I keep getting this error, I am trying to implement google reCaptcha v3, I gave myself all possible permissions on my service account but nothing seems to work.
I don't even understand the error.
these are some lines of the error from the terminal.
Error: 7 PERMISSION_DENIED: Permission 'recaptchaenterprise.assessments.create' denied on resource '//cloudresourcemanager.googleapis.com/projects/my-project-auth-330511' (or it may not exist)
...\node_modules#grpc\grpc-js\build\src\call.js:31
return Object.assign(new Error(message), status);
statusDetails: [
ErrorInfo {
metadata: {
permission: 'recaptchaenterprise.assessments.create',
resource: 'projects/my-project-auth-330511'
},
reason: 'IAM_PERMISSION_DENIED',
domain: 'cloudresourcemanager.googleapis.com'
}
],
reason: 'IAM_PERMISSION_DENIED',
domain: 'cloudresourcemanager.googleapis.com',
I would like to know what causes this error.
You should create a service account at credentials page.
Then, give reCaptcha Enterprise Agent role on creation (we did not manage to add roles to existing service-account).
Create service account
Give it some name
Assign recaptcha agent role
Related
We are using Azure AD B2C Custom policies with Microsoft Azure Active Directory to authenticate users. We implemented the password change policy as given in the example below.
https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/main/scenarios/password-change
We created a link the user can visit and change his password. Once the password is changed, the user is redirected to the application again.
However, in some cases, we get the following error when the user is redirected to the application after changing the password.
{
"error": "invalid_grant",
"error_description": "AADB2C90088: The provided grant has not been issued for this endpoint. Actual Value : B2C_1A_Dev_SignupSignin and Expected Value : B2C_1A_Dev_PasswordChange\r\nCorrelation ID: b3a2fdd5-df58-4aa1-8eca-d91503ebb75a\r\nTimestamp: 2022-08-31 12:23:48Z\r\n"
}
This error does not happen to all users. But for some users, it happens always.
We use MSAL Angular library with the following versions.
azure/msal-angular": "^2.1.1"
azure/msal-browser": "^2.22.0"
We appreciate any help to resolve this issue.
I am unable to access Microsoft Graph API's, I am getting the below error object-
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2021-03-11T07:17:41",
"request-id": "fa7c7d27-50f3-46ca-b7a9-25198e6cdd8e",
"client-request-id": "fa7c7d27-50f3-46ca-b7a9-25198e6cdd8e"
}
}
}
I have registered the application in the Azure registration portal, acquired client_id, tenant, and client_secret, and used that to generate an access token with the help of the below API-
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id={client_Id}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={client_secret}
&grant_type=client_credentials
The access token which I got in this response is used to further call Graph API's but it's giving me an error object attached above.
Please help me here.
This particular error is typically thrown when your application does not have the required permission to call a particular endpoint. Please go to the azure portal and grant the necessary Graph permissions for the endpoints you are calling. You can view the particular permissions you need by going to the Microsoft Graph documentation of the API you want to call and check under the permissions section. For signed in users, you will need the delegated permissions and for access as an application/daemon, you will need application permissions.
To grant these permissions, follow these steps:
Azure portal > Azure Active Directory > App Registration > All Applications > Search with your ClientID/AppID.
In that application navigate to:
Api Permissions > Add a permission > Microsoft Graph > Delegated permissions > Expand User > Select required permissions.
Once the permissions are added, click on Grant Admin Consent for Your Tenant.
I want to create a user who has admin rights (search, read, write) access on testIndex index. For this, I created a role testIndex_admin (ref. kibana screenshot given below) and assigned the new user this role.
However after the user logs in he only see an empty screen with a "Help us improve the Elastic Stack by providing basic feature usage statistics?" popup. On the browser console I found the following request being made which failed with 403 error.
Request URL: http://localhost:5601/api/saved_objects/_find?type=index-pattern&per_page=10000
{
"message": "action [indices:data/read/search] is unauthorized for user [user01]: [security_exception] action [indices:data/read/search] is unauthorized for user [user01]",
"statusCode": 403,
"error": "Forbidden"
}
Also, I get the following "Advanced Setting Error" popup that appears (give below)
ElasticSearch v6.3.2
Kibana v6.3.2
What can be done so that the user can access only his testIndex with all priviliges to it?
The kibana_user role grants access to the resources that are required when using Kibana.
You need to grant that role, and whatever additional roles you require to get access to the data itself.
So, if you want the user to be able to use Kibana, then you need to give them the kibana_user role.
So for example my list of roles would appear something like this:
testIndex_admin kibana_user
I use google-api-php-client library to access webmaster tools data. When I wanted to list sitemaps, it appeared Fatal error: Uncaught exception 'Google_Service_Exception'(403) User does not have sufficient permission for site. See also: https://support.google.com/webmasters/answer/2451999.'
I add the service account email address as a restrict user for my site, but error still exists.
Finally I find the answer:
A service account is not like a regular Google account. You cannot use it to access specific resources even if you give that specific address "access" to it. See here for the different ways you can authorize your requests to the Webmaster API.
For me the problem was not the actual permission, but the way the domain name is passed. Here is my Node.js example, but the same goes for PHP:
import {JWT} from 'google-auth-library';
const client = new JWT(
null,
'service-account.json',
null,
['https://www.googleapis.com/auth/webmasters.readonly'],
);
const res = await client.request({
url: 'https://www.googleapis.com/webmasters/v3/sites/sc-domain:yourdomain.com/searchAnalytics/query',
method: 'POST',
data: {
"startDate": "2020-04-01",
"endDate": "2020-05-01",
"dimensions": ["country", "device"]
}
});
console.log(res.data);
Notice the syntax sc-domain:yourdomain.com. Passing 'yourdomain.com' will result in the error User does not have sufficient permission for site yourdomain.com.
Make sure you added the service-account email as user in search console: https://search.google.com/search-console/users
A service account is not like a regular Google account. You cannot use it to access specific resources even if you give that specific address "access" to it.
You need to manage the service permissions via Webmaster Admin. Add your service account
whatever#developer.gserviceaccount.com
there.
I am trying to fetch user events from facebook but I am having some problem witht he request. I can access their profile image and their UID but for some reason when I try to access the events I get the following error:
{
"error": {
"type": "QueryParseException",
"message": "An active access token must be used to query information about the current user."
}
}
I have an active access token, that's what I am using to access the UID and profile pic but for some reason the events do not show up.
This is my call:
events
my login button looks like this:
<fb:login-button perms="user_events"></fb:login-button>
It also throws an error after login in.
The error is this:
The application must ask for a valid extended permission.
The invalid permissions requested were: .
I think your call url should look like this:
http://graph.facebook.com/me/events?access_token=[Your oAuth token]