I am making a smart home app using Actions On Google. I currently have a Firebase cloud function that calls the HomeGraph API with a Request Sync request.
Here's the contents of the function:
const {smarthome} = require('actions-on-google');
const app = smarthome({
key: "(My Key)"
});
//Assume UID is the id of the user that we are requesting a sync for
app.requestSync(uid).then((res) => {
return;
}, (e) => {
console.error(e);
});
In the logs for this function, I am getting the error:
{ "error": { "code": 403, "message": "The caller does not have permission", "status": "PERMISSION_DENIED" } }
This error seems like a standard Google API permission denied error response, but when would it happen in a Request Sync HomeGraph API call?
I was having this problem for quite a long time, and I decided to post the question and answer here so others don't have to spend wasted time troubleshooting.
There are two potential causes for this error to occur.
The most logical cause: make sure you provide a valid API key in the data passed in to the smarthome constructor. The example in the question is correct (of course, replace (my key) with the key you made in the console.
This was the cause of the error that I ran in to: make sure the uid you pass in to requestSync() is a valid user ID. There was a flaw in my SYNC code, therefore the user did not get created. I struggled so much on diagnosing this problem because the error message does not make sense.
Hope this helps to anyone with this problem.
Related
I am trying to fetch data from Google Sheets via the Azure Data Factory. I have a data flow configured, and a Google Sheets Linked Service configured as well. The Google Sheets Linked Service is using an API key that has no Application Restrictions, and for API restrictions, it is restricted to Google Sheets. When I test the connection, it is successful. However, when I try to fetch a spreadsheet using the data flow in debug mode, I get the error:
at Source 'GoogleSheetsOutput': Failure to read most recent page request: DF-REST_001 - Error response from server: Some({
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}), Status code: 403. Please check your request url and body. (url:https://sheets.googleapis.com/v4/spreadsheets/<my_spreadsheet_id>/values/Sheet1!A2:B3,request body: None, request method: GET)
I made a service account, and shared the google sheet with the service account e-mail, and I also shared it with the admin on the account, which is where the API Key was made.
Any ideas what I need to do here? I would also prefer to use oauth / service account instead if possible, so I am happy to go down that route if there is some documentation I can follow.
"error": { "code": 403, "message": "The caller does not have permission", "status": "PERMISSION_DENIED" }
I tried to repro this and got the same error.
To solve this, I changed access of my google sheets from restricted to Anyone with the link
It worked and data is previewed without error.
I'm not getting a token back from my epic app.
I'm calling my app (PFI_app, non-prod. client id: [my_client_id]) from a browser script:
FHIR.oauth2.authorize({
'client_id':[my_client_id],
'scope':'openid, fhirUser,PATIENT.READ, PATIENT.SEARCH, OBSERVATION.READ, OBSERVATION.SEARCH',
'redirect_uri':[my_redirect_uri],
'state':'abc123',
'aud':'https://fhir.epic.com/interconnect-fhir-oauth/api/fhir/r4'
});
I get prompted to login at signin.epic.com and i use the credentials FHIR (username) and EpicFhir11!(password), which i got from this page: https://fhir.epic.com/Documentation?docId=testpatients.
at my redirect url page i use the following to get the access token:
FHIR.oauth2.ready()
.then(function(client){
myapp.smart = client
console.log(client);
})
BUT, i keep getting the following error message:
Failed to load resource: the server responded with a status of 400 (Bad Request)
app.html:39 https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token
i get another message saying: URL: https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token
unauthorized_client
this leads me to believe that i logged in with an improper user who isn't authorized.
ultimately, i don't get a token. any idea why? is it because I'm using improper login credentials and therfore that user doesn't have access to get a token.
also, I'm using fhir-client.js not, fhir-client-v2.js, is that a problem?
UPDATE:
so I just waited and token issue resolved itself. perhaps there was a time period I had to wait after changing my epic fhir app information at fhir.epic.com. I changed the "Application Audience" from patients to "clinicians and administrative users." I had been logging in to epic when prompted as an admin for many hours before I wrote this post, but I can't think of anything that I changed to my code. I just waited.
now my last remaining problem is that when I try and search for patients from the sandbox with this code:
var obs = await fetch(myapp.smart["state"]["serverUrl"]+"/Patient?address=123%20Main%20St.&address-city=Madison&address-postalcode=53703&address-state=Wisconsin&family=Mychart&gender=Female&given=Allison&telecom=608-123-4567",{
headers:{
"Accept":"application/json+fhir",
"Authorization":"Bearer"+myapp.smart["state"]["tokenResponse"]["access_token"]
}
}).then(function(data){
return data;
});
var response = await obs.json();
console.log( response );
I get another "unauthorized message":
Failed to load resource: the server responded with a status of 401 (Unauthorized) https://fhir.epic.com/interconnect-fhir-oauth/api/FHIR/R4/Patient?address=123%20Main%20St.&address-city=Madison&address-postalcode=53703&address-state=Wisconsin&family=Mychart&gender=Female&given=Allison&telecom=608-123-4567
this is where I got the syntax for structuring this call to the Patient.search resource:
https://fhir.epic.com/Sandbox?api=932
any ideas why I'm unauthorized to make this call? again, I'm logged in using the provider-facing app user credentials listed here: https://fhir.epic.com/Documentation?docId=testpatients (username: FHIR)
UPDATE:
so I changed the FHIR.oauth2.ready call to include the request and it worked. I'm not sure why I couldn't include the provided token as a Bearer token in fetch but the following worked:
var req = "/Patient?address=123%20Main%20St.&address-city=Madison&address-postalcode=53703&address-state=Wisconsin&family=Mychart&gender=Female&given=Allison&telecom=608-123-4567"
FHIR.oauth2.ready( client => client.request(req) ).then(function(output){
console.log(output); /* should include search results for the patient */
});
thanks for any help
To summarize, I changed the FHIR.oauth2.ready call to include the request and it worked.:
var req = "/Patient?address=123%20Main%20St.&address-city=Madison&address-postalcode=53703&address-state=Wisconsin&family=Mychart&gender=Female&given=Allison&telecom=608-123-4567"
FHIR.oauth2.ready( client => client.request(req) ).then(function(output){
console.log(output); /* should include search results for the patient */
});
In addition, I had to wait a period of time, possibly due to the fact that I made some changes in my epic fhir app.
I'm receiving a name_taken error when creating a slack channel via the API using the conversations.create endpoint. My code was working fine up until a couple days ago, but now I get that error no matter what slack workspace I am in, even a brand new one that has no channels other than default ones. The Slack API docs say that the error means "A channel cannot be created with the given name," so it likely isn't because there is already a channel with that name, but I have no idea what else would cause this issue. I also tried testing it in Postman, and I get the same error.
However, if I make the channel name I want to create gibberish, it works. This leads me to believe that it has more to do with my slack configuration than my API request, but I am at a loss as to how. I would really appreciate any help someone could provide. Below is the code that makes the API call, as well as the response I get. Thanks in advance.
Request:
const channelName = 'moxified'
const createdChannel = JSON.parse(await request.post(`https://slack.com/api/conversations.create`, {
headers: {'Content-Type': 'application/x-www-form-urlencoded'},
body: `token=${slackTokenResponse.authed_user.access_token}&name=${channelName}`, //name may change
}));
Response:
{ok: false, error: 'name_taken'}
After reaching out to a Slack developer, they explained that the interference was coming from the fact that my bot's name was also 'moxified'. To quote them, "Channel namespaces can be taken up by user groups as well as a name of a bot." I still don't get why it was working for so long without issue, but I hope this helps someone else one day :)
I'm trying to explore the Google Identity Toolkit API using the Google API Explorer. The API hints that "No auth required", however when I try to execute a request there is an error message:
This method requires you to be authenticated. You may need to activate the toggle above to authorize your request using OAuth 2.0.
If I try to use the OAuth 2.0 toggle and Authorise the API I get a 400 error:
Error: invalid_request
Missing required parameter: scope
But Google Identity Toolkit API does not declare any scopes.
Please can someone help?
UPDATE:
Further errors I get when using the API Explorer: When trying to execute the getAccountInfo request, I pass a request body with the localId field populated. The response I get is:
400 OK
- Show headers -
{
"error": {
"errors": [
{
"domain": "global",
"reason": "invalid",
"message": "INVALID_SERVICE_ACCOUNT"
}
],
"code": 400,
"message": "INVALID_SERVICE_ACCOUNT"
}
}
Here is the list of Google API scopes:
https://developers.google.com/identity/protocols/googlescopes#oauth2v2
This completely omits Identity Kit.
Tying in a random string into the scopes box produces an error:
I have guessed up that the scope should be https://www.googleapis.com/auth/identitytoolkit by looking at the pattern.
And this scope does not cause an error. So this means it is a valid scope, even though it is undocumented.
That said, I used an API request of:
POST https://www.googleapis.com/identitytoolkit/v3/relyingparty/downloadAccount?fields=kind%2CnextPageToken%2Cusers&key={YOUR_API_KEY}
{
"maxResults": 999
}
And it produced:
200 OK
{
"kind": "identitytoolkit#DownloadAccountResponse"
}
So I will say that I have successfully executed this query while using an undocumented feature. However, it appears that the result from the server is incorrect.
This should answer your question, although the result is simply shining light on a broken server implementation.
I have not reported the bugs / undocumented feature in this answer and would appreciate assistance in that effort.
You may find how to use Google Identity Toolkit from the official site. If you really want to manually try Google Identity Toolkit API, you need to enable the API in your Google Developers Console project, create an ApiKey in the project, and call the API using a command tool like curl. The request syntax should follow the one shown in the Google API Explorer.
The google verification api is giving me a 503 error "An unexpected error occurred. Please try your request again." whenever I try to verify a domain using the TAG_MANAGER method.
This occurs when I try to use the API via the PHP client library and also when I use Google's API explorer. However, if I log in to Google Webmaster Tools and add the site, using Tag Manager as the verification method, I am able to successfully verify myself.
I've attached debugging information from the API explorer below, but it's very light on detail. My support request in the webmaster central forum has been met with deafening silence, but I'm not sure where else to ask.
Request
POST https://www.googleapis.com/siteVerification/v1/webResource?verificationMethod=TAG_MANAGER&key={YOUR_API_KEY}
Content-Type: application/json
Authorization: Bearer ya29.iAC-QBa-7nzvS2lpFFmfcej2Y0suhiWHgS8SivKN9jpYWffljsRV7rbL
X-JavaScript-User-Agent: Google APIs Explorer
{
"site": {
"identifier": "http://unit1-28leanyerdriveleanyer.com",
"type": "SITE"
},
"owners": [
"loboyle#raywhite.com"
]
}
Response
503 Service Unavailable
- Show headers -
{
"error": {
"errors": [
{
"domain": "global",
"reason": "backendError",
"message": "An unexpected error occurred. Please try your request again."
}
],
"code": 503,
"message": "An unexpected error occurred. Please try your request again."
}
}
https://www.googleapis.com/siteVerification/v1/webResource?verificationMethod=TAG_MANAGER&key={YOUR_API_KEY}
may need to be
https://www.googleapis.com/siteverification/v1/webResource?verificationMethod=TAG_MANAGER&key={YOUR_API_KEY}
also, a few additional notes
For Google to use your Google Tag Manager container snippet code for Webmaster Tools verification, the code must be placed immediately after the opening tag of your page.
The method you provided is used for verifying a site or domain, be sure you intend to verify a site, because this is what your request currently contains.
This method requires you to be authenticated (OAuth 2.0)
http://code.google.com/apis/accounts/docs/OAuth2.html
Ensure you have visited the following link
http://www.google.com/tagmanager/features.html
I finally stumbled across the fix for this today. The problem was that the service account running the requests needs to have "View and Manage" permissions on the applicable Tag Manager account, not just on the container that is actually being used. Only view access is required to the actual container.
While this isn't exactly desirable (we have 20+ containers for different sites/applications within the one account), it does resolve the problem and allow the Tag Manager site verification to work as intended.
I'm not sure whether the documentation has been changed since I originally had this problem or whether I just missed it. The required permissions are unexpected and the response code is misleading (a 403 would make more sense).
Check if you've enabled "Maintenance Mode" on your domain you're trying to verify using Google. Disable it and you're done.