Google AppScript BigQuery API call authentication - authentication

I've previously developed simple GAS projects that read csv files and inserted them into a BigQuery table and I don't recall using any special authentication since both projects were under my account. However, I'm now getting an error when trying to insert.
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"errors": [
{
"message": "Login Required.",
"domain": "global",
"reason": "required",
"location": "Authorization",
"locationType": "header"
}
],
"status": "UNAUTHENTICATED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "CREDENTIALS_MISSING",
"domain": "googleapis.com",
"metadata": {
"method": "google.cloud.bigquery.v2.JobService.GetJob",
"service": "bigquery.googleapis.com"
}
}
]
}
}
One difference is that I am now using a personal google account, whereas before I was using a work account, though I haven't seen anything that mentions this distinction for calling BigQuery from GAS.
I've found some blogs that seem to address how to implement an oauth2 auth, but I'm wondering if something has changed in the past ~8months that now necessitates a more explicit auth for BigQuery calls? This doco doesn't mention anything about authenticating - https://developers.google.com/apps-script/advanced/bigquery.
edit:
This was for a csv load/insert job. I remembered that I was previously doing array inserts, and the auth for that job has not changed so I am able to successfully execute those jobs. No idea why the auth is different for a csv-blob job, but hopefully this will save others some time.

The BigQuery API uses OAuth 2.0 access tokens to authorize requests and grant temporary access to the API. In this case, I recommend using a service account to authenticate the API. You can follow these steps to create an account.
If you are using BigQuery client Libraries, you can set up the authentication. If not, you need to follow these steps.
Also, you must have permission to load data into bigquery. You need the following IA permission.
bigquery.tables.create
bigquery.tables.updateData
bigquery.tables.update
bigquery.jobs.create
If you are in cloud storage, you need the following permissions.
storage.objects.get
storage.objects.list (required if you are using a URI wildcard)

Related

Is there any way to get a set of resources detailed information from Keycloak server by using Keycloak rest endpoints

we have rest point to get the resource information from keycloak server.
http://{host}:{port}/auth/realms/{realm}/authz/protection/resource_set/{resource_id}
from this endpoint I can get only one resource information.
-{
"name": "/TestResource",
"type": "customer",
"ownerManagedAccess": false,
"displayName": "testresource",
"_id": "****resource id****",
"icon_uri": "testIconUri",
"uris": [
"/uri2",
"/uri1"
],
"resource_scopes": [
{
"name": "GET"
}
]
}
But, In my case i have more than 25 resources to be loaded in my menu of application.
If i go with above endpoint, i need to call the same service for more than 25 times . so i need some other way to get set of resources information using single endpoint.
I expect a solution for this,
thankyou in advance.
I found the solution.
we can get all the authorization related details using
http://{host}:{port}/auth/admin/realms/{realmname}/clients/{clientId}/authz/resource-server/settings
provided by keycloak.
we have to use admin credentials
{clientId} is not the Client Name given by you. it is generated by keycloak for each client

UCWA - different results for different applications

I'm playing with the interactive web sdk at https://ucwa.skype.com/websdk. I'm signed in successfully with a Azure AD login. With the F12 Tool I can see, that I have got a valid oauth token.
Now I take this token and trying to get a person object via a GET request like this: _https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications/113782897528/me
This is the result:
{
"uri": "sip:xxx#yyy.de",
"name": "john doe",
"_links": {
"self": {
"href": "/ucwa/oauth/v1/applications/111364079681/me"
}
},
"rel": "me"
}
What I expect are more information about me like this:
{
"uri": "sip:xxx#yyy.de",
"name": "john doe",
"emailAddresses": [
"xxx"
],
"company": "my company name",
"workPhoneNumber": "tel:+123456789",
"endpointUri": "sip:xxx;opaque=user:epid:4JNzkgeuabct-CSuIgYV8gAA;gruu",
"_links": {
"self": {
"href": "/ucwa/oauth/v1/applications/113782897528/me"
},
"note": {
"href": "/ucwa/oauth/v1/applications/113782897528/me/note"
},
"presence": {
"href": "/ucwa/oauth/v1/applications/113782897528/me/presence"
},
"location": {
"href": "/ucwa/oauth/v1/applications/113782897528/me/location"
},
"reportMyActivity": {
"href": "/ucwa/oauth/v1/applications/113782897528/me/reportMyActivity"
},
"photo": {
"href": "/ucwa/oauth/v1/applications/113782897528/photos/xxxx"
}
},
"rel": "me"
}
I found out that the result depends on the application id. If I open the Office365 web portal (_https://outlook.office.com/owa) and search for an valid application id with the F12 tool, then I get the expected result. Even with the OAuth token that I got from the interactive web sdk example. So this can not be an security or permission issue??
I grant access to all permissions in the azure management portal.
Also very strange is that I get different status codes with the same oauth token for this two very similar request
_https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications/113782897528/me/presence
-> 200 OK
_https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications/112861033140/me/presence
-> 403 Forbidden
{
"code": "Forbidden",
"message": "The requested operation isn't allowed."
}
So why is there a difference between both applications and what is required to get the same results? Is anything missing in the azure configuration?
Thanks for help
UCWA and to a larger extent Skype for Business Online are in a preview phase which may help explain why you are seeing a different result set between the two applications. When logging into the O365 portal as your user you are most likely getting supplemental information from Exchange or the portal is able to receive more information from UCWA using internal APIs (and permissions) not publicly exposed.
If I remember correctly and your request example above is a follows:
/ucwa/oauth/v1/applications/113782897528/me/presence - O365 Portal
/ucwa/oauth/v1/applications/112861033140/me/presence - Non-Portal
What you are seeing is that Presence is not currently enabled (a better term might be the API is not publicly exposed) for UCWA when using Online clients.
Access to presence is available in preview mode through the "Read/write Skype user information (preview)" Delegated Permission. You might not have access to it, but here's a picture of what it looks like in Azure AD if you do:
I created a UCWA-based native app that connects to SfB Online and allows you to set your presence:
https://github.com/tamhinsf/ucwa-sfbo-console
Just follow the README to register your own app and plug in your settings into my code. I output the result of each API call onto the console so you can see what's going on.
I've also made fork of the Interactive Web SDK Samples you've been using that consolidates the Azure AD settings into a single file. You might want a local copy to more closely inspect and modify the calls:
https://github.com/tamhinsf/skype-web-sdk-samples
Sharing the token like that between applications seems like a security violation. The token is provided for a specific resource and the server likely validates that the token you are providing matches the scopes that the application was created with.
What scenario are you trying to perform by sharing the token?

authenticate to Google Computer Engine instance using CLI

I've set up a Google Compute Engine Instance and I want to be able to turn it on and off using a script on my home computer. I see that there's an API that lets me do that by sending a POST request like this:
curl --data '' https://www.googleapis.com/compute/v1/projects/my-project/zones/asia-east1-a/instances/my-instance/stop
but the response I get from that is this:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
}
}
So I'm trying to see how I can allow my script authorisation to use the API on the compute engine without having user interaction. How do I do this?
It looks like Google requires OAuth 2.0 authentication, but it seems really complex.
The closest thing I can find in Google's docs is this page but I can't work out how to make it a bunch of curl statements.
This SO thread gets closer, but glancing over the scripts there - it looks like they need user interaction.
I think you need Application Default Credentials. Have you seen this page?
https://developers.google.com/identity/protocols/application-default-credentials

GooglePlus userProfile API returns error when trying to access using access-token retrieved using Google Service Account

I was able to retrieve access-token using Google Service account but when I tried to use the same access-token to retrieve GooglePlus User Profile API I'm getting the error mentioned below:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "notFound",
"message": "Not Found"
}
],
"code": 404,
"message": "Not Found"
}
}
I used scope value as https://www.googleapis.com/auth/plus.me while retrieving access-token using Google service account and I was able to fetch access-token, but then if I try to use the same access-token to request User profile API- I.e
https://www.googleapis.com/plus/v1/people/me?prettyprint=true I get the error above.
Can anyone help me on this?
This is most likely because the account that has done the authentication does not have a Google+ account/profile. For testing, you may wish to replace the "me" with the profile ID in question to verify this. In production, of course, you should catch this error and indicate that they don't have a Google+ profile.
If you need to check for a Google login, even if they don't have a Google+ profile, you can use the https://www.googleapis.com/auth/userinfo.profile scope. See https://developers.google.com/accounts/docs/OAuth2Login for more details.

Authentication error in google shopping search API

I want to use Google Shopping Search API for products search. I have followed all the steps stated in document. First I created a google account, then went to GOOGLE APIs console to create a project and got an API key. I want to use this service as publishers in the Google Affiliate Network who can use the API to access product offers from their advertisers of choice.
Then I signed up at google affliate network to get pid. Then I send request to some advertisers to join their program from my affiliate admin panel. Now I have one advertiser approved. Now on this document, it states that to request feed to access products from google affiliate network advertisers of publisher I have to use the following url
https://www.googleapis.com/shopping/search/v1/source/products
Where source in the url is replaced by gan:mypublisherid after putting this my url looks like
https://www.googleapis.com/shopping/search/v1/gan:myid/products?key=mykey&country=US
But When I access this url i found following json error
{
"error": {
"errors": [
{
"domain": "global",
"reason": "conditionNotMet",
"message": "authentication is required for GAN",
"locationType": "header",
"location": "If-Match"
}
],
"code": 412,
"message": "authentication is required for GAN"
}
}
Now my question is how to get authenticated? Is my url is correct or there is some thing other way to do this?
Best Regards.
Read this article. The last part i.e. authentication.
You have to get an access token before using the API. You can either use OAuth or Client Login token. To get a token using Client login you can use cURL. Remember to put servicetype as shoppingapi as the document says.