In console.developers.google.com, I am trying to add permissions to a new user, with this email: xxxx#gmail.com, while my current console.developers.google.com is a google app account, let's call it yyyy#gapp.net
This is the error I got while granting xxxx#gmail.com admin/can edit/can read:
The non-domain account: xxxx#gmail.com can not be added to a domain project.
What should I do? Any setting I can tweak to solve this?
I am doing this because I want to transfer my app from yyyy#gapp.net to xxxx#gmail.com
It's not possible to share an app outside the domain in this way. You'll need to create a new project in the gmail.com account and switch to using it.
Related
I'm trying to get some data from a user (searchconsole):
the user first grants permission on a website.
Then, the idea is to use that permission and retrieve the data with a python program that'll run on a different server.
What is the easiest/safest way to achieve that?
Should I use the same token for both servers?
or is there a solution using the service account impersonation? (I'm stuck on that one)
use the permission on the web server to add the service account as a searchconsole user?
I tried to move the token from one server to another manually, and it works, but it seems suboptimal to use the same token for both servers.
I also read the doc and all examples I could find, but didn't find my case even though it seems basic.
Should I use the same token for both servers?
Im not 100% sure what you mean by token, you can and probably should just store the refresh token from the user and then you can access their data when ever you need to. This is really how Oauth2 is supposed to work and maybe you could find a way of storing it in a database that both your fount end and backend can access.
or is there a solution using the service account impersonation? (I'm stuck on that one)
Service accounts should really only be used if you the developer control the account you are trying to connect to. or if you are a google workspace admin and want to control the data of everyone on your domain. impersonation can only be configured via google workspace and can only be configured to control users on the same domain. So standard google gmail users would be out.
In the case of the webmaster tools api im not sure by checking the documentation that this api even supports service accounts
use the permission on the web server to add the service account as a searchconsole user?
I did just check my personal web master tools account and it appears that i have at some point in the past added a service account as a user on my account.
For a service account to have access to an account it must be pre authorized. This is done as you can see by adding a user to your account. I cant remember how long ago I tested this from what i remember it did not work as the user needed to accept the authorization and there was no way to do that with a service account.
I'm working on migrating my EWS app from basic auth to OAuth (app-only authentication).
I created my app in Azure AD and everything works fine.
My only issue is that i don't want my app to have access to e-mails, contacts, etc... I only want to read calendar.
I tried removing "full_access_as_app" and adding "Calendar.Read" permission but i get "401 Unauthorized".
Do you have any solution ?
(image) not working
Thanks
You can't do that with EWS it only supports Full mailbox access via App or Delegate permissions. You can scope the permission so it only has access to certain mailbox using Application polices https://techcommunity.microsoft.com/t5/exchange-team-blog/application-access-policy-support-in-ews/ba-p/2110361. If you want to limit access to just the calendar only then you need to migrate your app to using the Microsoft Graph that supports more constrained authentication.
I received this error when trying to authorize my app with my own account:
Your project is trying to access scopes that need to go through the verification process.
{invalid=https://www.googleapis.com/auth/contacts}
If you need to use one of these scopes, submit a verification request. Learn More
When I use a different account, the error message is different:
This app hasn’t been verified to access:
{invalid=https://www.googleapis.com/auth/contacts}
Are you the developer? If this project needs these scopes, sign in to an account with access to edit your project and try again.
If not, contact the developer for help.
As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
UPDATE: Corrected broken link to form.
I have two applications which access my users' calendars via a service account. Until today everything was working fine and out of a sudden one of the app cannot get a grant token. I read that this may be due to the same service account being used simultaneously (which was the case for a year but never mind) so I decided to
create a second service account
and authorize it to access the calendars
I created the service account in the Google Developers Console -> API Manager -> Credentials.
The console now looks like this:
Service account client 1 is the original service account which was working for both apps and now works for one of them only. The ga... account is the newly created one.
In order to get the ClientID I went (on the same page) to "Manage service accounts" and I get this:
The newly created account does not offer the possibility to check its ClientID. Why?
The ClientID is also available in the JSON file downloaded upon creation. I extracted it from there and tried to authorize the access in my GApps Security console:
As you can see it was refused.
What part did I miss when creating this second account?
Found it:
and after checking the checkbox below both accounts look the same, the ClientID is available and it can be authorized in the GApps console.
I am working on an app in ruby using:koala:omniauth
When I click share to wall from the application it allows me to share and
changes my permission accordingly. When I use an account that is not setup as a developer it sends 200 error "permissions not provided." but does not ask for "permissions" like it did with the account connected to facebook developer.
Is there a setting somewhere on Facebook developer that controls this?
I would like all users to be re-asked the permission and not just developers of the app.
Yes, you need to ask Facebook to review the app for special permissions..