I know if a super administrator grants access to an application, that application (using OAuth) can access any user's (with that domain) calendar.
Does the same apply to a user's contacts (not shared contacts)? From my testing, I keep getting 403 Forbidden, meaning it's not possible.
Do you have the scope defined correctly for using the contact API?
https://developers.google.com/google-apps/contacts/v3/#authorizing_requests_to_the_api_name_service
Related
I'm working on migrating my EWS app from basic auth to OAuth (app-only authentication).
I created my app in Azure AD and everything works fine.
My only issue is that i don't want my app to have access to e-mails, contacts, etc... I only want to read calendar.
I tried removing "full_access_as_app" and adding "Calendar.Read" permission but i get "401 Unauthorized".
Do you have any solution ?
(image) not working
Thanks
You can't do that with EWS it only supports Full mailbox access via App or Delegate permissions. You can scope the permission so it only has access to certain mailbox using Application polices https://techcommunity.microsoft.com/t5/exchange-team-blog/application-access-policy-support-in-ews/ba-p/2110361. If you want to limit access to just the calendar only then you need to migrate your app to using the Microsoft Graph that supports more constrained authentication.
We are integrating Google Calendar with our room booking system. Users in GSuite domain should login on our reservation screen and book a room. So far I made use of an service account with domain wide delegation to impersonate the users (the setSubject() method, passing the e-mail address of the impersonated user). Everything works, although this way we cannot verify if the user we want to impersonate is logged in successfully or not, the event will be just created with him as the organizer, because setSubject() only requires the email to work properly.
In IBM Domino, when using an Java XPage I was able to compare passwords of the user, not in plain text but there was a function which compared plain text with user's hashed password and returned true if they were equal.
As I see Google doesn't have such a thing if I'm right. How could I check if the user can successfully log in programmatically?
If you want to perform actions in Google Calendar on behalf of a currently logged-in user from a web browser, you might want to use OAuth2 for Web Server Applications instead of using a service account with impersonation.
I am writing a program (written in java) for businesses that manages google drive data of domain users (download/read/...).
I need to authenticate once, using domain admin's credentials, get a token and refresh token, and fetch the data of all domain users.
I succeeded with doing it for the admin user itself, using google's Drive REST API
How can I manage all the domain users with one access token and refresh token?
In Google Apps, the admin does not have the ability to access the user's information directly.
The way to achieve this is through a service account and domain wide delegation.
With this approach, after the admin grants permissions to you app, the app will be able to impersonate users in the domain and perform actions on their behalf. e.g. you can access users Drive information.
I am trying to use google api for getting new emails from gmail account. However reading the docs I found that there are two types to access api the first one without authorization (with json credential) and second one one is Service Account (with p12 certificate and secretkey)
Can not understand what the difference between this access? What exactly should I use?
Thanks
Oauth2 is the first type you are looking at. With Oauth2 a consent screen is displayed to the user who must approve your access. Usage you want to access a users Gmail account, you want to access a users google calendar, you want to access a users google drive.
With a service account access is pre-authorized by taking the service account email address and adding it as a user for data in question. Usage: You want to allow other users to upload files to your google drive account, you would add the service account email address to a folder on google drive then the service account will be able to upload to that folder with out having to prompt any user for permissions.
Use Oauth2 when you want to access a users account, use a service account when you want to access an account controlled by you the developer.
If you want to access a users Gmail account you need to use Oauth2 you cant grant another user access to your Gmail so there is no way to give a service account access to it.
I am creating a windows plugin which would access Yammer data like groups user follows etc, for this i created a client application and accessed yammer rest api using client id and access token i get after user allows my app to access his data in a consent page. I am able to successfully do all this when people of my network are trying to login but this does not work when the plugin is being used by people of other networks, I am able to receive the access token after the user gives his consent in user consent page, but when i try to access his data like fetching groups using rest uRL i get an error saying "{"response":{"stat":"fail","code":17,"message":"Attempt to access a protected resource failed."}}"
please be noted the client app i created is not yet deployed into Global App directory, I really doubt if this is the actual cause of the issue, because i think if this was an issue it should not have recognized the client id itself and would not have shown the external network users the consent page too. may be if i am wrong please correct me
To access users on other networks' data, your app must be globalized (even if you don't want it to be listed in the Global App Directory). Without the user's consent, your app is not allowed to attempt to login on behalf of the user, thus they see the popup for authentication, and then the auth process fails because the app is not globalized.