I use google-api-php-client library to access webmaster tools data. When I wanted to list sitemaps, it appeared Fatal error: Uncaught exception 'Google_Service_Exception'(403) User does not have sufficient permission for site. See also: https://support.google.com/webmasters/answer/2451999.'
I add the service account email address as a restrict user for my site, but error still exists.
Finally I find the answer:
A service account is not like a regular Google account. You cannot use it to access specific resources even if you give that specific address "access" to it. See here for the different ways you can authorize your requests to the Webmaster API.
For me the problem was not the actual permission, but the way the domain name is passed. Here is my Node.js example, but the same goes for PHP:
import {JWT} from 'google-auth-library';
const client = new JWT(
null,
'service-account.json',
null,
['https://www.googleapis.com/auth/webmasters.readonly'],
);
const res = await client.request({
url: 'https://www.googleapis.com/webmasters/v3/sites/sc-domain:yourdomain.com/searchAnalytics/query',
method: 'POST',
data: {
"startDate": "2020-04-01",
"endDate": "2020-05-01",
"dimensions": ["country", "device"]
}
});
console.log(res.data);
Notice the syntax sc-domain:yourdomain.com. Passing 'yourdomain.com' will result in the error User does not have sufficient permission for site yourdomain.com.
Make sure you added the service-account email as user in search console: https://search.google.com/search-console/users
A service account is not like a regular Google account. You cannot use it to access specific resources even if you give that specific address "access" to it.
You need to manage the service permissions via Webmaster Admin. Add your service account
whatever#developer.gserviceaccount.com
there.
Related
I'm am using a service account to generate an access token to access certain sheets in my google drive. That access token will be sent to the client-side user and using that users will access my sheets. But different users have access to different sheets and I want them to prevent access to other sheets with the same access token. Currently, the service account has access to all the file used by my app.
For generating access token I use googleapis's google.auth.JWT module. I use Firebase cloud functions as my backend with Node version 10
Here is my code,
try {
const jwtClient = new google.auth.JWT(
key.client_email,
null,
key.private_key,
['https://www.googleapis.com/auth/drive',], // drive scope
);
const accessToken = await jwtClient.authorize();
} catch (error) {
console.log(error)
res.status(500).json(error)
}
Thanks in advance
If the permissions of the service account gives the token full access to every file in the folder these tokens would allow to read other documents too. I think you may workaround this granting a specific user permissions to a set of documents by changing the permissions of the file itself, instead of providing a generic access token. This page of the Drive documentation describes how to change permissions at a file level and provides some Node.js samples.
I would like to fetch all the google private connections of a user signed in from my app.
I've enabled the Google People and the Google Plus API's. I set up the credentials API key, client id & client secret. The url with which I'm trying to fetch the users connections is
https://people.googleapis.com/v1/people/me/connections?fields=connections&key=api_key&access_token=access_token
Also, I'm using the library passport-google-oauth, to get the users access_token. Is there anything that I'm missing in the above URL.
My google auth code is
// send to google to do the authentication
// profile gets us their basic information including their name
// email gets their emails
app.get('/auth/google', passport.authenticate('google', {
scope: ['profile', 'email','https://www.googleapis.com/auth/contacts.readonly', 'https://www.googleapis.com/auth/contacts']
}));
// the callback after google has authenticated the user
app.get('/auth/google/callback',
passport.authenticate('google', {
successRedirect: '/profile',
failureRedirect: '/'
}));
You have not mentioned what error you are getting but by looking at the url you are using I can tell you a few things.
people.connections.list access private user data. So for one you don't need to add Key that is just used for accessing public data. However having both should not result in any error message.
I have tested the request you are sending and it does work however this request requires that you have authenticated with at least one of the connections scopes.
https://www.googleapis.com/auth/contacts Requests that your app be
given read and write access to the contacts in the authenticated
user’s Google Contacts.
https://www.googleapis.com/auth/contacts.readonly Requests that your
app be given read access to the contacts in the authenticated user’s
Google Contacts.
If you have not then you will get a no access error message.
{
"error": {
"code": 403,
"message": "Request had insufficient authentication scopes.",
"status": "PERMISSION_DENIED"
}
}
I've written an online converter and integrated Auth0 to my website. What I'm trying to achieve is to auto-upload the converted file to the Google Drive of a logged in user. I set up Google oauth in Auth0 and everything seemed to work fine.
The problem is, Google's access_token expires after 60min and I don't have a refresh_token. Therefore, the user needs to log in via the Google Login-page again. That is not, what I want, because the user is in fact logged in way longer than just 60min on my site, but Google refuses API-calls (because the Google token expired).
I know I can request a refresh_token by setting access_type=offline but this will add the permission Have offline access. I don't want that, I just want to upload data to the user's Drive, if he clicked the convert button on my page. I don't want to ask the users for permissions I don't need. If I (as a user) would link my Google account on a similar page and the tool asks for offline access I wouldn't approve, to be honest - the permission sounds like the tool creator can do whatever he wants with your account whenever he wants... There are many tools out there that have write access to a user's Drive without asking for offline access and with one single login until the user revokes the permission. How is that done?
Is there a way to make Google API calls without asking for offline access and without forcing the user to approve the app (that is already approved by him) again and again every 60min?
Thanks in advance,
phlo
Is there a way to make Google API calls without asking for offline access and without forcing the user to approve the app (that is already approved by him) again and again every 60min?
Yes there are ways, but it depends on the specifics of your use case. For example, is your code in Java/php/etc running on a server, or is it JavaScript running in the browser?
Running your auth in the browser is probably the simplest solution as the Google library (https://developers.google.com/api-client-library/javascript/features/authentication) does all the work for you.
By asking for offline access you are requesting a refresh token. Google is going to tell the user that you are requesting offline access. You can request something without telling the user what they are authorizing.
No there is no way to request a refresh token without displaying that message. Nor is there a way for you to change the message it's a standard Google thing.
I found the solution!
Prerequirements
Enable Use Auth0 instead of the IdP to do Single Sign On in your client's Dashboard
Create a new Angular-route to handle the silent login callback (e.g. /sso)
Add
$rootScope.$on("$locationChangeStart", function() {
if ($location.path().indexOf("sso") == -1) {
authService.relogin(); //this is your own service
}
});
to your run-function and set the callbackURL in angularAuth0Provider.init() to your new Angular-route (<YOUR_DOMAIN>/sso). Add this URL to your accepted callbacks in the Auth0 dashboard - this won't end in an infinite loop, because the locationChangeStart-event won't call authService.relogin() for this route
Add $window.close(); to the controller of the Angular-route (/sso) to auto-close the popup
Authenticate the user via Auth0 and save the timestamp and the Auth0-access_token somewhere
On reload:
Check, if the Auth0-token is still valid in authService.relogin(). If not, the user has to login again either way. If the token is valid and the Google token is about to expire (check this with the saved timestamp to prevent unnecessary API calls) check for SSO-data and login silently, if present
/* ... */
if (validToken && googleExpired) {
angularAuth0.getSSOData(function (err, data) {
var lastUsedConnection = data.lastUsedConnection;
var connectionName = (_.isUndefined(lastUsedConnection) ? undefined : lastUsedConnection.name);
var isGoogle = (_.isUndefined(connectionName) ? false : connectionName == "google-oauth2");
if (!err && data.sso && isGoogle) {
authManager.authenticate();
localStorage.setItem("last-relogin", new Date().getTime());
angularAuth0.signin({
popup: true,
connection: data.lastUsedConnection.name
});
}
});
}
Now you will find a fresh Google access_token for this user (without asking for offline access)
Resources:
https://auth0.com/docs/quickstart/spa/angularjs/03-session-handling
https://auth0.com/docs/quickstart/spa/angularjs/11-sso
I am trying to use the Google Cloud Resource Manager API to test whether the authenticated user has permissions to a given project. I have read the [Google Cloud Resource Manager API documentation][1] and have tried sending requests, all which fail with the following error:
{ "error": { "code": 400, "message": "Request contains an invalid argument.", "status": "INVALID_ARGUMENT" } }
The POST request is:
https://cloudresourcemanager.googleapis.com/v1/projects/{projectId}:testIamPermissions
where {projectId} is a defined projectId from the Google Cloud Developer Console. I am aware that I can use the project.list method and determine if the given projectId is present in the list of projects for the user. I want to understand how to use the project.testIamPermissions request and determine which permission the user has on the project. [1]: https://cloud.google.com/resource-manager/reference/rest/v1/projects/testIamPermissions
In order to use the Cloud Resource Manager API methods organizations.testIamPermissions or projects.testIamPermissions, you need to provide the resource you'd like to check in the URL and then the permissions you'd like to check in the body.
So, for example, if I want to test if I, the authenticated user, have access to a particular permission (ex. compute.instances.create) on a particular project (ex. my-project) then, I would POST this:
{
"permissions": [
"compute.instances.create"
]
}
to the URL:
https://cloudresourcemanager.googleapis.com/v1/projects/my-project:testIamPermissions
which would give me the following response:
{
"permissions": [
"compute.instances.create"
]
}
because I do in fact have permissions to create new instances in my-project.
However, if I did not have permission to create new instances, the response would look like:
{
}
Try it here via the API Explorer.
If your goal is to find the test of all permissions that the user has on the project, then you have to provide the full list of all project level permissions in your request body and the response will include the subset of those permissions that the user has.
Hope this helps!
I wrote a PHP application which tries to create an User in my Google Directory. I don't use the Google Libraries. I succeded making requests to the Android Enterprise API. I can enroll and unenroll Enterprise Service Accounts with my MSA. So I assume my Code for the JWT and Requests work.
I created a Service Account and enabled "Domain Wide Delegation" and added the following permission "https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group" to my API Client under the "Manage API client access" windows.
My Service Account has the status role "Editor" in the "Permissions for project" windows.
So first my script gets the Bearer token from the Google Server, for that I create a JWT and encrypt it with my private key.
The Token contains the following fields
"iss" => sacname#projectname.iam.gserviceaccount.com
"scope" => "https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group"
"aud" => "https://www.googleapis.com/oauth2/v4/token",
"exp" => timestamp+3000,
"iat" => timestamp
When I do that request I get a bearer token, but when I use that token to make the insert request I always get the message "Not Authorized to access this resource/api" with an HTTP 403.
When I add the field "sub" to my JWT and specify the email of the Project admin "admin#mydomain.com" I can't even get the bearer token, then I get a 401 error with the following message "Unauthorized client or scope in request."
After that I tried something "easy", I just wanted to get a list of all users in my directory. But the Google Server just reponds with an "bad request" error. I got the same error with the API Explorer which is on API Page. Maybe the API is broken ? At least the API Explorer should work.
https://developers.google.com/admin-sdk/directory/v1/reference/users/list
Do you have some ideas why I can't create users with my service account ?
(I had to insert some spaces in the scopes and urls because I'm not allowed to post more than two links)
Greetings
Philip
Adding the sub claim is the right thing to do, because you must impersonate a super admin to use Directory API. If you get a "Unauthorized client or scope in request" response, that might be because there's a typo in the service account client ID you used to authorize (or the scopes), or that not enough time has passed (it usually propagates within a few minutes, but could take up to 24 hours).
See JWT error codes for more details on possible errors and causes.
Do you have some ideas why I can't create users with my service account?
Yes. Your service account seems to have no authority to create users. Check your Service Account's role in GDC to check if it's Owner, Editor, Viewer,etc. The scope of what they can do depends on that. Watch this Google video for a live demo.
Also, try to read more on Using OAuth 2.0 for Server to Server Applications.