We have an application hosted in GCP which uses GSuite APIs to sync users from GSuite to our application and visa-versa using Service Account. It used to work well until recently some of our customers started facing issues.
We started getting
401 unauthorized. "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
There as been no change in our application and neither in the list of permissions granted. Following are the list of api access granted :-
https://apps-apis.google.com/a/feeds/domain,
https://www.googleapis.com/auth/activity,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.orgunit,
https://www.googleapis.com/auth/admin.directory.user,**
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.appdata,
https://www.googleapis.com/auth/drive.file,
https://www.googleapis.com/auth/drive.metadata,
https://www.googleapis.com/auth/drive.metadata.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement,
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromeos,
https://www.googleapis.com/auth/drive.apps.readonly,
https://www.googleapis.com/auth/drive.photos.readonly,
https://www.googleapis.com/auth/drive.scripts
The affected GSuite domains were working perfectly until yesterday. Also there are some domains which still work without any problem.
Can somebody please suggest what could the problem be. Is there any change in the APIs recently? Any help will be much appreciated.
"Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
There are several ways to authenticate to Google.
web based applications
native applications
mobile applications
and service accounts
The clients you create for these types is different as is the code to use them. The message you are seeing above means that the code you are using does not match the type of client you have created.
Make sure your code is designed for use with service accounts and make sure that the credentials file you have downloaded from google developer console is in fact credentials for a service accounts.
Why it worked previously and suddenly stopped i cant tell you this is an error you will always get if your code does not match your credential type.
The last option would be to double check that all of those apis are enabled in the Google developer console for your service account project.
Related
I have a Google Cloud App Engine app that functions correctly when either I allow unauthenticated AllUsers access or turn on IAM for controlling access in Identity Aware Proxy. However when I follow the instructions on this page https://cloud.google.com/iap/docs/cloud-run-sign-in to enable Cloud Run Hosted sign-in with external identities and attempt to access either the login page or the Google Cloud Run hosted sign-in page, I receive the following error in the browser.
"Could not fetch URI /computeMetadata/v1/instance/service-accounts/default/token?scopes=https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/identitytoolkit"
For context, the Google Cloud Run service hosting the user sign-in is set to allow all Unauthenticated. It should re-direct to the Google App Engine web app. I think this is related to permissions or redirects, but I am at a loss as to how to fix. Any thoughts? Thanks!
I attempted to fix by re-deploying the Cloud Run Service, switching IAP on and off, switching between IAM and external identities, but to no success.
Thanks #John Hanley, I discovered that one my compute engine service account was disabled for some reason within the project. Re-enabling solved the problem partially. I'll spend more time matrix out the permissions and re-directs to make sure they are aligned.
I originally thought I completely answered my own question and solved my problem. Unfortunately, I only solved one of the problems with my implementation of the external identities authentication method.
Description of the other problem:
I enabled email/password and Google as providers, but when I click on the the option to authenticate with Google, I receive the following text in the browser: "The requested action is invalid."
At the Console in Dev Tools I get the following error:
GET https://www.googleapis.com/identitytoolkit/v3/relyingparty/getProjectConfig?key=*mykey*&cb=1599165379363 403
The following url is displayed in the URL bar:
https://.firebaseapp.com/__/auth/handler?apiKey=mykey&appName=%5BDEFAULT%5D-firebaseui-temp&authType=signInViaRedirect&providerId=google.com&customParameters=%7B%22hl%22%3A%22en%22%7D&scopes=profile&redirectUrl=https%3A%2F%2Fiap-gcip-hosted-ui-app-engine-app-myserver-uc.a.run.app%2F%3FapiKey%3Dmykey**&v=7.16.0&fw=FirebaseUI-web
mykey and myserver were removed for this post and is not the actual values.
Email/password sign-in works, but not the Google sign-in. What am I missing here?
I received this error when trying to authorize my app with my own account:
Your project is trying to access scopes that need to go through the verification process.
{invalid=https://www.googleapis.com/auth/contacts}
If you need to use one of these scopes, submit a verification request. Learn More
When I use a different account, the error message is different:
This app hasn’t been verified to access:
{invalid=https://www.googleapis.com/auth/contacts}
Are you the developer? If this project needs these scopes, sign in to an account with access to edit your project and try again.
If not, contact the developer for help.
As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
UPDATE: Corrected broken link to form.
Since approx 5:30 UTC we are receiving only this response for this api call
https://www.googleapis.com/appsmarket/v2/customerLicense/{appId}/{customer}
{"error":{"errors":[{"domain":"global","reason":"forbidden","message":"Not authorized to access the application ID"}],"code":403,"message":"Not authorized to access the application ID"}}
but there has not been any previous development or changes on our side and this affects all of our marketplace applications.
Any ideas what is going on and how to fix/workaround this issue?
This issue should now be fixed by Google.
If you are still experiencing 403 Forbidden on marketplace API calls make sure you are following these guidelines
Access to these APIs is restricted: only project members of the
Developer Console project associated with your application may use the
API. Specifically, these project members must be in Can Edit or Is
Owner roles. You may also access UserLicense and CustomerLicense as
the logged in user to your app. Refer to
https://cloud.google.com/compute/docs/access/add-remove-change-permissions-for-team-members to learn how to
add members to your project.
For example by doing the API requests using a service account in the Google Cloud Platform Project for you application without using any impersonation/delegation.
I'm using the Google's PHP API Client, release 1.1.6.
We have a company Google account which controls our many Google Analytics account as well as our Google Developer apps.
I'm working on an app accessing our Google Analytics, using a Service Account set-up. I'm using the same code provided here:
https://developers.google.com/api-client-library/php/auth/service-accounts#delegatingauthority
$credentials = new Google_Auth_AssertionCredentials(
$client_email,
$scopes,
$private_key,
'notasecret',
'http://oauth.net/grant_type/jwt/1.0/bearer',
$user_to_impersonate,
);
In this case $client_email is the App Service Account client (random-chars#developer.gserviceaccount.com) and $user_to_impersonate is our company's Google Account.
As of a couple days ago this was all working correctly, and I could access all our Google Analytics accounts through the API after the above authentication. As of yesterday, I'm getting this error:
Error refreshing the OAuth2 token, message: '{
"error" : "unauthorized_client",
"error_description" : "Unauthorized client or scope in request."
}'
With the $user_to_impersonate parameter removed the authenticated works without error. However, I've been using the $user_to_impersonate as we have several hundred GA accounts and the Service Account client is not a permitted user on them (and would have a limit of 200 accounts anyway).
I couldn't find any recent updates to the way Google Dev's authentication works, but maybe I'm missing something.
Any ideas?
UPDATE: Apparently this was a temporary error with Google's overall API, and is now fixed:
https://github.com/google/google-api-php-client/issues/891
UPDATE 2: Wasn't a temporary issues after all. The solution, if others need, is listed here. Basically giving your app perpetual access to the given account/scope.
https://github.com/google/google-api-php-client/issues/801#issuecomment-171417538
Google probably changed the handling of service accounts and this doesn't work anymore. It's not related to specific Google API client (PHP) nor specific API (Analytics), but it seems to me as a general change which affects everything.
I have a simple Ruby code that I combined from several examples. It uses Google+ Domain API. I followed all steps to authorize a service account (https://developers.google.com/+/domains/authentication/delegation), but my requests fail with 403 Forbidden:
{"error"=>{"errors"=>[
{"domain"=>"global", "reason"=>"forbidden", "message"=>"Forbidden"}],
"code"=>403, "message"=>"Forbidden"}}
The same queries work fine if I execute them using Google APIs Explorer console. I think it's related to the service account vs. user account authentication. What did I miss?
The full code is here https://github.com/admitriyev/propellant/blob/master/main.rb
[edited] I added an installed app flow into the same code, and it worked fine (full code is on Gihub above). I still don't know what I missed in the service flow though.
I figured it out, I was missing the email of the actual domain user on behalf of whom it should be authorized. I also switched to use Google::APIClient::JWTAsserter which is a cleaner
abstraction:
client_asserter = Google::APIClient::JWTAsserter.new(
config['client_email'],
PLUS_LOGIN_SCOPE,
key
)
$client.authorization = client_asserter.authorize(config['user_email'])
My full example is here: https://github.com/admitriyev/propellant/blob/master/main.rb