Google Calendar API request is denied for scope https://www.googleapis.com/auth/calendar.app.created - google-api

My app needs to create a Google Calendar and manage events in it for users. The Google API Console allows creating a consent form for this scope:
https://www.googleapis.com/auth/calendar.app.created
It is supposed to allow creation of secondary calendars and events in those calendars. The description reads:
Make secondary Google calendars, and see, create, change, and delete events on them
However, after a user gives permission through the consent form etc., I am getting PERMISSION_DENIED when I try to create a calendar (I am using the REST API https://www.googleapis.com/calendar/v3/calendars):
{
  "error": {
    "code": 403,
    "message": "Request had insufficient authentication scopes.",
    "errors": [
      {
        "message": "Insufficient Permission",
        "domain": "global",
        "reason": "insufficientPermissions"
      }
    ],
    "status": "PERMISSION_DENIED"
  }
}
My code and the rest of the plumbing (authorization code, access token etc) works because if I use this scope:
https://www.googleapis.com/auth/calendar
I am able to create the calendar.
So, does anybody know if https://www.googleapis.com/auth/calendar.app.created is deprecated or something? It is not listed in the V3 calendar documentation, but I was hoping that it would continue to work. I hate to ask the user for full permission to all calendars since I only want to create and access a secondary calendar, and that scope is supposed to do exactly what I need.
Thoughts?

As you can see under OAuth 2.0 Scopes for Google APIs, https://www.googleapis.com/auth/calendar.app.created is not a valid scope for Calendar API v3.
The documentation for Calendars:insert states that the only valid scope for creating a new calendar is https://www.googleapis.com/auth/calendar.
You noticed yourself that if you try to create a calendar with https://www.googleapis.com/auth/calendar.app.created, be it on OAuth2 playground or elsewhere, the request fails with a 403 error.
CONCLUSION
Unfortunately https://www.googleapis.com/auth/calendar.app.created is not a valid scope; the acceptance of this scope on OAuth2 playground is a bug.

https://www.googleapis.com/auth/calendar.app.created might not seem like a valid scope, but it works for me.
I could successfully create a new calendar with that scope and then manage events within it, and the calendar itself appears in the list of calendars in calendar.google.com.
I can't really help much without knowing exactly the flow you have for creating and executing requests to Google. Also keep in mind it worked for me with a server-side app, using the latest library provided by Google for PHP.

Related

I want to read my server gmail account email from java application

I need help in understanding the exact path I should follow to solve my problem.
I have a Gmail address (I can say this Gmail address is used by my Java application). Whenever a mail comes to this Gmail address, I want my application to know and get the email from my Gmail inbox and proceed with the further logic.
So far, going through the Google docs, I have created a topic and a subscription that is subscribed to that topic. Using the push mechanism, I'm also able to call my endpoint whenever a message gets published manually from the Google console to that topic.
Now I want that, if any email comes to my Gmail address, it should notify my endpoint, and after that I can just fetch the email from Gmail and proceed with the logic.
Here, as I have only my own Gmail address which I will be accessing, I don't think I need to go for the OAuth2 mechanism for Gmail authentication purposes.
I went through the documentation, which says I should create a watch request; then maybe if the Gmail inbox receives a mail it will notify my endpoint and then I can fetch the mail and proceed further. But I'm not sure what and how exactly I should proceed. Do I need a service account? If yes, I have already created a service account and downloaded my private key.
GoogleCredential.fromStream(new FileInputStream("file.json"))
.createScoped(Collections.singleton(GmailScopes.MAIL_GOOGLE_COM)).createDelegated("xxxxx.iam.gserviceaccount.com");
Then I'm calling the watch request as:
Gmail gm = new Gmail.Builder(GoogleNetHttpTransport.newTrustedTransport(), JSON_FACTORY, googleCredBuilder()).build();
WatchResponse res = gm.users().watch("me", request).execute();
I got this error.
POST https://www.googleapis.com/gmail/v1/users/me/watch
{
  "code": 400,
  "errors": [
    {
      "domain": "global",
      "message": "Precondition check failed.",
      "reason": "failedPrecondition"
    }
  ],
  "message": "Precondition check failed.",
  "status": "FAILED_PRECONDITION"
}
Can someone please help how exactly I should proceed to achieve my goal.
Thank you.
"Precondition check failed."
Means that you are trying to use a service account with a standard Google Gmail address.
Service account authorization only works with the Gmail API and Google Workspace accounts once domain-wide delegation has been configured.
You have two options:
Switch to using a Google Workspace domain account.
Use OAuth2, and set your application to production and not test so that the refresh token won't expire. Authorize your application once, store the refresh token, then upload it to the server. It will be able to use the refresh token to request a new access token whenever it needs.

Error Migrating Google Workspace to O365 - Calendar API Errors

I'm trying to build out a migration from Google Workspace into MS365. I've tried each of MS's recommended methods; Automatic, Manual, and PowerShell. For each one, I get the same error message
post-migration
uri=https://www.googleapis.com/calendar/v3/users/me/calendarList?maxResults=250 response={ "error": { "code": 403, "message": "Google Calendar API has not been used in project 206754733531 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/calendar-json.googleapis.com/overview?project=206754733531 then retry.
If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
"errors": [ { "message": "Google Calendar API has not been used in project 206754733531 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/calendar-json.googleapis.com/overview?project=206754733531 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.", "domain": "usageLimits", "reason": "accessNotConfigured", "extendedHelp": "https://console.developers.google.com" } ], "status": "PERMISSION_DENIED", "details": [ { "#type": "type.googleapis.com/google.rpc.Help", "links": [ { "description": "Google developers console API activation", "url": "https://console.developers.google.com/apis/api/calendar-json.googleapis.com/overview?project=206754733531" } ] }, { "#type": "type.googleapis.com/google.rpc.ErrorInfo", "reason": "SERVICE_DISABLED", "domain": "googleapis.com", "metadata": { "consumer": "projects/206754733531", "service": "calendar-json.googleapis.com" } } ] } } . --> The remote server returned an error: (403) Forbidden.
When I follow the link
https://console.developers.google.com/apis/api/calendar-json.googleapis.com/overview?project=206754733531
I see the following screen
Relating to the PERMISSION_DENIED portion of the error, I have ensured that the ServiceAccount associated with the project has been added to the project and has the requisite permissions based on MS's documentation.
I really don't know what I'm doing incorrectly or where I'm going wrong. I'm incredibly new to all things programming and development so I apologize if this isn't nearly enough detail. I'm happy to provide more context/info as needed.
Google Calendar API has not been used in project 206754733531 before or it is disabled
Means that the Google Calendar API has not been enabled in your app or it's disabled.
Here are a few things to check, in order of likelihood of causing your issue.
I would double-check that you are in fact checking the correct project on Google Developer Console for the service account credentials you are using. You may have downloaded a file for a different project and are checking the wrong one.
After that I would check the quota allotment you have for the Google Calendar API. Click the manage button in that link. If your quota is 0 then Google has disabled your access for some reason. If they have, check your email; they should have told you why it was disabled.
SERVICE_DISABLED
If you have created the service account on Google Developer Console logged in as a standard Gmail user, it's not going to work. Service accounts only work with the Google Calendar API with Google Workspace.
PERMISSION_DENIED
Make sure that you are creating this service account on the domain that you intended to access. Google Calendar only works with service accounts from Google Workspace domain accounts with domain-wide delegation set up. A great guide to setting up delegation is Perform Google Workspace Domain-Wide Delegation of Authority; just change the scopes to the Google Calendar scope you are using.

Unable to assign LUIS az accounts to LUIS apps via REST

The LUIS resources that I created aren't showing up in the LUIS portal (posted a question here), so I decided to use the REST APIs to configure things manually. With the REST endpoints I was able to import apps. However, I wasn't able to add a LU resource to the imported apps even though the APIs return success.
Below is the call.
POST https://westus.api.cognitive.microsoft.com/luis/api/v2.0/apps/<appid>/azureaccounts
{
"azureSubscriptionId": "<id>",
"resourceGroup": "<rg name>",
"accountName": "<resource name>"
}
returns 201 CREATED
{
"code": "Success",
"message": "Operation Successful"
}
However, a subsequent GET call returns empty result.
GET https://westus.api.cognitive.microsoft.com/luis/api/v2.0/apps/<appid>/azureaccounts
I tried the GET call a couple of hours later and it is still returning an empty result. What is going on?
It sounds like there's something wrong with your Azure account and/or your luis.ai account. There are two places to raise support requests to handle these types of matters. First is uservoice on LUIS.ai:
While issues raised here are typically routed back to the bot framework support team, once there, they can be escalated.
Secondly, you can raise the issue in Azure:
You can follow this link HERE to get to that blade quickly.

Luis: Access denied due to invalid subscription key

I am facing the following issue when I try to update an application on LUIS using the following request:
https://westus.api.cognitive.microsoft.com/luis/api/v2.0/apps/app-id-here
header:
Ocp-Apim-Subscription-Key:paid-subscription key
body:
{
"name": "Name of luis app",
"description": "string"
}
I am getting the following error:
{
"statusCode": 401,
"message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription."
}
I am using a paid subscription from the Azure portal with the westus region. Still facing this issue.
However, this key works when I try to get the top-scoring intent using the following request:
https://westus.api.cognitive.microsoft.com/luis/v2.0/apps/luis-app-id?subscription-key=subscription-key-azure&timezoneOffset=-360&q=hi
This is really weird, as the subscription key works for a GET request but not for a PUT or POST request.
Any suggestions?
PS: I am using a paid subscription key.
The (subscription) keys created with a Cognitive Service LUIS resource in Azure Portal, even when added to with Assign resource in luis.ai, can only be used for runtime queries on a defined app.
The authoring endpoints on LUIS Programmatic APIs v2.0 - to create and manage apps and their elements - can only be used with the Authoring Key available in the luis.ai portal.
More information can be found in Authoring and query prediction endpoint keys in LUIS.
It looks like you have two issues you are working through here.
First, the API you are trying to post to should read "https://[location].api.cognitive.microsoft.com/luis/api/v2.0/apps/{appId}/publish". From the looks of it, you are missing the 'publish' at the end of your API call.
Second, the paid subscription key needs to be added to your LUIS app. Can you confirm it has been added? If not, follow these steps to do so:
Click Manage => Keys and Endpoints.
Next, click 'Assign resource'.
A window will pop up allowing you to select the tenant, subscription, and the key to use.
Click OK.
Click 'Publish' to make the newly generated endpoint accessible.
Make sure you add subscription primary key value in my request and also make sure you have associated your API with the product which you used the Primary key

Google Classroom API modifyAttachments

When executing the courses.courseWork.studentSubmissions.modifyAttachments method in the Google Classroom API, a 403 error is returned when I try to add the attachment to the student's submission.
GoogleJsonResponseException:
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "#ProjectPermissionDenied The Developer Console project is not permitted to make this request.",
    "reason" : "forbidden"
  } ],
  "message" : "#ProjectPermissionDenied The Developer Console project is not permitted to make this request.",
  "status" : "PERMISSION_DENIED"
}
The call is being made from an authenticated student account and being added as a Link resource. The Developer Console project DOES have the Google Classroom API enabled, and other calls to the Google Classroom API are working fine, such as courses.list and courses.courseWork.studentSubmissions.get. What am I missing? The same error is returned when using the Try it! app in the Google Classroom documentation site.
When modifying assignments/courseWork or student submissions, only the Developer console project that created those objects can modify them. This means that only projects that created the corresponding course work can modify them, otherwise a 403 PERMISSION_DENIED error is returned. You can easily determine if the course work item is associated with the Developer Console project making the request by checking the associatedWithDeveloper property on the Google Classroom course work response.
It took me a while to figure this out myself, but the best way to go in my opinion is to first create the coursework (i.e. assignment or question) itself with Google Script or using the Classroom API. The coursework is then associated with the correct console project and you are cleared to manage the submissions from thereon.
All Classroom API methods may return a PERMISSION_DENIED (HTTP 403) error if an end user does not meet prerequisites for access. The message accompanying the error contains an error message to help you identify the cause and direct users to take the appropriate action.
ProjectPermissionDenied indicates that the request attempted to modify a resource associated with a different Developer Console project.
Possible Action: Indicate that your application cannot make the desired request. It can only be made by the Developer Console project of the OAuth client ID that created the resource.
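
A triage helper for the Google API error bodies quoted in the threads above (the Calendar scope 403, the Gmail watch 400, the Workspace migration 403 and the Classroom 403), added here as an example and not taken from any of the posts. The name `triage` and the `CAUSES` wording are assumptions of this example; the causes are the ones the answers give, and the sample bodies are abridged from the quoted errors.

```python
import re

# Causes as given in the answers on this page, keyed by the signal that identifies them.
CAUSES = {
    "insufficientPermissions": "access token lacks a scope the method accepts",
    "accessNotConfigured": "API not enabled, or disabled, in the calling project",
    "failedPrecondition": "service account used with a standard Gmail account",
    "ProjectPermissionDenied": "resource created by a different Developer Console project",
}

def triage(err):
    """Pull status, signals, known causes and calling project out of an error body."""
    err = err.get("error", err)  # client libraries often print only the inner object
    signals = [e["reason"] for e in err.get("errors", []) if e.get("reason")]
    # Classroom reports only "forbidden"; the real cause is a "#Tag" opening the message.
    tag = re.match(r"#(\w+)", err.get("message", ""))
    if tag:
        signals.append(tag.group(1))
    project = None
    for detail in err.get("details", []):
        # Google's JSON uses "@type"; the copy quoted on this page shows "#type".
        kind = detail.get("@type") or detail.get("#type") or ""
        if kind.endswith("google.rpc.ErrorInfo"):
            signals.append(detail.get("reason", ""))
            project = detail.get("metadata", {}).get("consumer")
    return {
        "code": err.get("code"),
        "status": err.get("status"),
        "signals": signals,
        "causes": [CAUSES[s] for s in signals if s in CAUSES],
        "project": project,
    }

# Sample bodies, abridged from the errors quoted on this page.
SCOPE_403 = {"error": {"code": 403, "status": "PERMISSION_DENIED",
    "message": "Request had insufficient authentication scopes.",
    "errors": [{"domain": "global", "reason": "insufficientPermissions"}]}}
GMAIL_400 = {"code": 400, "status": "FAILED_PRECONDITION",
    "message": "Precondition check failed.",
    "errors": [{"domain": "global", "reason": "failedPrecondition"}]}
CLASSROOM_403 = {"code": 403, "status": "PERMISSION_DENIED",
    "message": "#ProjectPermissionDenied The Developer Console project is not permitted to make this request.",
    "errors": [{"domain": "global", "reason": "forbidden"}]}
DISABLED_403 = {"error": {"code": 403, "status": "PERMISSION_DENIED",
    "message": "Google Calendar API has not been used in project 206754733531 before or it is disabled.",
    "errors": [{"domain": "usageLimits", "reason": "accessNotConfigured"}],
    "details": [{"#type": "type.googleapis.com/google.rpc.ErrorInfo", "reason": "SERVICE_DISABLED",
                 "metadata": {"consumer": "projects/206754733531", "service": "calendar-json.googleapis.com"}}]}}
```

Three of the four bodies carry the same `PERMISSION_DENIED` status, so the `reason`, the message tag and the `ErrorInfo` detail are what separate a scope problem from a project problem.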
