I am trying to set mail categories from an Outlook AddIn, via MS Graph.
When I call the PATCH for a users mailbox, this is working like a charme. Like this:
PATCH https://graph.microsoft.com/v1.0/users/{some-users-mail-address}/messages/{message-id-to-categorize}
If I use a share mailbox instead I get an error 403.
I already added the permission:
Mail.ReadWrite
Application
Read and write mail in all mailboxes
This should be enough, right? From the description, I'd expect this to include the shared mailboxes, too.
I found there is a delegated permission Mail.ReadWrite.Shared, but I cannot use it since I am not in a context with a user and is not selectable as application permission.
Found this:
Generated token is not able to access Graph APi to read shared mailbox messages
Admin consent is given for all scopes.
EDIT: If I check the token as Shiva Keshav Varma suggested it prints:
"aud": "https://graph.microsoft.com",
"idtyp": "app",
"roles": [
"Mail.ReadWrite",
"User.ReadWrite.All",
"Directory.Read.All",
"User.Read.All",
"Mail.Read",
"MailboxSettings.ReadWrite"
],
"ver": "1.0",
Related
I have created a Service account and I need to move event1 from calendar1 of User1 to calendar2 of User2.
When I request access token as User1 with "sub":"user1#gmail.com" during JWT step and using that token When I do following
POST https://www.googleapis.com/calendar/v3/calendars/User1calendarId/events/event1Id/move?Destination=user2calendarId
I get following error
{
"error": {
"errors": [
{
"domain": "calendar",
"reason": "requiredAccessLevel",
"message": "You need to have reader access to this calendar."
}
],
"code": 403,
"message": "You need to have reader access to this calendar."
}
}
Are there any permission that needs to be assigned to Service Account in order to make this operation? or What should be correct way to move event between different user's calendar as a Service Account?
Explanation:
The scopes you are adding to your application are classified as sensitive scopes, as they request access to private user data such as Calendar events.
Your application would need to undergo a verification process to be able to use these scopes. For more information, please check the official documentation.
Sensitive scopes
Some of the scopes used by the following APIs are considered sensitive; see the API documentation or look for the lock icon in the Cloud Console. If your app requests sensitive scopes, and doesn't meet any of the criteria for an exception (see below), you will need to verify that your app follows the API Services User Data Policy.
For a complete list of Google APIs, see OAuth 2.0 Scopes for Google APIs. To check if scopes are sensitive or restricted, add the scopes to your project via the Google Cloud Console.
I have a question about the top-level access token that is returned after the "Add to Slack" button is clicked and consent is granted.
This is the JSON response:
{
"access_token": "xoxp-XXXXXXXX-XXXXXXXX-XXXXX",
"scope": "incoming-webhook,commands,bot",
"team_name": "Team Installing Your Hook",
"team_id": "XXXXXXXXXX",
"incoming_webhook": {
"url": "https://hooks.slack.com/TXXXXX/BXXXXX/XXXXXXXXXX",
"channel": "#channel-it-will-post-to",
"configuration_url": "https://teamname.slack.com/services/BXXXXX"
},
"bot":{
"bot_user_id":"UTTTTTTTTTTR",
"bot_access_token":"xoxb-XXXXXXXXXXXX-TTTTTTTTTTTTTT"
}
}
In documentation https://api.slack.com/docs/slack-button, the only place that mentions the top-level access_token is "Use the top-level access_token value for other integration points."
Could you please give some examples on how the top-level access_token will be used?
This is the standard response from Slack after a successful installation of your app to a Slack workspace, e.g. via "Add to Slack" button.
You get two tokens, which have different meanings:
access_token: This is called the user token. It allows your app to work directly on behalf of users, based on the OAuth scopes they award to your app. e.g. it can upload files on behalf of the user that installed the app. You always get this token if you install a Slack app.
bot_access_token: bot token, which allows your app to work on behalf of its bot user and always has the bot scope. You only get this token if your app includes a bot user.
If you have both tokens I would recommend to use the bot token primarily, because that way all your actions will clearly show as being related to your app.
Note that not all API methods work with a bot token. (check the documentation of your API method to find out which token works)
I guess Gmail API doesn't provide any way to get users profile image.
I can use Google+ API to get the url but I should have user's google+ username.
I only have user's email id and his/her account access token(gmail).
The answer to this question points to a url hosted by picasaweb.google.com which is discontinued now and also does not return any result for emailid of users with Gsuite account.
If you have authenticated the user. You should be able to use people.get
GET https://www.googleapis.com/plus/v1/people/me
response
"image": {
"url": "https://lh5.googleusercontent.com/-a1CWlFnA5xE/AAAAAAAAAAI/AAAAAAAAl1I/UcwPajZOuN4/photo.jpg?sz=50",
"isDefault": false
},
This will require that you have profile scope requested or one of these.
https://www.googleapis.com/auth/plus.login or https://www.googleapis.com/auth/plus.me
It will also require that the user created a google+ account. This is the only way to get the users profile picture unfortunately.
Option two is the people api which is linked to google contacts which may include the users profile picture if they added it. People.get
GET https://people.googleapis.com/v1/people/me?personFields=photos
Also returns
"url": "https://lh5.googleusercontent.com/-a1CWlFnA5xE/AAAAAAAAAAI/AAAAAAAAl1I/UcwPajZOuN4/s100/photo.jpg"
I have a web application where users can sign in with their username and password or with Google Account. If the email from their Google Account happens to be one of the users' email, this user is signed in. In the response from Google API on sign in I get their avatar.
Is it possible to get user's avatar from Google Account just by email without them having to sign in?
While technically speaking a users profile info should be public. You shouldn't need access to see a users google avatar. The problem is that there is no way to search for a user based upon their email address.
I tried people api, gmail api, contacts api, google plus api. None would allow me to search unauthenticated for a user based upon their email address.
update
after google+ shutdown this workaround no longer works
The only thing I did find that worked was this.
http://www.google.com/profiles?q=myemail#gmail.com
Which will really only work if the user has a Google+ account. You should be able to scrape the users id off of that then run an Activities: search which would return any posts they had made and in that contains.
"actor": {
"id": "117200475532672775346",
"displayName": "Linda Lawton",
"url": "https://plus.google.com/117200475532672775346",
"image": {
"url": "https://lh5.googleusercontent.com/-a1CWlFnA5xE/AAAAAAAAAAI/AAAAAAAAdVM/sHkU9F-AwwQ/photo.jpg?sz=50"
},
Again all of this will only work if the user has a google+ account and actually uses it.
I'm making an application that requires access to the shared/room-resource calendars in an Office 365 instance, using non-admin accounts. I've registered an app (in the Microsoft Application Registration Portal) using the V2 endpoint and Auth Code Grant. This successfully allows me to log in, and gives me a functional token with the Calendars.ReadWrite.Shared scope. With this token, I can retrieve my own calendars, and calendars that have been explicitly shared with me (and therefore added to my list of calendars). All of this is doable with just the normal Calendars.ReadWrite scope.
However, I get errors when requesting access to any other shared calendars, like the room calendars. Here's an example. If I make a GET call to https://graph.microsoft.com/beta/users/my-own-email#business.com/calendars it successfully returns a list of my calendars. If I make a GET call to https://graph.microsoft.com/beta/users/meetingroom1.4#business.com/calendars I get a 404 (Not Found) Error. The same error occurs for any other user, not just meeting rooms. Note that I can see these calendars when I'm logged into Office 365 online with the same account.
A different error occurs if I ask for events not calendars. If I make a GET call to https://graph.microsoft.com/beta/users/meetingroom1.4#business.com/events, I get a 500 (Internal Server) Error.
I've checked all the other threads I can find on the issue, and this one from November How to access shared calendars from Office REST API? says there's some kind of blocking issue on Microsoft's end. It's using the Office REST API rather than Graph, but on the back-end the APIs call the same stuff. Is this issue still about? Alternatively, am I missing some further permissions? I tried adding quite a few different permissions on top of Calendars.ReadWrite.Shared, but none of them fixed it. Is there a correct combination?
Thanks so much for any help, and let me know if any other info would be useful for diagnosis.
So if anyone else happens to be interested in this, I figured out a way to access room resource calendars without using the Calendars.ReadWrite.Shared permission. This allows you to use just the Calendars.ReadWrite permission to access the room resources, by moving them into the list of calendars of the email you're authenticating with. However, it will only work for specific accounts that you share the calendars with, so won't be usable in apps that have to work for any account. This is good enough for my use-case, but may not be for yours.
First, find or make an account that is a delegate to, and has full access to, the room resource calendar you want to use. On that account click 'Open another mailbox' in the dropdown list under your profile image.
Open another mailbox location
In the pop-up that follows, put in the email address of the room resource calendar that you want to use.
Then, on the new page that opens (which should be the Office account of the room resource calendar):
Navigate to the calendar page
Click 'Share'
Share the default calendar with the account you plan to authenticate with.
Then log into that 'authentication' account, check its email for the notification of the shared calendar, and click 'accept'. What this will do is move the calendar into the authenticated account's list of calendars, meaning you can access it with just a call to the https://graph.microsoft.com/v1.0/me/calendars endpoint. You'll have to repeat it for every calendar you want to be able to access, sadly.