I have been using Postman to send http requests to Google's Directory API. The GET request works fine (which shows that the admin token as well works fine) to get info for a user.
But, what I need to do is delete the user, and when I try this, I get the following back:
{
"error": {
"code": 412,
"message": "Precondition is not met.",
"errors": [
{
"message": "Precondition is not met.",
"domain": "global",
"reason": "conditionNotMet",
"location": "If-Match",
"locationType": "header"
}
]
}
}
I was presupposing that I was missing the etag, which is what I added from the user, but it did not work. I also tried adding "*" to the If-Match tag, and that did not work either. Maybe there is a way with a put or patch request?
The API reference is this: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/delete
The API does not work on Google's reference page either. I have also tried this in multiple domains where I am the super-admin so the error is not related to a specific super-user or domain.
I have also made sure, in multiple tests, that the user I am trying to delete is not an admin of any type.
I am adding images below to show that the GET api works fine. So I just need to know how to format the API request to be able to delete the user.
Ok, after talking directly to Google and even seeing that Jay Lee (author of GAM) ran into the same problem, we found out that you can't delete a user if:
It has a license of some sort
It's an admin
It has a Google Vault retention rule applied
To be able to delete a user from now on, you must remove all these things (licenses, admin privileges, Vault retention rules) or you must transfer the information of that user to another user (along with whatever else Google asks you to remove beforehand).
The "Precondition is not met" is vague and Google should change this, but it means that one of the three things above have not been removed yet.
Below I am adding multiple links to confirm what I mentioned above as well as the APIs you need to use on users before being able to delete them.
https://groups.google.com/g/google-apps-manager/c/83kR-4MoPk0?pli=1
https://github.com/GAM-team/GAM/releases?gam-releases
https://developers.google.com/admin-sdk/data-transfer/reference/rest/v1/transfers#DataTransfer
https://developers.google.com/vault/guides/holds#python
https://developers.google.com/vault/reference/rest/v1/matters.holds.accounts/list
Related
This only happened in the past few days that I am having this issue but only for getting an Item. I can get contacts and get branding themes. Therefore, tenand id is working and accesstoken.
This is the endpoint when i'm getting item:
https://api.xero.com/api.xro/2.0/Items/SHO B 100 S
Response:
{
"Type": null,
"Title": "Forbidden",
"Status": 403,
"Detail": "AuthenticationUnsuccessful",
"Instance": "94aa22f4-6ba1-43f6-8f76-699befb1b1f3",
"Extensions": {}
}
And this is the scope:
offline_access accounting.transactions openid profile email accounting.contacts accounting.settings
I am not sure what had changed but everything is working except getting an item. Please tell me how can I fix this and what causes the issue. Thank you so much in advance.
Couple of things you can confirm to debug this.
You have a valid, refreshed access_token (Can you make api calls to any other endpoints? is the JWT's "exp" > than current time?)
Did you add the scope after you generated the initial token? (To test, completely clobber the token set, and re-generate a new one going through the OAuth2 flow)
The query looks correct. The screenshots are when I query an item with a code that exists and doesn't. You should get a 404 if not found not a 401 so I def think its something in #1 or #1
I have this situation. Im trying to display user photos from an external site, all the configurations about remote sites are already set. I created a connected app in org A and from org B i'm retrieving the users from org A.
All of this works however i cannot show the photos from those users because for that to happen i have to be able to use the ConnectApi.UserProfiles.GetPhoto method which i'm doing right now but i keep getting the "insufficient privileges" error. I tried getting the AccessToken through postman like this
This redirects me to the login site so i can log into my org with my credentials. After that i get an AccessToken.
Next up, i want to be able to get the photos from users from the external site with the AccessToken, However i'm still getting the same error message "Insufficient Priviledges". Am i missing something? thanks in advance
According to: https://sforcenotes.blogspot.com/2015/10/solution-to-display-salesforce-user.html?showComment=1596211057195#c5848226245946017759
The solution is fairly easy but this does not work
I'm bit lost. You have some app that wants to log in to Salesforce and pull images from it? Or do you want to call out from Salesforce and pull images from external app? For first one you likely need "connected app". But you need "remote site settings" or "named credentials" only for calling out.
I'm assuming it's option 1.
There are lots of ways to log in to SF, SOAP API (just username + password), REST API (lots of OAuth2 options, with username+pass or username + JWT or just OAuth2 client id and user logs in to SF interactively, you don't see the password)... Sounds like you're past this stage?
A successful login response will look bit like that (depends on method used):
{"id":"https://login.salesforce.com/id/00Dx0000000BV7z/005x00000012Q9P",
"issued_at":"1278448832702",
"instance_url":"https://yourInstance.salesforce.com/",
"signature":"0CmxinZir53Yex7nE0TD+zMpvIWYGb/bdJh6XfOH6EQ=",
"access_token":"00Dx0000000BV7z!AR8AQAxo9UfVkh8AlV0Gomt9Czx9LjHnSSpwBMmbRcgKFmxOtvxjTrKW19ye6PE3Ds1eQz3z8jr3W7_VbWmEu4Q8TVGSTHxs",
"token_type":"Bearer"}
You're supposed to take from it the access_token (that's your session id. It'll always start with org's id, compare with Setup -> Company information) and instance_url (that's where you're supposed to send any subsequent requests. No more calling the login gateways: login.salesforce.com, test.salesforce.com or mydomain.my.salesforce.com). If you're getting "Insufficient Privileges" I think you didn't change the endpoint.
You can test you logged in OK by sending a GET to the id endpoint you received. It'll give you OpenId info about your user.
Here's my GET to fetch OpenId data with the "Authorization: Bearer " request
So another GET with same header and I have my ugly mug:
If you want somebody else's picture - query similar to /services/data/v48.0/query?q=SELECT SmallPhotoUrl, FullPhotoUrl FROM User WHERE Id = '005...' should work. Check User fields.
{
"totalSize" : 1,
"done" : true,
"records" : [ {
"attributes" : {
"type" : "User",
"url" : "/services/data/v48.0/sobjects/User/(redacted)"
},
"SmallPhotoUrl" : "https://(redacted)/profilephoto/7293L0000008Tfq/T",
"FullPhotoUrl" : "https://(redacted)/profilephoto/7293L0000008Tfq/F"
} ]
}
The key thing is to use the new endpoint and pass the session id in the header. You might even find it easier to use Chatter API to pull photos (also REST-based)
I am using the Foursquare API to add/edit venues. I have created a FS user, and created my app. I have done the oAuth token exchange and have my user token.
From here I can make the required API calls to add a venue, get this venue, and then edit this venue. This works brilliantly, like a charm.
I was then made a manager of a different venue. In the FS web front-end, I am able to view this venue, and manage it - i.e. change it's name and so on.
When I then try and change this second venue via the API I get the following response:
{
"meta": {
"code": 403,
"errorType": "not_authorized",
"errorDetail": "User not authorized to edit venue"
},
"response": {}
}
The only difference between the API call that works, and the one that doesn't, is the FS Venue ID (which I know is correct). I'm obviously missing something, but I have no idea what - any thoughts?
The reason seems to be that when you add someone as an owner of the venue via the website, this action only allows this person to manage the Venue via the website. Think of it as the FS website is simply a FS App, like yours or mine.
It might be considered a bit odd if my app could authorise your app to act as manager for one of my users, I suppose.
I'm using Python/Twisted to do asynchronous HTTP calls to the Google+ API. Our client app passes over the user's access_token and we do an API call to...
https://www.googleapis.com/plus/v1/people/me/?%s&key=%s&
... where %s and %s are being filled with a valid access_token and (supposedly) valid Simple API Key, respectively.
Everything was working beautifully yesterday. Today I continued to work on the unit tests for this when the API suddenly started returning:
{
"error": {
"errors": [
{
"domain": "usageLimits",
"reason": "keyInvalid",
"message": "Bad Request"
}
],
"code": 400,
"message": "Bad Request"
}
}
usageLimits, keyInvalid... Okay, I get it. I've seemingly hit the usage limits and they have invalidated API keys coming from this account. Except, I haven't...
The "Courtesy Limit" is supposed to be "10,000 requests/day", yet I've only made a couple hundred calls (according to Google's own usage graphs), and I am still seeing "0% used" on the quotas tab.
I would have brought this to Google directly, but they seem to have dropped their Developers Google Group in favor of a Google+ discussion that doesn't actually receive any responses.
Any help or guidance is extremely appreciated. Thanks!
The answer was quite simple! You can't send both the access_token and the key in the same API call. If you use the access_token you're authenticating the API call as the user, if you use your projects Simple API Key you're authenticating as yourself. If you use both, the call fails.
Just so we are clear, you are using your key from your Google API Console page? On there you should see a tab for "API Access" near the top left hand corner of the page. Make sure that the API Key you are using is your Key for browser apps (with referers) Key, otherwise it won't work.
At any rate, an API Call for me looks like this:
https://www.googleapis.com/plus/v1/people/114789529333378876576?key=ENTER_YOUR_KEY_HERE
You should be able to make at least one API Call per day without a valid Key.
This took me quite a long time to figure out, so hope to save some time to someone else :)
Take a look at thi spost, by google staff (in 2012..) https://groups.google.com/forum/#!topic/google-ajax-search-api/HuKhXfsoMQc
Sorry for the delayed response. This error (which we're working on improving the descriptiveness of) also occurs when you have a
restriction on your key (e.g. locked to a specific referer or IP
address). Please confirm that if you've set such a restriction in the
APIs Console, that the referer or IP address that you're making the
requests from. Pay special attention to any wildcards used on the
referer - for instance, if you use *.abc.com, it won't work if your
request comes from "yoururl".
also would have been great if google team fixed this issue! :)
In my case - I just had to wait few minutes because it was short time after updating my API KEY. Whenever you create a new key or update it on YT developer console. YT has up to 15 mins to make all the changes on their side
In my case I had a parameter named Key, so it thought that was an actual key, just renamed the parameter.
There is currently no easy way to check if an auto-submit URL has been flattred by the authenticated user.
The current way is to
get the thing, which is 1 request
then get the list of all flattred things of the authenticated user, which is another request and a potentially really big response
then iterate over the list and match the thing, which is a performance bottle neck
All this makes it unusable for a mobile client like an iOS device. There needs to be a new call. My proposal is:
GET https://api.flattr.com/rest/v2/flattred?url=auto-submit-url
Response:
{
"message": "found",
"description": "The url has been flattred.",
"location": "https://api.flattr.com/rest/v2/things/:id"
}
We had mistakenly not documented the "flattred" parameter on a thing - it should tell you whether the thing is flattred by the authenticated users.
So do a /lookup on the auto-submit URL and check the "flattred" parameter on the thing it gives you.
We've added it to the documentation now: http://developers.flattr.net/api/resources/things/#get-a-thing