We're having an issue in generating access token using OAuth2 Service Account for Google Apps marketplace users. The token generated here would be used in accessing Google APIs(Contacts, Calendar, Mail, Admin SDK APIs) and thus all the Google Integrations within our Services are failing. This has started failing abruptly from March 9th 8AM PST. Can you please consider this as high priority and let us know the reason for the issue or if we have missed something here. We are getting API response as
{ "error": "invalid_request" }
Please find the below sample request with all the headers and params for 2 sample requests for "https://www.googleapis.com/oauth2/v4/token"(as in documentation) and "https://accounts.google.com/o/oauth2/token" endpoints. Both result in a error message with responses { "error": "internal_failure", "error_description": "Invalid Value"} and { "error": "invalid_request" } respectively.
P.S: The service email address,private key files used for generating the below signature in the sample requests works if we use respective Google Client libraries. But we are making use of Google's REST APIs. We've created a sample application in Google APIs console for testing with new service account details and this results in the same exception.
URL:
https://www.googleapis.com/oauth2/v4/token
Headers:
Content-Type:application/x-www-form-urlencoded
BODY:
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9vYXV0aDIvdjQvdG9rZW4iLCJzdWIi
OiJqYWdzQHNvbHV0aW9udGVzdC5jb20iLCJzY29wZSI6Imh0dHBzOi8vbWFpbC5nb29nbGUuY29t
LyIsImlzcyI6IjQ2OTU3MTY1OTAxNUBkZXZlbG9wZXIuZ3NlcnZpY2VhY2NvdW50LmNvbSIsImV4
cCI6MTQ1NzU5NTkwMCwiaWF0IjoxNDU3NTkyMzAwfQ==.VrsqS0nYSUVZn_SwMi7UJEYLDqRcWLzPrF9o6av-t1IYZbRkTybEdcnwWeUfnYXl_F88gFTllmRg
LSTBahM5gqpZrEAaWrRiDEVTo6rcN3hWm7MHcmZbwgdJB8B0ObV0Ivp5aTdLC5HcqsOumJvYpDCF
SyGU8StSg9pDujERzOo=
Response:
code:400
{
"error": "internal_failure",
"error_description": "Invalid Value"
}
URL:
https://accounts.google.com/o/oauth2/token
Headers:
Content-Type:application/x-www-form-urlencoded
BODY:
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9vYXV0aDIvdjQvdG9rZW4iLCJzdWIi
OiJqYWdzQHNvbHV0aW9udGVzdC5jb20iLCJzY29wZSI6Imh0dHBzOi8vbWFpbC5nb29nbGUuY29t
LyIsImlzcyI6IjQ2OTU3MTY1OTAxNUBkZXZlbG9wZXIuZ3NlcnZpY2VhY2NvdW50LmNvbSIsImV4
cCI6MTQ1NzU5NTkwMCwiaWF0IjoxNDU3NTkyMzAwfQ==.VrsqS0nYSUVZn_SwMi7UJEYLDqRcWLzPrF9o6av-t1IYZbRkTybEdcnwWeUfnYXl_F88gFTllmRg
LSTBahM5gqpZrEAaWrRiDEVTo6rcN3hWm7MHcmZbwgdJB8B0ObV0Ivp5aTdLC5HcqsOumJvYpDCF
SyGU8StSg9pDujERzOo=
Response:
code:400
{
"error": "invalid_request"
}
EDIT:Sample request as in the documentation. This code was working for us for the past 2 years and suddenly it stopped working yesterday.
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI3NjEzMjY3OTgwNjktcjVtbGpsbG4xcmQ0bHJiaGc3NWVmZ2lncDM2bTc4ajVAZGV2ZWxvcGVyLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvcHJlZGljdGlvbiIsImF1ZCI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi90b2tlbiIsImV4cCI6MTMyODU3MzM4MSwiaWF0IjoxMzI4NTY5NzgxfQ.ixOUGehweEVX_UKXv5BbbwVEdcz6AYS-6uQV6fGorGKrHf3LIJnyREw9evE-gs2bmMaQI5_UbabvI4k-mQE4kBqtmSpTzxYBL1TCd7Kv5nTZoUC1CmwmWCFqT9RE6D7XSgPUh_jF1qskLa2w0rxMSjwruNKbysgRNctZPln7cqQ
It worked after changing the sun.misc.BASE64Encoder encoding part in my code for generating jwt token.
byte[] encode = BASE64Encoder.encode(data).replaceAll("\n", "").getBytes();
(or)
Change your BASE64Encoder encoding part while generating jwt token from sun.misc.BASE64Encoder to org.apache.commons.codec.binary.Base64 as
Base64 encoder = new Base64();
byte[] encode = encoder.encodeBase64(data);
Add comments if you anyone need any clarifications.
This solution was provided by Google.
Related
I am using google business API and trying to get location list.
I am going trough their documentation and using project from the link below as basis
https://developers.google.com/my-business/content/implement-oauth
Using that project I am able to successfully retrieve accounts list.
The problem occures when I try to retrieve locations list using accountID. Here is a link for their documentation
https://developers.google.com/my-business/content/manage-locations
Acording to documentation, to get location list for specific account, I should use following request
GET
https://mybusinessbusinessinformation.googleapis.com/v1/{accountId}/locations
Authorization: Bearer <access_token>
This is the code snippet, that I added to their sample project
function retrieveGoogleMyBusinessLocations(accessToken) {
$.ajax({
type: 'GET',
url: 'https://mybusinessbusinessinformation.googleapis.com/v1/{accID}/locations',
headers: {
'Authorization' : 'Bearer ' + accessToken
},
success: function(returnedData) {
var e = document.createElement("pre")
e.innerHTML = JSON.stringify(returnedData, undefined, 2);
document.body.appendChild(e);
}
});
}
When I do this request, it gives "CORS error".
The error in the console is following
Access to XMLHttpRequest at 'https://mybusinessbusinessinformation.googleapis.com/v1/xxx/locations' from origin 'http://localhost:8001' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
GET https://mybusinessbusinessinformation.googleapis.com/v1/xxx/locations net::ERR_FAILED
From the error message it seems that server does no accept requests from localhost:8001, but if I do request to different endpoint it will return result.
For example if I change utl from
https://mybusinessbusinessinformation.googleapis.com/v1/{accID}/locations
to
https://mybusinessbusinessinformation.googleapis.com/v1/accounts/{accID}/locations?readMask=categories
With the second url it will return successfull result.
I am confused why it is allowing requests to one endpoint and blocks requests to other endpoint.
Can anyone help with this problem?
Have you tried making direct API requests via the Google Developers OAuth 2.0 Playground?
I tried to reproduce your error but got the expected 404 Not Found response for the unsupported endpoint pattern.
I've got project, where I have to login through google sign in. I have created google project. Set up client/secret keys. I got to the point where I'm making post request to my web app server and sending there the accessToken:
OAuth2ConnectionFactory<Google> connectionFactory = (OAuth2ConnectionFactory<Google>) connectionFactoryLocator().getConnectionFactory(Google.class);
AccessGrant accessGrant = new AccessGrant(accessToken);
Connection<Google> connection = connectionFactory.createConnection(accessGrant);
The request is:
GET https://www.googleapis.com/plus/v1/people/me
Accept: application/json, application/*+json
Authorization: Bearer etc.
Here I got exception: 403 Forbidden. I had to manually track what the actual request is done and made rest request manually to replicate the issue with given headers.
Here is the result I'm getting:
"code": 403, "message": "Legacy People API has not been used in
project ... before or it is disabled. Enable it by visiting
https://console.developers.google.com/apis/api/legacypeople.googleapis.com/overview?project=...
then retry. If you enabled this API recently, wait a few minutes for
the action to propagate to our systems and retry."
First of all the link fails to load. I didn't find any "Legacy People API". Only new People API.
I wonder if there is any solution to this problem? I have enabled People API and waited for long enough but the same error remains.
EDIT 1:
I think the project spring-social is dead. Will rewrite login logic and kick spring-social out of it..
ME TOO . this my problem. I'm waiting 6 hours
"code": 403, "message": "Legacy People API has not been used in project
Try using the Google Identity Platform OAuth API instead of the Legacy People API.
Trying to build an Angular 6 application to display all photos from a particular Google Photos album. Before implementing the Angular portion, I wanted to see if I could get the data from a cURL command, using the API key I created and gave access to the Photos API.
cURL:
curl -X GET \
'https://photoslibrary.googleapis.com/v1/mediaItems?pageSize=1&key=[API KEY]' \
-H 'Accept: application/json' \
This is based on the samples from Google's documentation here: https://developers.google.com/photos/library/reference/rest/v1/mediaItems/list
However, adding my valid API key results in the following error:
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
Is there additional data required besides the API key to get this working? Is it even possible to use an API key in this manner, or does it require using OAuth 2.0 and all the additional hoops that come with it?
You need to obtain an OAuth AccessToken to add as an HTTP Header in your request.
Here's a breakdown of the process I've used that has worked, with the caveat that it periodically gets 401 errors from the mediaItems requests. It seems that Google is throttling the requests and denies a few if they're coming too fast.
We are using our own logging solution because stackdriver is su...bpar. I want to pull the metrics on how many unacknowledged messages there are in the pubsub. Started to read the docs on that and they are all over the place.
Found this page:
https://cloud.google.com/monitoring/api/metrics
Despite being under the api it does not describe any api calls, but does contain the description of the metric I want to extract.
Now I am thinking I need to use the monitoring api to extract what I need somehow:
https://cloud.google.com/monitoring/api/ref_v3/rest/
So I use the api explorer to try a couple of methods:
https://developers.google.com/apis-explorer/#search/monitoring/monitoring/v3/monitoring.projects.groups.list
I query and gives me an available url:
GET https://monitoring.googleapis.com/v3/projects/myprojectname/groups?key={YOUR_API_KEY}
I go to my project's console (api & credentials page) and generate an api key without restrictions and paste it in trying to curl.
curl https://monitoring.googleapis.com/v3/projects/myproject/groups?key=myrandomkeylkjlkj
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
Why is this happening? How can I get the metrics? I went to the url provided but it explains oauth token creation and has nothing regarding the api keys. I just need to curl things to make sure I am going the right way.
Why does this have to be so hard? Killed several hours of my life trying to get this.
curl -H "Authorization: Bearer $(gcloud config config-helper --format='value(credential.access_token)')" https://monitoring.googleapis.com/v3/projects/myproject/groups
I am using the google-api-ruby-client v0.7.1, ruby 2.1.
When I upload Custom Data Sources through Google Analytics API v3 with Google Analytics API v3 > analytics.management.dailyUploads.upload :
Request
POST https: //www.googleapis.com/analytics/v3/management/accounts/**********************/webproperties/**********************/customDataSources/**********************/dailyUploads/2014-04-06/uploads?appendNumber=1&type=cost&key={YOUR_API_KEY}
Authorization: Bearer **************************
X-JavaScript-User-Agent: Google APIs Explorer
Response
400 Bad Request
{
"error": {
"errors": [{"domain": "global",
"reason": "badRequest",
"message": "Upload request url should start with https://www.googleapis.com/upload/analytics/..."}],
"code": 400,
"message": "Upload request url should start with https://www.googleapis.com/upload/analytics/..."
}
}
That response I get when call this method of api from gem google-api-ruby-client too.
But the documentation states:
HTTP request
POST https: //www.googleapis.com/upload/analytics/v3/management/accounts...
But in Google APIs Explorer and gem request is https: //www.googleapis.com/analytics/v3... , not https://www.googleapis.com/upload/analytics/v3... .
Anyone encountered this problem and how to fix it?
You need to change
user and code value
In authorize method.
You'll get,
user_ID from client_secret.json
and
run the URL, you get in the console under 'Open the following URL in the browser' for code value