I want to use Google Drive API to manage files programaticaly.
To do that, I use ID clients OAuth 2.0 Web Application. In OAuth consent screen (Edit App), I check .../auth/drive and .../auth/drive.readonly scopes.
I'm log in, I have token.json file. I can list and download files
Now, when I want to delete file, I do this in python : service.files().delete(fileId=item['id']).execute(). But I have this issue :
An error occurred: <HttpError 403 when requesting https://www.googleapis.com/drive/v3/files/<fileID>? returned "The user has not granted the app <appID> write access to the file <fileID>.". Details: "[{'message': 'The user has not granted the app <appID> write access to the file <fileID>.', 'domain': 'global', 'reason': 'appNotAuthorizedToFile', 'location': 'Authorization', 'locationType': 'header'}]">
What I do wrong ?
Thanks in advance !
The scopes declared in Google cloud console are mainly for use with verification of your application. Its your code that defines what scopes your application is requesting of the user.
I am going to assume that you are following the Quick start for python or quick start for node.js both use token.json for credential storage. The answer is the same either way.
This sample shows you how to use the files.list method which allows for a readonly scope.
While the file.delete does not allow for a readonly scope it requires write access.
Fix
In the code you can see that the scope is readonly
SCOPES = ['https://www.googleapis.com/auth/drive.metadata.readonly']
This means that when the user authorized your app they authorized it with a readonly scope giving you access to read the files only. This the users credentials are now stored in token.json
To fix your issue change the scope to
SCOPES = ['https://www.googleapis.com/auth/drive.metadata.readonly']
Then delete the token.json file and your app should now be resting full drive access giving you the ability to make changes like delete the files.
Related
I have a JavaScript file that needs to use the GitHub API to get the contents of a file stored in a repository.
I am using GitHub.js to access the API, and it shows the following method for authentication:
// basic auth
var gh = new GitHub({
username: 'FOO',
password: 'NotFoo'
/* also acceptable:
token: 'MY_OAUTH_TOKEN'
*/
});
This code will be viewable inside the repository, as well as in the developer settings in the browser. GitHub does not allow you to commit a file that contains an OAuth token, and publicly displaying the username and password for my account is obviously a non-option as well.
Is there any other way to do authentication? I tried using the client-id and client-secret but it doesn't seem to take those as valid credentials.
Try an Installation Access Token. I can't remember the specifics but I used that link to set myself up.
GOAL: Create users in Azure Active Directory using our Global Admin account from an API.
PROBLEM: Every single way I try, I get "unauthorized".
WHAT I'VE TRIED:
I've been focusing mostly on this: https://graph.microsoft.com/v1.0/invitations
I've tried as outlined here
the "Authorization Bearer {token}" is problematic -- I can't seem to properly retrieve tokens, using any of the built URLs recommended (ie, combining ClientID & TenantID in the URL.)
I've tried the relevant portions of this, including creating the app, setting permissions on the app, trying both Web API and Native. I'm able to get a code back, but using it always comes back with Unauthorized.
As an aside, I am using Nintex to run this web service, as it is part of my workflow. Typically, web services don't give me issues. So, this sucks.
I'm missing something, here. Any thoughts or direction?
UPDATE: Removed the word "method" - bad choice of phrasing.
If you want to use Microsoft Graph explorer to create user as the global admin, you could use POST https://graph.microsoft.com/v1.0/users, and the required permission is:
Permissions
For the details, you could read Create user.
Global admin runs as a user by default. To grant access to Active Directory, you need to elevate permissions in the portal.
I'm not convinced you have the permissions to create the user, and that's why I think you're getting the error.
Also, try and avoid using Global Admin. Create a Service Principal and provide more granular permissions.
I have an application that used SkyDrive API. After SkyDrive was replaced I upgraded my code to use OneDrive API.
Looking my application in the dev page (https://account.live.com/consent/Manage) I could notice that the scopes I used with SkyDrive ("wl.offline_access", "wl.signin", "wl.basic", "wl.skydrive", "wl.skydrive_update") and the scopes I used with OneDrive ("onedrive.readwrite", "onedrive.appfolder", "wl.offline_access") were there.
Everything was working until last month, even with all these scopes. But now I'm not being able to upload files. I'm receiving a Bad Request error (Code 400).
I discovered that adding the ""onedrive.readonly" scope fix the upload but I don't know why. I also know that an application with only the OneDrive scopes ("onedrive.readwrite", "onedrive.appfolder", "wl.offline_access") also works.
Does anybody knows what's going on?
Check if the oAuth token has Files.ReadWrite capability using
http://jwt.calebb.net/.
If not present, when you are logging in the user, give the scope while obtaining code as
files.readwrite.all offline_access
I would like to use server-side flow to get read access to user's spaces.
Here is my login URL
https://podio.com/oauth/authorize?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=space:read
But Podio asking me full permission.
I tried different options
https://developers.podio.com/authentication/scopes
The scope argument is currently in Beta only and therefore not available for everybody. We still have some work to do on the granular authentication project before we are able to release it to public.
My question seems similar to OneDrive for Business REST API - PUT,POST - 401 Unauthorized
However, instead of uploading, I am trying to download a file. What's strange is that I do get the file contents and data, but the response code is a 401.
Any idea why? Of course, I would like to be receiving a 200 and not have to ignore the response code.
As far as my Azure AD app permissions go, I am allowing pretty much all read permissions under delegated permissions for Office 365. I have listed all the permissions I selected here, for your reference.
Delegated Permissions I am allowing for Office 365:
Read managed metadata
Run search queries as a user
Read items in all site collections
Read user files
Delegated Permissions I am allowing for Windows Azure Active Directory:
Enable sign-on and read users' profiles
I have not enabled anything under Application Permissions.
There is a bug in our implementation - if you provide an Authorization: header with a bearer token on the download URL (which is pre-authenticate) the service rejects the authentication (hence the 401) but since the URL is pre-authenticated, the contents of the file are still sent.
We're working on a fix. You can track the status by watching this issue on our GitHub repo: https://github.com/OneDrive/onedrive-api-docs/issues/189