TL;DR version
Is there any way to access ExtendedProperties on a resources that does not belong to the logged in user from an Outlook add-in?
Detailed version
We are setting ExtendedProperties on a CalendarFolder associated with a resource. We tried to access these ExtendedProperties from our Outlook add-in, however, since the CalendarFolder does not belong to the logged in user, the Outlook JavaScript API returned with an error when we used: mailbox.makeEwsRequestAsync()
Office extension have no permissions to access any other mailboxes
then the mailbox provided in the user context
The logged in user does have owner permissions on the CalendarFolder for the resource (Set-MailboxFolderPermission -Identity RoomResource#domain.com:\calendar -User admin -AccessRights Owner)
We are able to access the ExtendedProperties as expected when we create a simple console app and use the .NET Managed API, so we figured we could call the same EWS endpoint (/EWS/Exchange.asmx) from our add-in.
We first get an access token (using mailbox.getUserIdentityTokenAsync) and pass that with our call to the EWS endpoint directly from our add-in.
When we make an AJAX call to that endpoint, we are getting a 401 Unauthorized response from Exchange with the header:
x-ms-diagnostics:2000001;reason="The callback token is missing one or more expected claim types.";error_category="invalid_token"
Question
Is it possible to call the /EWS/Exchange.asmx endpoint on Exchange (on-prem and online) using oAuth? If so, how can we get a valid token that will validate. Can we ask for additional claims when requesting a token?
Related
i write some code to connect with google api Doubleclick bid manager
I download client_secrets.json at https://console.cloud.google.com/apis/credentials? then run some code like
require 'google/apis/doubleclickbidmanager_v1'
require 'google/api_client/client_secrets'
service = Google::Apis::DoubleclickbidmanagerV1::DoubleClickBidManagerService.new
service.authorization = Google::Auth.get_application_default(['https://www.googleapis.com/auth/doubleclickbidmanager'])
service.download_line_items
it response some errors like:
Sending HTTP post https://www.googleapis.com/doubleclickbidmanager/v1/lineitems/downloadlineitems?
403
#https://www.googleapis.com/doubleclickbidmanager/v1/lineitems/downloadlineitems == 403 (354 bytes) 1091ms>
Caught error unauthorizedApiAccess: You are not authorized to use DoubleClick Bid Manager API. Please contact dbm-support#google.com.
Error - #
Google::Apis::ClientError: unauthorizedApiAccess: You are not authorized to use DoubleClick Bid Manager API. Please contact dbm-support#google.com.
And when i run api at https://developers.google.com/apis-explorer, it return "You are not authorized to use DoubleClick Bid Manager API. Please contact dbm-support#google.com." too
Some one know this errors, plz check and help me
When your application requests private data, the request must be authorized by an authenticated user who has access to that data. Every request your application sends to the Google DoubleClick Bid Manager API must include an authorization token. The token also identifies your application to Google.
This is what the error means by
"You are not authorized to use DoubleClick Bid Manager API.
Make sure that you include the following scope when requesting authentication of the user.
https://www.googleapis.com/auth/doubleclickbidmanager
More info can be found here and there is documentation here on how to get it working with ruby you will need to alter the example there for your api as this is for calendar.
Note about service accounts.
Service accounts must be pre-authorized in order to work. In the case of Google drive you can take the service account email address and share a folder on your google drive with it. Basically you share data with the service account granting it access to the data. Not all google apis support service account authentication. Youtube api, Doubleclick, and blogger I think addsence or adWords as well, are a few that do not support service account authentication as there is no way to share the data with a user without them responding to the share request.
For Eg: Using google drive api i made an API call to get permission from user and generate access token and got user details using that token. In that case before getting permission from user if i logged in into multiple google accounts in my browser and i tried through particular mail Id through my app. I need to display only that mail id for permission , Not to display all the logged in mail ids. How to filter for particular mail id through api call.
My sample api call:
https://accounts.google.com/o/oauth2/auth?client_id=CLIENT_ID +&redirect_uri=REDIRECT_URI &scope=email+profile+https://www.googleapis.com/auth/drive&response_type=code&access_type=offline
I just removed prompt=select_account keyword from this api call. but it still display all accounts. How to filter for particular mail id?
You add the login_hint parameter with an account value to the authentication request.
I am trying to be able to set up a cron job to read contents from a certain email in my gmail inbox daily. I lookeed up gmail api documentation and noticed that the only way to authenticate my requests to access email data is via OAuth 2.0 which requires user authorization. Is there a way to authorize my app to access emails from a particular email id without the need for the user to manually take any actions.
I found this: https://developers.google.com/identity/sign-in/web/server-side-flow. I was wondering if there is any way to follow this workflow without having to build the UI?
Technically speaking you can use Oauth2 you just have to have the user authentication your application once. You will get a refresh token then you can use the refresh token to get a new access token from cron. Unless this is a Google domain account you cant use service accounts. There is no way to pre authorize a service account to access a normal user gmail.
Alternative: have you considered going directly though the mail server? Skip the rest api. https://developers.google.com/gmail/oauth_overview Note: That page also speaks of XOauth2 I haven't tried it yet you can still access SMTP and IMAP using username and password.
I am using Gmail API and I am trying to fetch emails from all users under company. But when I run code such as:
function runAPI(auth) {
var gmail = google.gmail('v1');
gmail.users.threads.list({auth: auth, userId: '108800016305523828361'},'',function(err, response){
if (err) {
console.log("The API returned an error: " + err);
return;
}
var threads = response.threads;
console.log(threads);
})
}
I get error:
The API returned an error: Error: Delegation denied for xxxx#xxxxx.com
In admin console I did this:
As client name I used id from the client_secret.json file. And for scope, I gave it all permissions.
How do I properly setup domain wide delegation for Gmail API ?
The setup is fine, however in your code you're doing it wrong.
This code:
gmail.users.threads.list({auth: auth, userId: '108800016305523828361'},'',function(err, response)
specifically.
userId should be "me" however before you can call the Gmail API you need to use the service account "JWT flow" in your code to retrieve an oauth2 credential for the Gmail user you want to access as described in the Preparing to make an authorized API call service account domain-wide delegation doc.
Specifically this uses your service account's private key to request to get a credential for the user you desire (set the user's email in your domain that you want to access in the setServiceAccountUser(user#example.com) function in the request). Then you can use that GoogleCredential in your call to the Gmail API.
For the question How do I properly setup domain wide delegation for Gmail API?
I think this documentation from Google can help you with this, just follow this steps to delegate domain-wide authority.
Go to your Google Apps domain’s Admin console.
Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.
Select Show more and then Advanced settings from the list of options.
Select Manage API client access in the Authentication section.
In the Client Name field enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.
In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
In your case, use this scope for Gmail API.
Click Authorize.
For more information about the error 403 or Delegation denied for <user email>,check this related SO question:
Gmail API returns 403 error code and “Delegation denied for user email"
GMail API Super Admin access other users accounts via API?
I know if a super administrator grants access to an application, that application (using OAuth) can access any user's (with that domain) calendar.
Does the same apply to a user's contacts (not shared contacts)? From my testing, I keep getting 403 Forbidden, meaning it's not possible.
Do you have the scope defined correctly for using the contact API?
https://developers.google.com/google-apps/contacts/v3/#authorizing_requests_to_the_api_name_service