I'm using a service account to create calendar entries and adding new attendees
for creating new appointments there is no problem
https://www.googleapis.com/calendar/v3/calendars/%7Bin_creator%7D/events
When adding new attendees, I get the error:
"Service accounts cannot invite attendees without Domain-Wide Delegation of Authority".
for adding new invitees I use:
https://www.googleapis.com/calendar/v3/calendars/%7BOwner%7D/events/%7Bmeeting_id%7D
All the information in the body of the call (including the list of attendees)
({Owner} is the real owner the calendar, it's not the service account)
I'm the Google Workspace admin, so I already granted scopes in the Domain-wide Delegation screen to this service account:
https://googleapis.com/auth/calendar,
https://googleapis.com/auth/calendar.events
https://googleapis.com/auth/admin.director`
the owner of the calendar granted "Make Changes Event" permission to the service account
the JWT for request the access token looks like:
{
"iss": "xxxxxx.gserviceaccount.com",
"scope": "https://www.googleapis.com/auth/calendar https://googleapis.com/auth/calendar.events https://googleapis.com/auth/admin.directory.resource.calendar",
"aud": "https://oauth2.googleapis.com/token",
"exp": "{exp}",
"iat": "{iat}"
}
I've tried calling the apis using Oracle PLSQL / Apexx using
apex_web_service.make_rest_request(
p_url => t_url,
p_http_method => 'POST',
p_body => t_json_in,
p_parm_name => apex_util.string_to_table(
'conferenceDataVersion:supportsAttachments:maxAttendees:sendNotifications:sendUpdates'
),
p_parm_value => apex_util.string_to_table('1:True:12:False:False')
);
where
t_url : variable cointaining the target endpoint : xxxx googleapis.com / calendar / v3 / calendars / {Owner} / events / {meeting_id} which returns a CLOB containing a JSON t_json_in : variable with a JSON with all the event data
this function returns a CLOB with a JSON
{
"error": {
"errors": [
{
"domain": "calendar",
"reason": "forbiddenForServiceAccounts",
"message": "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
}
],
"code": 403,
"message": "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
}
}
For delegation the JWT for the access token request needs to include the Sub claim. see: service-account
sub The email address of the user for which the application is requesting delegated access.
This is the email address of the owner of the account for which delegation has been configured. The service account it self may have read access but to have write access it needs to be deligated.
{
"iss": "xxxxxx.gserviceaccount.com",
"sub": "owner#yourdomain.com"
"scope": "https://www.googleapis.com/auth/calendar https://googleapis.com/auth/calendar.events https://googleapis.com/auth/admin.directory.resource.calendar",
"aud": "xxxx oauth2.googleapis.com/token",
"exp": "{exp}",
"iat": "{iat}"
}
Related
When I try to access Admin SDK API I get this error:
XHRGEThttps://admin.googleapis.com/admin/directory/v1/users?customer=some_custumer
[HTTP/3 403 Forbidden 220ms]
Even passing a API_KEY (&key=my_api_key), the same happens.
{
"error": {
"code": 403,
"message": "Request had insufficient authentication scopes.",
"errors": [
{
"message": "Insufficient Permission",
"domain": "global",
"reason": "insufficientPermissions"
}
],
"status": "PERMISSION_DENIED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
"domain": "googleapis.com",
"metadata": {
"method": "ccc.hosted.frontend.directory.v1.DirectoryUsers.List",
"service": "admin.googleapis.com"
}
}
]
}
}
Header:
www-authenticate
Bearer realm="https://accounts.google.com/", error="insufficient_scope", scope="https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/directory.user https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/apps.directory.user.readonly https://www.googleapis.com/auth/directory.user.readonly https://www.googleapis.com/auth/cloud-platform"
I've configured my app on Google Console. Configured the authentication and scopes like this scopes. I've also configured domain-wide-delegation in Admin Console. I'm expecting to list all Workspace users through this API, but I got this error.
The OAuth works fine.
I am not sure what you are using but here you have my assumptions:
If you are using OAuth, you will need to use a user with enough
privileges to list your users (a super admin account for example)
If you are using a service account, besides allowing wide domain
delegation you need to implement impersonation in your code, that
way you will specify which account the service account will
impersonate to make the API call. So, it is very important to
impersonate an account with enough permissions
If you have any questions please let me know
I am trying to use Nodemailer in express server with Oauth from Office 365 but I am getting Can't create new access token for user and {"code": "EAUTH", "command": "AUTH XOAUTH2" error. It seems like nodemailer is unable to obtain either the access token and refresh token and the user is not being authenticated to send mails.
const transporter = nodemailer.createTransport({
host: "smtp.office365.com",
port: 587,
secure: false,
tls: {
ciphers: "SSLv3"
},
requireTLS: true,
auth: {
type: "OAuth2",
user: process.env.SENDER_EMAIL,
clientId: "CLIENT_ID",
clientSecret: "CLEINT_SECRET",
accessUrl: "https://login.microsoftonline.com/SOMETHING_SECRET_HERE/oauth2/v2.0/authorize"
// pass: process.env.SENDER_PASSWORD
}
});
I am not familiar with OAuth 2.0 with Office 365 to begin with so there could be some configurations error etc. The nodemailer works fine if I use my account credentials though. Can someone please suggest me something to try out or let me know if my config is wrong.
Please note that, accessUrl is an endpoint for requesting new access token.
As you have passed Authorization endpoint, please try changing it to OAuth 2.0 token endpoint (v2).
You can find this endpoint value in the Portal like below:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App
Alternatively, you can make use of Microsoft Graph API to send the mails like below:
Make sure to have Mail.Send permission consented before using the below query:
POST https://graph.microsoft.com/v1.0/me/sendMail
{
"message": {
"subject": "Regarding leave approval",
"body": {
"contentType": "Text",
"content": "Please approve my leave request."
},
"toRecipients": [
{
"emailAddress": {
"address": "XXXXX"
}
}
],
"ccRecipients": [
{
"emailAddress": {
"address": "XXXXX"
}
}
]
},
"saveToSentItems": "false"
}
Response:
The mail was successfully triggered like below:
For more in detail, please refer the below links:
Send mail - Microsoft Graph v1.0 | Microsoft Docs
Modern Oauth2 authentication for sending mails using Nodemailer nodejs by Sivaprakash-MSFT
When I query GitHub's GraphQL API with the following:
query RetrievePackagesAssociatedWithRepo($repo: String!, $owner: String!) {
repository(name: $repo, owner: $owner) {
packages(packageType: NPM, first: 10) {
edges {
node {
id
name
packageType
}
}
}
}
}
I received an error stating:
{
"errors": [
{
"type": "INSUFFICIENT_SCOPES",
"locations": [
{
"line": 6,
"column": 11
}
],
"message": "Your token has not been granted the required scopes to execute this query. The 'id' field requires one of the following scopes: ['read:packages'], but your token has only been granted the: ['read:gpg_key', 'read:org', 'read:public_key', 'read:repo_hook', 'repo', 'user'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens."
},
I followed the link https://github.com/settings/tokens and added the necessary permissions.
I tried to Authorizing a personal access token for use with SAML single sign-on but, the SSO button to enable is not present.
development settings token
Documentations I Followed: Creating Personal Token! | Authorizing Personal Token!
After trying out theses methods, the same error message persists "Your token has not been granted the required scopes".
My goal, through Github's API, is to retrieve packages associated with its repository.
Is there something I'm missing.
I'm trying to call api Purchases.products: get to verify your purchase
it yields such a result
{
"error": {
"errors": [
{
"domain": "androidpublisher",
"reason": "permissionDenied",
"message": "The current user has insufficient permissions to perform the requested operation."
}
],
"code": 401,
"message": "The current user has insufficient permissions to perform the requested operation."
}
}
the project is tied properly
A new service account with owner rights has been created
This service account has been granted rights in the google play console
Documentation here says what you can do
the received token does not work only for purchase checks for any other api it returns the result(Inappproducts: list is work)
The verification url is built right because if you get a token client to server then this api works too - but I need a server to server auth
scopes = ['https://www.googleapis.com/auth/androidpublisher']
authorization = Google::Auth.get_application_default(scopes)
uri = "https://www.googleapis.com/androidpublisher/v3/applications/#{ENV['ANDROID_PACKAGE_NAME']}/purchases/products/#{purchasable.purchase_uuid}/tokens/#{purchase_token}?access_token=#{authorization.fetch_access_token!['access_token']}"
response = RestClient::Request.execute method: :get,
url: uri,
headers: {'Content-Type':'application/json'}
and
file = File.read('config/google_key.json')
values = JSON.parse(file)
oauth = Signet::OAuth2::Client.new(
issuer: values[:client_email]",
audience: "https://www.googleapis.com/oauth2/v4/token",
scope: "https://www.googleapis.com/auth/androidpublisher",
client_id: values[:client_id],
signing_key: OpenSSL::PKey::RSA.new(values[:private_key]),
)
jwt = oauth.to_jwt
url = "https://www.googleapis.com/oauth2/v4/token"
begin
response = RestClient::Request.execute method: :post,
url: url,
headers: {'Content-Type': 'application/json'},
payload: {
grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
assertion: jwt
}
result = JSON.parse response.body
rescue => e
puts e.response.to_str
result = JSON.parse(e.response.to_s)
end
I expect this result
update 1
add tokeninfo
I love google.
after 7 days with my first service account it worked - but 7 days !!!! 7 days !!!! it's just horror
Guys in Google you need 7 days to give access to api!! - this is ridiculous
Okay, you need to do this to get access
create service account in google cloud (admin rights)
create google play console and link project google cloud
add email service account in google play console
after 1 week it will work
When I try the RingCentral Get Forwarding Number API:
GET /restapi/v1.0/account/{accountId}/extension/{extensionId}/forwarding-number
I get this error:
{
"errorCode" : "CMN-408",
"message" : "In order to call this API endpoint, user needs to have [ReadUserForwardingFlipNumbers] permission for requested resource.",
"errors" : [ {
"errorCode" : "CMN-408",
"message" : "In order to call this API endpoint, user needs to have [ReadUserForwardingFlipNumbers] permission for requested resource.",
"permissionName" : "ReadUserForwardingFlipNumbers"
} ],
"permissionName" : "ReadUserForwardingFlipNumbers"
}
I don't see this permission in the Online Account Portal (https://service.ringcentral.com), even under the Super Admin role. How can I resolve this and access this API?
ReadUserForwardingFlipNumbers is a user permission that is configured in the Online Account Portal. The user's assigned role needs to have the following corresponding permission in the Online Account Portal:
User Settings > Messages & Notifications
You can see this in the Online Account Portal under:
Users > Roles > {Role Name}
For example:
You can verify if your user has this permission by calling the following endpoint:
GET /restapi/v1.0/account/{accountId}/extension/{extensionId}/authz-profile
This will return a JSON object with a permissions property with an array of permissions. This permission looks like the following:
{
"permission": {
"uri": "https://platform.devtest.ringcentral.com/restapi/v1.0/dictionary/permission/ReadUserForwardingFlipNumbers",
"id": "ReadUserForwardingFlipNumbers",
"assignable": false,
"readOnly": false,
"siteCompatible": "Independent"
},
"effectiveRole": {
"uri": "https://platform.devtest.ringcentral.com/restapi/v1.0/dictionary/user-role/3",
"id": "3"
},
"scopes": [
"Self"
]
},