I am trying to get the list of groups (distribution lists) for a specific user. It is getting failed.
Request is
`GET /admin/directory/v1/groups HTTP/1.1
Host: www.googleapis.com
Content-length: 0
Authorization: Bearer ya29.Il-9B-9Z88RKqK73dr-NyeeJnCz0PqlPrMgxlr0JO6gc2q2jcROxsu7y6EaTHAlRkJatv5l3kd_PIPHrB7wXeMvfe0YTXupzupJ8-PUyrRcCIBE_qpPP8V7NoM0JJp`
But the I am getting the error response shown below.
{
"error": {
"code": 400,
"message": "Bad Request",
"errors": [
{
"domain": "global",
"message": "Bad Request",
"reason": "badRequest"
}
]
}
}
Not only when getting groups but every API call from googleapis.com is behaving like this.
I had the same error/confusion about usage of some of the google apis.
I'm assuming you're using a service account with domain-wide delegation access rights?
Assuming yes, the issue is that in addition to the service account credentials, you need to set a user that the google credentials will impersonate when making the request. That is, the domain wide delegation only allows you to act as though you are one of the actual users, on my understanding.
I couldn't see any way to set this via google base api, other than using the builder directly. Here is a sample:
static GoogleCredential createCredential(HttpTransport transport, JsonFactory jsonFactory) throws Exception {
final String credentialJsonPath = System.getProperty("user.home") + "/.config/gcloud/service-cred-from-console.json";
try (InputStream credentialStream = new FileInputStream(credentialJsonPath)) {
final GoogleCredential firstPassCred = GoogleCredential.fromStream(credentialStream, transport, jsonFactory);
return new GoogleCredential.Builder()
.setTransport(transport)
.setJsonFactory(jsonFactory)
.setServiceAccountId(firstPassCred.getServiceAccountId())
.setServiceAccountProjectId(firstPassCred.getServiceAccountProjectId())
.setServiceAccountPrivateKey(firstPassCred.getServiceAccountPrivateKey())
.setServiceAccountPrivateKeyId(firstPassCred.getServiceAccountPrivateKeyId())
// service accounts must act on behalf of an actual user and have scope
.setServiceAccountScopes(Lists.newArrayList(GmailScopes.GMAIL_COMPOSE, GmailScopes.GMAIL_SETTINGS_SHARING))
.setServiceAccountUser("a.real.gsuite.account#example.com")
.build();
}
}
The important parts are defining the ServiceAccountUser (who you impersonate) and the ServiceAccountScope(s) you are assuming for that user.
I posted an example gmail api gist. You could run this through a local proxy like charles (et al) if you want the equiv. REST call sequence.
Related
I am trying to get the full list of my own channel's subscribers, but this does not work.
https://www.googleapis.com/youtube/v3/subscriptions?part=snippet&mine=true&key=[API_KEY]
I am following the official documentation https://developers.google.com/youtube/v3/docs/subscriptions/list
But get this error
{
"error": {
"code": 401,
"message": "The request uses the \u003ccode\u003emine\u003c/code\u003e parameter but is not properly authorized.",
"errors": [
{
"message": "The request uses the \u003ccode\u003emine\u003c/code\u003e parameter but is not properly authorized.",
"domain": "youtube.parameter",
"reason": "authorizationRequired",
"location": "mine",
"locationType": "parameter"
}
]
}
}
Currently you are only using an api key which will only give you access to public data, using mine is private user data and will require authorization.
This can be seen in the documentation page for
Subscriptions: list States
This means that you must be authorized using Oauth2 to access the subscriptions for this channel. You will then have an access token that you can send as an authorization header bearer token.
GET https://youtube.googleapis.com/youtube/v3/subscriptions?part=snippet&mine=true&key=[YOUR_API_KEY] HTTP/1.1
Authorization: Bearer [YOUR_ACCESS_TOKEN]
Accept: application/json
I am trying to programatically access a calendar I own using the Google Calendar API list:
r = requests.get(
url="https://www.googleapis.com/calendar/v3/calendars/<the ID of my calendar which looks like mydomain_randomstuff#group.calendar.google.com>/events",
params={
'key': <the key from the API console>,
'singleEvents': True,
'orderBy': 'startTime'
}
This call fails with a 404:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "notFound",
"message": "Not Found"
}
],
"code": 404,
"message": "Not Found"
}
}
What does that error actually mean, in the context of this API?
Note:
the calendar does exist and it has events
the API limits are not even close to be reached
{
"error": {
"errors": [
{
"domain": "global",
"reason": "notFound",
"message": "Not Found"
}
],
"code": 404,
"message": "Not Found"
}
}
Can mean one of two things. Either the calendar Id you have typed is in correct or the user who you are authenticated with does not have access to that calendar. Make sure you are logging in with the correct user with access to that calendar. Optionally you can do a calendar.list which will return a list of the calendars that the user currently has access to. That way you wont have to worry about possibly miss typing the calendar id.
authorization
The method you are using events.list requires authorization (permission from the user) in order to access their calendar. Which can be seen in the documentation page
You need to authncate your user using Oauth2 and one of the scopes above. You will then have an access token you can use to access this calendar.
apikey
Api keys are used for accessing public data. Unless your calendar is set to public you will not be able to use it to see events. Also remember that api keys do not have access to update public calendars you still need to be authenticated to make changes to them.
Service account
If this is a server to server application you should use a service account not an API key. All you need to do is add the service account as a user on the google calendar like you would any other user. It will then have access to your calendar.
I'm using the API Explorer tool to create some request urls for google adsense. Here is the request url that the explorer tool generated that gives a response of today's earnings: https://www.googleapis.com/adsense/v1.4/reports?startDate=today&endDate=today&accountId=MY_ACCOUNT_ID&metric=EARNINGS&key=MY_API_KEY
However, when I try to use this url in the browser or in my code it gives this response:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
}
}
I am not sure what I am missing it use this url. I have activated adsense apis on my google developer console.
The key parameter is the public API key for accessing public data.
The access_token parameter is used for accessing private user data.
In your case you are trying to access your private account and should be using an access token.
To obtain an access token you need to authentication your application using either Oauth2 or a service account. Once you have obtained an access token and send that with your request as so:
https://www.googleapis.com/adsense/v1.4/reports?startDate=today&endDate=today&accountId=MY_ACCOUNT_ID&metric=EARNINGS&access_token=YourAccessToken
You need to replace MY_API_KEY with your API key, and MY_ACCOUNT_ID in same fashion.
I am trying to use the transfers:insert method of the Google Admin SDK Data Transfer API. I am performing this API call as the super admin account of my domain. I have verified that API access is enabled for our domain, and that the Super Admin admin role has permission to use the Data Transfer API.
I am testing this in the APIs Explorer on this page.
55656082996 is the ID string that I got for Google Drive from the applications:list APIs Explorer.
Request:
POST https://www.googleapis.com/admin/datatransfer/v1/transfers?key={YOUR_API_KEY}
{
"oldOwnerUserId": "olduser#ourdomain.com",
"newOwnerUserId": "newuser#ourdomain.com",
"applicationDataTransfers": [
{
"applicationId": "55656082996"
}
]
}
Response:
400 OK
- SHOW HEADERS -
{
"error": {
"errors": [
{
"domain": "global",
"reason": "invalid",
"message": "Invalid value for: Invalid oldOwnerUserId."
}
],
"code": 400,
"message": "Invalid value for: Invalid oldOwnerUserId."
}
}
I get the same "Invalid value for: Invalid oldOwnerUserId." response no matter if I use email addresses or usernames. I also tried excluding the applicationDataTransfers array from the response, but that also didn't work.
The documentation does not say this, but the Id cannot be the user's email address, like in all of the other Google APIs, but rather it needs to be a numeric ID for the user that you can get using the Users:get Directory API method.
I figured this out by Google searching and coming across this documentation, where they elaborate upon oldOwnerUserId by saying "# ID"
In addition to the answer above.
Here is how you can get the employee' IDs from Gsuite API in Python 3.*
def create_directory_service():
credentials = cls.get_credentials(scopes=['https://www.googleapis.com/auth/admin.directory.user'])
return build('admin', 'directory_v1', credentials=credentials, cache_discovery=Fals
service = create_directory_service()
old_owner_google_id = service.users().get(userKey=old_owner).execute()['id']
new_owner_google_id = service.users().get(userKey=new_owner).execute()['id']
Having implemented oauth2.0 and done a handshake using the scopes:
"https://www.googleapis.com/auth/userinfo.email ",
"https://www.googleapis.com/auth/userinfo.profile",
"https://www.googleapis.com/auth/admin.directory.user ",
"https://www.googleapis.com/auth/admin.directory.group ",
"https://www.googleapis.com/auth/admin.directory.orgunit ",
I get back a token
the request
$ curl -X GET https://www.googleapis.com/oauth2/v1/userinfo?access_token=<Token>
{
"id": "{id}",
"email": "{email}",
"verified_email": true,
"name": "{name}",
...
}
as it should.
however a requst to the admin.directory.user namespace does not succeed:
$ curl -X GET https://www.googleapis.com/admin/directory/v1/users?access_token=<Token>
{
"error": {
"errors": [
{
"domain": "global",
"reason": "badRequest",
"message": "Bad Request"
}
],
"code": 400,
"message": "Bad Request"
}
}
Any good ideas to why this is?
The request to admin.directory.users is constructed from https://developers.google.com/admin-sdk/directory/v1/reference/#Users
I had the same problem retrieving all users through https://www.googleapis.com/auth/admin.directory.user endpoint. According to the documentation, you could do that in a specific domain by passing the domain as a parameter or get all existing users by passing the customer=my_customer parameter as follows:
Retrieve all users in a domain doc: https://www.googleapis.com/auth/admin.directory.user?domain=example.com
or
Retrieve all account users doc: https://www.googleapis.com/auth/admin.directory.user?customer=my_customer
In google playground oauth2 also you can test the above stuff by selecting Admin SDK API directory_v1 and auth/admin.directory.user.readonly to authorize the respective scope, then call the above requests.
Note that, you may need to get access to google playground within your google admin dashboard under the security apps section.
You need to specify either the domain (to get fields from only one domain) or the customer (to return all domains for a customer account).
I filed a bug to make more clear that is required to provide one of the two parameters.
At the very least, you need to include the Content-Type header:
curl -X GET -H "Content-Type: application/json" https://www.googleapis.com/admin/directory/v1/users?customer=my_customer&access_token=<Token>
For a full script that implements this API with CURL and BASH see this answer.
Note that the documentation is currently incorrect because it lists customer as an optional parameter when it is in fact required.