I'm getting 417 error when calling https://apple-pay-gateway.apple.com/paymentservices/startSession with body:
{
"merchantIdentifier": "merchant.com.***",
"displayName": "***",
"initiative": "web",
"initiativeContext": "***"
}
The response I get:
{
"statusMessage": "Payment Services Exception merchantId=2B4D7F37BB3374A2C6B9F28C1042C408F9727EFE09C21EE71297302EBC830DF0 not registered for service",
"statusCode": "417"
}
Strange thing is with the same setup approximately 1% of calls returned the correct session, but most of the time api responds with 417. I've already tried to remove whole merchant identntifier and created new with all the new certs and domain registration - didn't help, now I get 417 for all requests. Any ideas? I could not find any information on apple docs what this error actually means.
Config below:
I've already tried:
creating new apple merchant identifier, merchant certificate, payment processing certificate from scratch three times
I've added and validated domain for frontend website and api
I've tried to make a request locally from postman and from the deployed api on validated domain - in both cases I'm using mechant certificate and private key
I've also tried to cnofigure the merchant identifier I'm using as part of Apple App ID Configuration - so it's assigned to Apple Pay Payment Processing capability. I want to use apple pay web integration, so this step does not make much sense anyway.
Related
I'm attempting to access the Admin SDK Directory API using a service account with domain wide delegation and the REST API. I can obtain a bearer token successfully when not impersonating a user, but with I attepmt to impersonate a user with a "sub" key, I receive a 401, "unauthorized_client" error. From everything I've read online (both in numerous SO answers & elsewhere), this would indicate that I haven't approved the application in my GSuite Admin console, but this is not the case.
Here are the steps I've taken so far.
1) Enable the Admin SDK
2) In IAM & Admin area, create a service account with DwD.
3) In Apis & Services area, select credentials and create service account key for the service account I just created.
4) Download the private key file.
{
"type": "service_account",
"project_id": "gsuite-REDACTED",
"private_key_id": "------3d2e",
"private_key": "REDACTED",
"client_email": "REDACTED-320#gsuite-REDACTED.iam.gserviceaccount.com",
"client_id": "-----0381",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/REDACTED-320%40gsuite-REDACTED.iam.gserviceaccount.com"
}
5) Enable API Access in admin.google.com
6) In "Manage API client access" add the Service Account ID and the following scope for the client created in (3)
7) Ensure that the user I plan to impersonate is a "super-admin"
When I attempt to generate the bearer token I receive a 401 error
{
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method."
}
I've tried using various libraries but always with the same result, so I'm guessing this has something to do with my app configuration rather than my code implementation. Would appreciate any help. For example, here I am using Ruby:
require 'googleauth'
scopes = ['https://www.googleapis.com/auth/admin.directory.user',
'https://www.googleapis.com/auth/admin.directory.group']
authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
json_key_io: File.open("gsuite.json"),
scope: scopes).dup
authorizer.sub = 'joe#-----.io'
puts authorizer.fetch_access_token!
I figured out the problem - it was configuration not code. In Step 6, when I was autorizing the API client, I was entering the "Service account ID", in my case: "REDACTED-320#gsuite-REDACTED.iam.gserviceaccount.com". Although this appears to work - the correct numerical ID appears (as shown in screenshot) - I was getting 401 errors.
However, when I entered the "client_id" from my private key file, in my case a number ending in 0381, and used the same scope, THEN I could authenticate successfully.
It's frustrating that entering the service account id didn't throw an error., but all's well that ends well.
How long have you waited after step 6? Getting access after it's entered into the admin console can sometimes take a few hours.
I am trying to implement server-to-server integration with Dynamics CRM Online 2016 and BizTalk 2013 R2. I am using the WebHttpBinding to call the CRM web API, which requires a bearer token supplied as an http header:
Authorization: Bearer [base64string]
I have written a client message inspector which calls Azure AD using ADAL to acquire an access token. This is secured with a client assertion certificate, which is assigned to the registered app in our AD tenant:
var token = context.AcquireTokenAsync(this.ResourceUri, assertionCert).Result;
ResourceUri is https://[myorganisation].crm4.dynamics.com
assertionCert is a ClientAssertionCertificate created using the app registration application ID and an x509 certificate in the machine certificate store that is registered to the app as a KeyCredential
This 'works' in that it returns a token and I can decode this token to inspect the claims - there are a fair number of them, I have no way of telling whether this is the set of claims that CRM requires.
The AD app registration is configured with delegated permissions to the CRM instance.
I have set the application ID in the CRM local user to that of the app registration.
Upon calling the webAPI and supplying this token, CRM responds with 401 unauthorized.
I have repeated the same process in a powershell script and in PostMan, all of which appear to show the same behaviour.
What else am I supposed to do to make CRM accept my access token?
edit #1: Tried hardcoding the authority URI to https://login.windows.net/[my-tenant-id]/oauth2/token rather than what comes out of dynamically acquiring the authority through AuthenticationParameters - this is the same value except ending with /authorization instead of /token. This makes zero difference.
edit #2: An administrator I am working with pointed out to me that the application user I am expecting to use had no user roles assigned - this has been amended to have a role which should allow API access, but this also made no difference.
edit #3: Set oauth2AllowImplicitFlow to true in the manifest for the app registration. This doesn't make any difference.
edit #4: Made some progress by creating a new app registration, this time as a Native app rather than a web app. I managed to get a token using a client secret, and this was accepted - BUT when assigning a certificate to the app, and presenting a ClientAssertionCertificate as before, I get the response from the authority:
Error validating credentials. AADSTS50012: Client is public so a client_assertion' should not be presented.
WHY? What does 'Client is public' mean? Just work!
Hrrrmph!
Turns out that the original situation I had tried and failed with, now works.
Web application registration with delegated permissions to CRM Online
Install a client certificate on the client machine, and register this same certificate to the app using New-AzureADApplicationKeyCredential
Link the app registration to a CRM Application User created for this purpose (they are fundamentally different to interactive users) - n.b. this screen is not easy to find
Call AcquireTokenAsync() from ADAL
Just works
I am at a loss to explain why this didn't work the first time I tried it, as CRM doesn't supply any information as to why token validation failed.
I wrote a PHP application which tries to create an User in my Google Directory. I don't use the Google Libraries. I succeded making requests to the Android Enterprise API. I can enroll and unenroll Enterprise Service Accounts with my MSA. So I assume my Code for the JWT and Requests work.
I created a Service Account and enabled "Domain Wide Delegation" and added the following permission "https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group" to my API Client under the "Manage API client access" windows.
My Service Account has the status role "Editor" in the "Permissions for project" windows.
So first my script gets the Bearer token from the Google Server, for that I create a JWT and encrypt it with my private key.
The Token contains the following fields
"iss" => sacname#projectname.iam.gserviceaccount.com
"scope" => "https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group"
"aud" => "https://www.googleapis.com/oauth2/v4/token",
"exp" => timestamp+3000,
"iat" => timestamp
When I do that request I get a bearer token, but when I use that token to make the insert request I always get the message "Not Authorized to access this resource/api" with an HTTP 403.
When I add the field "sub" to my JWT and specify the email of the Project admin "admin#mydomain.com" I can't even get the bearer token, then I get a 401 error with the following message "Unauthorized client or scope in request."
After that I tried something "easy", I just wanted to get a list of all users in my directory. But the Google Server just reponds with an "bad request" error. I got the same error with the API Explorer which is on API Page. Maybe the API is broken ? At least the API Explorer should work.
https://developers.google.com/admin-sdk/directory/v1/reference/users/list
Do you have some ideas why I can't create users with my service account ?
(I had to insert some spaces in the scopes and urls because I'm not allowed to post more than two links)
Greetings
Philip
Adding the sub claim is the right thing to do, because you must impersonate a super admin to use Directory API. If you get a "Unauthorized client or scope in request" response, that might be because there's a typo in the service account client ID you used to authorize (or the scopes), or that not enough time has passed (it usually propagates within a few minutes, but could take up to 24 hours).
See JWT error codes for more details on possible errors and causes.
Do you have some ideas why I can't create users with my service account?
Yes. Your service account seems to have no authority to create users. Check your Service Account's role in GDC to check if it's Owner, Editor, Viewer,etc. The scope of what they can do depends on that. Watch this Google video for a live demo.
Also, try to read more on Using OAuth 2.0 for Server to Server Applications.
I am trying to manually write a log entry using Google Cloud Logging API.
Before doing this via code, I am first trying to do it using the Google APIs Explorer. Here is a screen shot of the request I've built using this tool:
In projectsId I have the Google Project Id that I've copied from the
Google Developer Console.
Likewise for metadata.projectId.
In metadata.userId I have the Client Id of the same Service account that I'm using to authenticate (OAuth2) against the Google Logging API.
Google Logging API is enabled for the project.
The Service account belong to the project and has the "Can edit" permission.
I'm 99% sure that I've setup OAuth2 correctly for the request.
When I execute this request, I get the following response:
{
"error":
{
"code": 400,
"message": "Unsupported service specified",
"status": "INVALID_ARGUMENT"
}
}
Why? and how can I fix this?
The error message was actually telling me exactly which argument was invalid - The serviceName I supplied was bogus ("test").
As soon as I set the serviceName to be "compute.googleapis.com", the problem went away and I received a 200 status code indicating success.
I'm using Google client libraries and trying to make a GET request to Google Play API.
GoogleCredential credential= new GoogleCredential.Builder().setTransport(netHttpTransport)
.setJsonFactory(jacksonFactory)
.setServiceAccountId(CLIENT_ID)
.setServiceAccountScopes(SCOPE)
.setServiceAccountPrivateKeyFromP12File(file)
.build();
credential.refreshToken();
HttpRequestFactory requestFactory =netHttpTransport.createRequestFactory(credential);
GenericUrl url = new GenericUrl(URI);
HttpRequest request = requestFactory.buildGetRequest(url);
HttpResponse response = request.execute();
I get
{
"code" : 401,
"errors" : [ {
"domain" : "androidpublisher",
"message" : "This developer account does not own the application.",
"reason" : "developerDoesNotOwnApplication"
} ],
"message" : "This developer account does not own the application."
}
My app is unpublished, would that cause the problem?
I've got the same problem. It occurs because you authorize user in Google API who does not own the application and try to get data that belong to your app.
In this topic it is well described. http://support.google.com/googleplay/android-developer/bin/answer.py?hl=en&answer=2528691&topic=16285&ctx=topic
You should authorize by OAuth2 the owner of application, and then use Google API with obtained token.
The problem is you are using the Service accounts OAuth 2.0 flow to authorize to the android-publisher API. I was doing it the same way. However, Google requires to use the Web server applications flow, which is ridiculous, since a human interaction is needed to allow for the API access.
Fortunately there is a way around it. You just have to obtain the refresh_token, store that and keep using it for future API calls. I wrote about it in more detail on my blog.
We also struggled with this problem as we wanted to validate a purchase on our servers in order to unlock certain features. We tried multiple solutions and frameworks, written by fellow community users and even official implementations but none worked.
Turns out all we had to do was renew our OAuth token (which we just created) and then it all started working.
I suspect that problem is exactly in publishing. You first need to bind your app to your (developer) account and then you will receive CLIENT_ID and other credentials (such as secret key and so on).