appspot.com/_ah/api/mm/v1/list?filter=q%3Dtest&alt=json
Method: example.resource.list
Error Code: 401
Reason: required
Message: Invalid token.
I could log out the token from the HEADER of the request.
The token I get is access token, format like, ya29.vwGg-....
When I tried with
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=
to find out token information, like issue_to, client_id, extra.
It returns back with
{
error: "invalid_token",
error_description: "Invalid Value"
}
I have tested with
https://developers.google.com/oauthplayground
the url returns back the same error if the token has been expired.
My guess for the reason my request has failed is the token used has expired.
But not 100% sure.
Is there way to find token info about expired access token?
Or maybe more widely,
is there any way to find more info about invalid access token, like why it is invalid or anything else?
I remove google account and add google account, then login works.
Google's guide for Google Sign-In for Android on how to Authenticate with a backend server.
A simple way is to check the token, XYZ123 is your token
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123
There are many ways to get token information. Generally token will be invalid for various reasons so of the important reasons are Invalid Signature and Token expired. You can use https://jwt.io to decode your token and get the info. Your error description clearly tells the reason about why your token is considered invalid. Try deep diving into the code and see why it says invalid value.