I have GSuite Service Account and My app uses following scopes (these are working fine) :
https://www.googleapis.com/auth/admin.directory.customer.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/auth/drive.metadata.readonly,https://www.googleapis.com/auth/drive.photos.readonly
Now I Have to access gsuite groups, As mentioned here in api documentation : https://developers.google.com/admin-sdk/directory/v1/reference/groups/list
I Added these two scopes :
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.group
in my already existing scopes, and I'm unable to authorise my application now.
When I try to check this via api explorer in the above link, It throws an error : 400 - Bad Request. But the strangest thing happen, it returned 200 ONCE only while trying and returned the group I created, But I'm unable to make successful call again and keeps getting error.
Is there anything I'm missing here? Any help will be really appreciated.
Thanks.
NOTE: I can access gsuite users with above scopes as well, the issue is only with the groups.
As is mentioned on the documentation, 400 error is not related to the scopes that you are using. However the explorer API information is not correct as the "Customer" field is required, You can try it typing my_customer on that field and you should get a 200 if your user has the proper permissions.
I have submitted a request to update the current documentation.
Related
I got this error when I create new client secret in new project.
That’s an error.
Error: restricted_client
Unregistered scope(s) in the request: https://www.googleapis.com/auth/youtube.readonly
Request Details
access_type=offline
response_type=code
client_id=487794563386-mujtj6b5iatnmvdailldn468gg028p8g.apps.googleusercontent.com
redirect_uri=http://localhost:61515/authorize/
scope=https://www.googleapis.com/auth/youtube.readonly
That’s all we know.
How could I fix that ?
403 errors are errors with the users access. The user you are currently authenticated with does not have permission to do what you are trying to do in your case it appears to have something to do with the following scope.
https://www.googleapis.com/auth/youtube.readonly
Its hard to know what you are doing without seeing your code. I suggest you attempted to authenticate your user again. IF you changed the secret then its not going to work with a refresh token generated by another secret.
I am going to contact Google to be sure that there hasnt been any changes recently. I cant see anything in the change logs myself. There may have been a stealth change that they didnt release.
Status
This happens in the API Explorer and using the .NET client API. In the API Explorer, I was trying to use the query param, but eventually I just removed it and now send the request with no params, and it still turns around 400 even though I am authenticating successfully with OAuth2 in browser.
Why is this endpoint broken?
https://developers.google.com/admin-sdk/directory/v1/reference/users/list
The problem was the customer field was not filled in. It must contain a valid customer id. Once I populated that, it worked.
Really wish Google would work on providing better error feedback and improve their docs. This field (as of today) is still listed as optional.
As the documentation says:
either the customer or the domain parameter must be provided
I tried to specify domain name and it worked.
We have a web application with Google calendar API using OAuth 2.0 client IDs.
The problem is that it works well with the Test app:
http://test.our-domain.com
BUT it doesn't work in the production that has SSL.:
https://app.ourdomain.com
Both are on the same server and on the same domain,
Both are authorized in the Credentials page as
http://test.our-domain.com/callback
and
https://app.ourdomain.com/callback
When the user sign in it looks like the process is OK but the Token does not being saved.
Here is the error we have on the production log - Please help...
2017-11-23 22:49:56,656 [ 33] ERROR DotNetOpenAuth.Http
- WebException from https://accounts.google.com/o/oauth2/token: { "error" : "redirect_uri_mismatch" }
2017-11-23 22:49:56,656 [ 33] ERROR
Client.Management.UserCalendarEntryController
- Failed to get google authenticator for XXXXXXXXXXXXXXXXXX
Blockquote
As referred with this thread, the redirect URI (where the response is returned to) has to be registered in the APIs console, and the error is indicating that you haven't done that, or haven't done it correctly.
Go to the console for your project and look under API Access. You should see your client ID & secret there, along with a list of redirect URIs. If the URI you want isn't listed, click edit settings and add the URI to the list.
Also, be noted that updating the google api console can take some time. Generally only a few minutes but sometimes it seems longer.
(I found your post on xplace, I don't have an account there) - I can help you debug the issue if you'd like. feel free to leave your email and I'll reach out.
I wrote a PHP application which tries to create an User in my Google Directory. I don't use the Google Libraries. I succeded making requests to the Android Enterprise API. I can enroll and unenroll Enterprise Service Accounts with my MSA. So I assume my Code for the JWT and Requests work.
I created a Service Account and enabled "Domain Wide Delegation" and added the following permission "https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group" to my API Client under the "Manage API client access" windows.
My Service Account has the status role "Editor" in the "Permissions for project" windows.
So first my script gets the Bearer token from the Google Server, for that I create a JWT and encrypt it with my private key.
The Token contains the following fields
"iss" => sacname#projectname.iam.gserviceaccount.com
"scope" => "https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group"
"aud" => "https://www.googleapis.com/oauth2/v4/token",
"exp" => timestamp+3000,
"iat" => timestamp
When I do that request I get a bearer token, but when I use that token to make the insert request I always get the message "Not Authorized to access this resource/api" with an HTTP 403.
When I add the field "sub" to my JWT and specify the email of the Project admin "admin#mydomain.com" I can't even get the bearer token, then I get a 401 error with the following message "Unauthorized client or scope in request."
After that I tried something "easy", I just wanted to get a list of all users in my directory. But the Google Server just reponds with an "bad request" error. I got the same error with the API Explorer which is on API Page. Maybe the API is broken ? At least the API Explorer should work.
https://developers.google.com/admin-sdk/directory/v1/reference/users/list
Do you have some ideas why I can't create users with my service account ?
(I had to insert some spaces in the scopes and urls because I'm not allowed to post more than two links)
Greetings
Philip
Adding the sub claim is the right thing to do, because you must impersonate a super admin to use Directory API. If you get a "Unauthorized client or scope in request" response, that might be because there's a typo in the service account client ID you used to authorize (or the scopes), or that not enough time has passed (it usually propagates within a few minutes, but could take up to 24 hours).
See JWT error codes for more details on possible errors and causes.
Do you have some ideas why I can't create users with my service account?
Yes. Your service account seems to have no authority to create users. Check your Service Account's role in GDC to check if it's Owner, Editor, Viewer,etc. The scope of what they can do depends on that. Watch this Google video for a live demo.
Also, try to read more on Using OAuth 2.0 for Server to Server Applications.
I was able to successfully log in using Google Classroom and pull the course data during the trial. This was on my local machine. Now I have moved to my test server. I can still log in via google but can no longer pull the course data. I have already updated my client_secret file (updated the appropriate endpoints) but i get the following error after calling classroom.courses.list
Error: No access or refresh token is set.
Would appreciate anyone's help. I do have Google Classroom API as one of my APIs. Not sure if it's because i'm now on a domain instead of my localhost.
Sadly, I was doing a 2 part registration. The first past, I was setting the token. When the page was submitted again with new details from the user, when I was making the call to google, I hadn't set the token.