When I try to access Admin SDK API I get this error:
XHRGEThttps://admin.googleapis.com/admin/directory/v1/users?customer=some_custumer
[HTTP/3 403 Forbidden 220ms]
Even passing a API_KEY (&key=my_api_key), the same happens.
{
"error": {
"code": 403,
"message": "Request had insufficient authentication scopes.",
"errors": [
{
"message": "Insufficient Permission",
"domain": "global",
"reason": "insufficientPermissions"
}
],
"status": "PERMISSION_DENIED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
"domain": "googleapis.com",
"metadata": {
"method": "ccc.hosted.frontend.directory.v1.DirectoryUsers.List",
"service": "admin.googleapis.com"
}
}
]
}
}
Header:
www-authenticate
Bearer realm="https://accounts.google.com/", error="insufficient_scope", scope="https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/directory.user https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/apps.directory.user.readonly https://www.googleapis.com/auth/directory.user.readonly https://www.googleapis.com/auth/cloud-platform"
I've configured my app on Google Console. Configured the authentication and scopes like this scopes. I've also configured domain-wide-delegation in Admin Console. I'm expecting to list all Workspace users through this API, but I got this error.
The OAuth works fine.
I am not sure what you are using but here you have my assumptions:
If you are using OAuth, you will need to use a user with enough
privileges to list your users (a super admin account for example)
If you are using a service account, besides allowing wide domain
delegation you need to implement impersonation in your code, that
way you will specify which account the service account will
impersonate to make the API call. So, it is very important to
impersonate an account with enough permissions
If you have any questions please let me know
Related
I have a project owner permission on bigquery. And I able to create/delete/insert records into bigqquery table from UI.
However, when I am trying from Python, I am getting following error.
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"errors": [
{
"message": "Login Required.",
"domain": "global",
"reason": "required",
"location": "Authorization",
"locationType": "header"
}
],
"status": "UNAUTHENTICATED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "CREDENTIALS_MISSING",
"domain": "googleapis.com",
"metadata": {
"method": "google.cloud.bigquery.v2.JobService.ListJobs",
"service": "bigquery.googleapis.com"
}
}
]
}
}
Following is my code
def insert_data():
client = bigquery.Client()
job_config = bigquery.LoadJobConfig(
write_disposition=bigquery.WriteDisposition.WRITE_TRUNCATE,
source_format=bigquery.SourceFormat.CSV,
skip_leading_rows=1,
)
uri = " gs://xxx/csv_files/csv_test.csv"
table_id="xxx.Gaurang.csv_data"
load_job = client.load_table_from_uri(
uri, table_id, job_config=job_config
) # Make an API request.
load_job.result() # Waits for the job to complete.
You must authenticate when you use Google's libraries; Cloud Console and gcloud authentication does not extend transparently to code using the libraries.
Google's documentation is comprehensive and an example is here:
https://cloud.google.com/bigquery/docs/reference/libraries
Generally code run as a Service Account; the Service Account provides an identity and -- with Google Cloud services -- IAM provides roles/permissions based access, see BigQuery: access control with IAM.
Google provides a mechanism called Application Default Credentials that facilitates running code as a Service Account.
I am using v4 and google/apiclient:2.9.1 (php).
I successfully access the spreadsheet through oauth2. It is meaning I can read and edit data. But sometimes I get 403 http code with a body
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"errors": [
{
"message": "The caller does not have permission",
"domain": "global",
"reason": "forbidden"
}
],
"status": "PERMISSION_DENIED"
}
}
for no apparent reason. I don't change the permissions of spreadsheet, don't revoke permissions, etc. Re-access request is successful and the data becomes available again through API.
Why it happens? How do I get rid of the need to re-request access permissions?
This is repeated on different accounts and spreadsheets.
Goal:
I have a simple web application where I submit my Blood Pressure and Heart Rate measurements.
Now I'd like to submit these measurements to my Google Fit Account.
I tried Googles tutorial: https://developers.google.com/fit/scenarios/write-bp-data
OAuth2 Setup
I created new credentials in one of my existing Cloud Console Projects. And then requested a new authorization code using the following scopes (The project is in Testing State and my account is registered as tester):
https://www.googleapis.com/auth/fitness.blood_pressure.write
https://www.googleapis.com/auth/fitness.heart_rate.write
Requesting the token returns the following response:
{
"access_token": "ya29.XXXXXXXXXXXXXXXX",
"expires_in": 3599,
"refresh_token": "1//XXXXXXXXXXXXXXXX",
"scope": "https://www.googleapis.com/auth/fitness.heart_rate.write https://www.googleapis.com/auth/fitness.blood_pressure.write",
"token_type": "Bearer"
}
As you can see, both write scopes are granted.
Additionally, if I check the permissions in my Google Account, both scopes are set.
Create dataSource
Now I create two dataSources (one for com.google.heart_rate.bpm and one for com.google.blood_pressure).
creating the Heart Rate dataSource works as expected, but creating a dataSource for Blood Pressure returns a 403 PERMISSION_DENIED Error:
Request (POST https://www.googleapis.com/fitness/v1/users/me/dataSources)
{
"dataStreamName": "BPA-BloodPressure",
"type": "raw",
"application": {
"detailsUrl": "https://aaa.bbb.ccc",
"name": "Blood Pressure App",
"version": "1"
},
"dataType": {
"name": "com.google.blood_pressure"
}
}
Response
{
"error": {
"code": 403,
"message": "Scope not included to modify data of type com.google.blood_pressure. Possible scopes: https://www.googleapis.com/auth/fitness.blood_pressure.write",
"errors": [
{
"message": "Scope not included to modify data of type com.google.blood_pressure. Possible scopes: https://www.googleapis.com/auth/fitness.blood_pressure.write",
"domain": "global",
"reason": "forbidden"
}
],
"status": "PERMISSION_DENIED"
}
}
The Google Fit REST API tells me that the Scope fitness.blood_pressure.write is missing, but as you can see the Scope is given for the used access token.
Notes
I am working with Postman to test all requests. Later a Java/Groovy or PHP backend will used.
I also tried with read and write scopes for both data types.
I can see my app with both write scopes in Google Fit under "Connected apps".
Change dataType name to "fitness.blood_pressure" instead of "com.google.blood_pressure"
The body will be like this.
{
"dataStreamName": "BPA-BloodPressure",
"type": "raw",
"application": {
"detailsUrl": "https://aaa.bbb.ccc",
"name": "Blood Pressure App",
"version": "1"
},
"dataType": {
"name": "fitness.blood_pressure"
}
}
I'm trying to use your AMADEUS API but i have trouble to display hotels offers on production environment ..
Note that everything is ok on sandbox.
On https://api.amadeus.com endpoint I do :
/v1/security/oauth2/token to get an access token
then add the access token as bearer authentication
Then launch the request /v2/shopping/hotel-offers/?cityCode=NCE
((( Same as the sandbox )))
Here the response :
"errors": [
{
"status": 401,
"code": 701,
"title": "Wrong authentication credentials.",
"source": {
"pointer": "uri"
}
}
]
So I test the token on /v1/security/oauth2/token/{{XXXXXXXX}}
The token is not expired and approuved.
Anyone to help?
Thank you so much (sorry for english mistakes)
Akim
We are trying to update details information for serveral Venues in behalf of our clients/users by using Foursquare API.
It works pretty well for most of the clients, and we are using their own personal oauth credentials most of the time.
BTW, we have a lot of problems with some clients/accounts, because we are getting this error when trying to update the venues:
{
"meta": {
"code": 403,
"errorType": "not_authorized",
"errorDetail": "User not authorized to edit venue",
"requestId": "59bba14e351e3d0e31fcf9f1"
},
"notifications": [
{
"type": "notificationTray",
"item": {
"unreadCount": 0
}
}
],
"response": {}
We’ve checked the API limits and everything it’s correct. We’ve also checked the account Oauth token several times and it’s correct. Even we are using the 'venues/managed’ endpoint to ensure that the given Oauth credential can manage the given Venue and everything looks fine.
Any idea about what's happening?