i am a google apps account user. I get this error when i try to access Google Plus Domains API. "Access to the Google+ Domains API is not allowed as the user has consented to incompatible scopes". The scopes that i requested for are: "https://www.googleapis.com/auth/plus.circles.read,https://www.googleapis.com/auth/plus.circles.write,https://www.googleapis.com/auth/plus.media.upload,https://www.googleapis.com/auth/plus.stream.read,https://www.googleapis.com/auth/plus.stream.write,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.readonly". I have been trying in vain for a long time to solve this. Can someone throw light on this?
Is it possible the user has previously consented to an app in the same project with scope https://www.googleapis.com/auth/plus.login? That scope is incompatible with the domains API, which may be causing the issue.
If this is your own user you are testing with, the easiest way might be to revoke all access to the app from your user settings, (https://security.google.com/settings/security/permissions) and seeing if you get the error then.
Related
I have a Google Cloud App Engine app that functions correctly when either I allow unauthenticated AllUsers access or turn on IAM for controlling access in Identity Aware Proxy. However when I follow the instructions on this page https://cloud.google.com/iap/docs/cloud-run-sign-in to enable Cloud Run Hosted sign-in with external identities and attempt to access either the login page or the Google Cloud Run hosted sign-in page, I receive the following error in the browser.
"Could not fetch URI /computeMetadata/v1/instance/service-accounts/default/token?scopes=https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/identitytoolkit"
For context, the Google Cloud Run service hosting the user sign-in is set to allow all Unauthenticated. It should re-direct to the Google App Engine web app. I think this is related to permissions or redirects, but I am at a loss as to how to fix. Any thoughts? Thanks!
I attempted to fix by re-deploying the Cloud Run Service, switching IAP on and off, switching between IAM and external identities, but to no success.
Thanks #John Hanley, I discovered that one my compute engine service account was disabled for some reason within the project. Re-enabling solved the problem partially. I'll spend more time matrix out the permissions and re-directs to make sure they are aligned.
I originally thought I completely answered my own question and solved my problem. Unfortunately, I only solved one of the problems with my implementation of the external identities authentication method.
Description of the other problem:
I enabled email/password and Google as providers, but when I click on the the option to authenticate with Google, I receive the following text in the browser: "The requested action is invalid."
At the Console in Dev Tools I get the following error:
GET https://www.googleapis.com/identitytoolkit/v3/relyingparty/getProjectConfig?key=*mykey*&cb=1599165379363 403
The following url is displayed in the URL bar:
https://.firebaseapp.com/__/auth/handler?apiKey=mykey&appName=%5BDEFAULT%5D-firebaseui-temp&authType=signInViaRedirect&providerId=google.com&customParameters=%7B%22hl%22%3A%22en%22%7D&scopes=profile&redirectUrl=https%3A%2F%2Fiap-gcip-hosted-ui-app-engine-app-myserver-uc.a.run.app%2F%3FapiKey%3Dmykey**&v=7.16.0&fw=FirebaseUI-web
mykey and myserver were removed for this post and is not the actual values.
Email/password sign-in works, but not the Google sign-in. What am I missing here?
I am using Google's login API for a project that needs to be internal to my organization. When I tested to see what happens if I try to login with an account that is not part of that organization, this error showed up:
Error message image on https://i.stack.imgur.com/bnXNw.png
This error shows the client id provided by my API panel on my developer account.
Is showing that information safe? If not, what could I do to hide it?
Thank you in advance!
The client identifier [1] and everything else on the error page is not considered a secret. The error message has two uses: to lock your app down for internal usage and to allow users to use that information to escalate to you, the developer, or their admin that they need access to a particular app if they have a legitimate need for it. For the latter, it is important for users to be able to identify apps, typically using the client ID.
[1] https://www.rfc-editor.org/rfc/rfc6749#section-2.2
We have an application hosted in GCP which uses GSuite APIs to sync users from GSuite to our application and visa-versa using Service Account. It used to work well until recently some of our customers started facing issues.
We started getting
401 unauthorized. "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
There as been no change in our application and neither in the list of permissions granted. Following are the list of api access granted :-
https://apps-apis.google.com/a/feeds/domain,
https://www.googleapis.com/auth/activity,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.orgunit,
https://www.googleapis.com/auth/admin.directory.user,**
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.appdata,
https://www.googleapis.com/auth/drive.file,
https://www.googleapis.com/auth/drive.metadata,
https://www.googleapis.com/auth/drive.metadata.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement,
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromeos,
https://www.googleapis.com/auth/drive.apps.readonly,
https://www.googleapis.com/auth/drive.photos.readonly,
https://www.googleapis.com/auth/drive.scripts
The affected GSuite domains were working perfectly until yesterday. Also there are some domains which still work without any problem.
Can somebody please suggest what could the problem be. Is there any change in the APIs recently? Any help will be much appreciated.
"Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
There are several ways to authenticate to Google.
web based applications
native applications
mobile applications
and service accounts
The clients you create for these types is different as is the code to use them. The message you are seeing above means that the code you are using does not match the type of client you have created.
Make sure your code is designed for use with service accounts and make sure that the credentials file you have downloaded from google developer console is in fact credentials for a service accounts.
Why it worked previously and suddenly stopped i cant tell you this is an error you will always get if your code does not match your credential type.
The last option would be to double check that all of those apis are enabled in the Google developer console for your service account project.
I received this error when trying to authorize my app with my own account:
Your project is trying to access scopes that need to go through the verification process.
{invalid=https://www.googleapis.com/auth/contacts}
If you need to use one of these scopes, submit a verification request. Learn More
When I use a different account, the error message is different:
This app hasn’t been verified to access:
{invalid=https://www.googleapis.com/auth/contacts}
Are you the developer? If this project needs these scopes, sign in to an account with access to edit your project and try again.
If not, contact the developer for help.
As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
UPDATE: Corrected broken link to form.
I'm using the Google's PHP API Client, release 1.1.6.
We have a company Google account which controls our many Google Analytics account as well as our Google Developer apps.
I'm working on an app accessing our Google Analytics, using a Service Account set-up. I'm using the same code provided here:
https://developers.google.com/api-client-library/php/auth/service-accounts#delegatingauthority
$credentials = new Google_Auth_AssertionCredentials(
$client_email,
$scopes,
$private_key,
'notasecret',
'http://oauth.net/grant_type/jwt/1.0/bearer',
$user_to_impersonate,
);
In this case $client_email is the App Service Account client (random-chars#developer.gserviceaccount.com) and $user_to_impersonate is our company's Google Account.
As of a couple days ago this was all working correctly, and I could access all our Google Analytics accounts through the API after the above authentication. As of yesterday, I'm getting this error:
Error refreshing the OAuth2 token, message: '{
"error" : "unauthorized_client",
"error_description" : "Unauthorized client or scope in request."
}'
With the $user_to_impersonate parameter removed the authenticated works without error. However, I've been using the $user_to_impersonate as we have several hundred GA accounts and the Service Account client is not a permitted user on them (and would have a limit of 200 accounts anyway).
I couldn't find any recent updates to the way Google Dev's authentication works, but maybe I'm missing something.
Any ideas?
UPDATE: Apparently this was a temporary error with Google's overall API, and is now fixed:
https://github.com/google/google-api-php-client/issues/891
UPDATE 2: Wasn't a temporary issues after all. The solution, if others need, is listed here. Basically giving your app perpetual access to the given account/scope.
https://github.com/google/google-api-php-client/issues/801#issuecomment-171417538
Google probably changed the handling of service accounts and this doesn't work anymore. It's not related to specific Google API client (PHP) nor specific API (Analytics), but it seems to me as a general change which affects everything.