I'm having a problem with the only limited access methods in shopping-content Api, my role in the account is owner but i'm getting 403 error permission denied
403 error
Limited access means that the method is only available to certain accounts. The problem is that the method is not enabled for your account.
If you are talking about the order related methods, you can try enabling the "Buy on Google" program on your account. For other methods, you can try reaching out to support and ask to have your account whitelisted.
Related
We have an application hosted in GCP which uses GSuite APIs to sync users from GSuite to our application and visa-versa using Service Account. It used to work well until recently some of our customers started facing issues.
We started getting
401 unauthorized. "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
There as been no change in our application and neither in the list of permissions granted. Following are the list of api access granted :-
https://apps-apis.google.com/a/feeds/domain,
https://www.googleapis.com/auth/activity,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.orgunit,
https://www.googleapis.com/auth/admin.directory.user,**
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.appdata,
https://www.googleapis.com/auth/drive.file,
https://www.googleapis.com/auth/drive.metadata,
https://www.googleapis.com/auth/drive.metadata.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement,
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromeos,
https://www.googleapis.com/auth/drive.apps.readonly,
https://www.googleapis.com/auth/drive.photos.readonly,
https://www.googleapis.com/auth/drive.scripts
The affected GSuite domains were working perfectly until yesterday. Also there are some domains which still work without any problem.
Can somebody please suggest what could the problem be. Is there any change in the APIs recently? Any help will be much appreciated.
"Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
There are several ways to authenticate to Google.
web based applications
native applications
mobile applications
and service accounts
The clients you create for these types is different as is the code to use them. The message you are seeing above means that the code you are using does not match the type of client you have created.
Make sure your code is designed for use with service accounts and make sure that the credentials file you have downloaded from google developer console is in fact credentials for a service accounts.
Why it worked previously and suddenly stopped i cant tell you this is an error you will always get if your code does not match your credential type.
The last option would be to double check that all of those apis are enabled in the Google developer console for your service account project.
I got the super admin privileges for to my Google Account.
I need to get the list of all the chrome devices through an API.
I did enable Google Admin SDK but still facing some issues.
I copied the exact python script from Python Quickstart for checking but still getting error as
"googleapiclient.errors.HttpError: https://www.googleapis.com/admin/directory/v1/users?customer=my_customer&orderBy=email&alt=json&maxResults=10 returned "Insufficient Permission">"
When checked on Admin SDK API dashboard I can see 4xx errors for every call made from my python script.
When you run the sample you need to make sure that this step
The sample will attempt to open a new window or tab in your default browser. If this fails, copy the URL from the console and manually open it in your browser.
If you are not already logged into your Google account, you will be prompted to log in. If you are logged into multiple Google accounts, you will be asked to select one account to use for the authorization.
Is done from the Google account which has access to your admin account. The user you are logged in with now does not have access.
I managed to get Super Admin access of Google account and then grant access to my project for different scopes. The docs/ references are so confusing hence it took a while for me to figure it out. So under the admin console, we have to get into Security >> Advanced Settings >> Manage API Client Access(under Authentication) and then add the client name and the scopes(multiple scopes separated by commas) for which we need access. Client name is the client-id which we can get from the client-secretxxxxx.json file(downloaded while creating the oauth id).
NOTE :- You do NOT need super admin access it is just that I was new and the guy who gave me the initial access wasn't sure what has to be enabled across.
Also couldn't post as a comment due to the limitation of characters.
our company is developing some services which use Google's ADMIN SDK apis.
Our problem is that when we call the apis endpoints it starts to say "403 insufficient permissions".
If we change the server with another IP then the service works again without any trouble.
Since we need to use the IP where we get "insufficient permissions" is it possibile that this is blackisted? And if so is it possibile
to whitelist them?
We havn't found any answer to this question in the documentation.
Thanks in advance
Antonio
Insufficient permissions does not mean you have been black listed. It means that you are trying to execute a method against the API that you haven't been authenticated for.
You specify what access you need by the scope command in your authentication process. There are a large number of scopes.
Lets say I authenticate my user with
https://www.googleapis.com/auth/admin.directory.group.member.readonly Scope
for only retrieving group member roles and information.
This will only give me read-only access to the group member directory.
What happens if I try and do Users: insert the documentation states that I need the scope of https://www.googleapis.com/auth/admin.directory.user. So if I try and insert a user when I only have read only access I am going to get
403 insufficient permissions
i am a google apps account user. I get this error when i try to access Google Plus Domains API. "Access to the Google+ Domains API is not allowed as the user has consented to incompatible scopes". The scopes that i requested for are: "https://www.googleapis.com/auth/plus.circles.read,https://www.googleapis.com/auth/plus.circles.write,https://www.googleapis.com/auth/plus.media.upload,https://www.googleapis.com/auth/plus.stream.read,https://www.googleapis.com/auth/plus.stream.write,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.readonly". I have been trying in vain for a long time to solve this. Can someone throw light on this?
Is it possible the user has previously consented to an app in the same project with scope https://www.googleapis.com/auth/plus.login? That scope is incompatible with the domains API, which may be causing the issue.
If this is your own user you are testing with, the easiest way might be to revoke all access to the app from your user settings, (https://security.google.com/settings/security/permissions) and seeing if you get the error then.
I know if a super administrator grants access to an application, that application (using OAuth) can access any user's (with that domain) calendar.
Does the same apply to a user's contacts (not shared contacts)? From my testing, I keep getting 403 Forbidden, meaning it's not possible.
Do you have the scope defined correctly for using the contact API?
https://developers.google.com/google-apps/contacts/v3/#authorizing_requests_to_the_api_name_service