Related
Good day!
I just want to ask about microsoft graph Api permission, there's too many options here but my goal is to have the full access ONLY to specific account and read the mail box such as Subject, Email Body, attachment and Sender Email, the system will read the mails from the back end from the specific account only. (like a basic auth)
I'm trying to make system to my org. I don't have the full control in azure portal, so I create API Permission request.
What option need to include in my api permission request?
enter image description here
I saw the "Mail.Read" Option
but I think the scope of this option is to access ALL other mail account without signing in. correct me if I'm wrong, but then what I really need is for single account only.
Thank you in advance
Access to Graph API is normally done one of two ways:
On behalf of user
As a application (no user)
The permissions required for the access type are different and are documented for each API endpiont under the Permissions sections. The on behalf of user access requires "delegated" type permissions and application access require application permissions.
If you use "on behalf of user access" (i.e. you have a user fronting the authentication or you know the username/password) and the correct permissions for the api endponts you are using then you only have access to the data that that user has access too (even if you have permissions like ".all").
If you use "application access" then normally you need higher permissions and you can normally read all user/org data. In some specific cases you can constrain application access. Email account access happens to be one. Follow the Limit Mailbox access instructions to limit a specific application id to a specific set of mailboxes.
There is a separate Mail.Read permission for both Application and Delegated permissions. Application permissions allows the app to read mail in all mailboxes without a signed-in user where as Delegated permissions allows the app to read email in user mailboxes , check the doc for more info - https://learn.microsoft.com/en-us/graph/permissions-reference
In your case you want to check your mail only , then you need to use Delegated permissions , which doesn't required admin conesent
Hope this helps
Thanks
-- goal is to have the full access ONLY to specific account and read the mail box
Can I understand your requirement as, you may want to have a user who is admin role and only this user can query mail information for all other users?
If so, you must have a sign in popup window to let users sign in, then your application can validate the user to check if the signed in user is in admin role to determine whether allowing this user to query mails.
But you also mentioned "to run in background the signing in process, no pop up window", so I'm afraid that you want to allow anyone using your application to query mail on behalf on this specific user. In this scenario, I'm afraid you can using client credential flow directly with the application permission.
I'm creating an script, based on Google Analytics step-by-step guide from this page:
https://developers.google.com/analytics/resources/tutorials/hello-analytics-api
Authorization is done without problems, until it tries to access data. The return code is 403, and error message is:
User does not have any Google Analytics account
This message has no sense: my account has google analytics data, tracking multiple websites, and I can access it from web browser without problem. I've allowed Analytics API through Google APIs console, and API access is giving me right data.
I had this problem too. I fixed it by adding the email address for my service account to the Google Analytics profile I wanted it to access.
I got the email address (something like xxxxxx#developer.gserviceaccount.com) for the service account by looking under the "API Access" tab in the Google APIs console.
Then, I followed Google's instructions for adding an email address to an Analytics profile. Now everything's working as expected.
Good luck!
Just add you given email (format of 71667655853644-o653rrdkq5hthsgo0otbpojoo#developer.gserviceaccount.com)
to User Managers:
Wish it helps you
I was facing the same issue. It got resolved by adding the email id of the service account user(your account#yourwebsite-dev.iam.gserviceaccount.com), to the users in your Analytics account under-
Analytics-Home Page ->Admin(left pane) -> User Management -> add (click on plus sign on right side of the menu) -> Add new User -> Add the email id in enter email addresses.
Now, this will solve the issue.
It is mentioned in a comment above but if you add the email address under the User Management for your account, it won't work. You have to click on the User Management under the view part of the screen.
This message we get when no permission granted to client_email, in the google alalytics, client_email is you got from the JSON file. to grant permission to client_email you're using in your App, Head over to Google Analytics site and click "Admin (setting icon)"
you'll get menu list right, there click on "View User Management"
There you'll see "+" icon, and "add user",
once you click on that, you need to add client_email in the "email address field" and save it, you should be good to go!
Go to https://console.cloud.google.com/apis/credentials
Copy email address in "Service Account".
Open Google Analytics, add email above as a new user.
You will also get this error if you have never logged in with the google account youre trying to authenticate with.
I was getting the 403 error until I changed the permissions of the email account from inside Google Analytics from 'Read & Analyze' to something else, saved it, and then changed the permissions back to 'Read & Analyze' and it worked.
Just in case if that doesn't work, Try to open your JSON file which you have downloaded and Search for client_email and copy that email address and add it to the View File
Click On
Analytics-Home Page ->Admin(left pane) -> User Management -> add (click on plus sign on right side of the menu) -> Add new User -> Add the client_email address which you copied.
If that still doesn't work
Analytics-Homepage-> Admin ->Views->User Management(Click on add(+) symbol, add this ccopied client_email address and give permissions and save it.
I was hitting the 403 error. These steps got me around it. To be clear, I was trying to get Google's sample "HelloAnalytics.php" working with OAuth (sans user interaction, suitable for cron job etc).
After enabling the Analytics API, I created a new "Service Account" under APIs & Auth/Credentials; and saved the .p12 key pair. I then went into the Analytics user management console, and added that Service User's email address.
.p12 authorization using the PHP API works if I check off only "Read & Analyze" only in the permissions list. If I add "Manage Users" and/or "Edit", I get the 403. Hope this is helpful, I was grinding on this for a couple of hours...
I had this problem too, and I found that the problem was that I had asked for too many permissions. The Developer Console says to ask for both http://www.googleapis.com/auth/analytics and http://www.googleapis.com/auth/analytics.readonly permissions. This did not work when I was also using the sub claim. A sub claim instructs Google to issue an access token that operates on behalf of another user — in my case the Google account that owns the service account. I removed the analytics permission and stuck with analytics.readonly with the sub claim:
{
"iss":"123123123123123-xxxxxxxxxxxxxxxxxxxxxxxx#developer.gserviceaccount.com",
"sub":"me.example#gmail.com"
"scope":"http://www.googleapis.com/auth/analytics",
...
}
The Bearer token issued allows me to make (at least some) Google Analytics queries to profiles that are owned by completely different Google accounts, but that have been shared (read-only) with my gmail user (me.example#gmail.com).
I managed to fix this by making sure that the
client = Google::APIClient.new(:application_name => 'X',:application_version => '1')
application name variable 'X above was the ACCOUNT name on the GA dashboard, not the PROPERTY name, which in my case was the actual url of the site I want to access.
Confusing, but thankfully fixed (with no thanks to Google!)
The problem happens since we dont provide a "sub" argument. Unless we provide this, the call happens on behalf of that long service account email.
So just provide a sub argument, with an email which you already have given access in the report and things should work well!
I got the same error, since I didn't sign in the google analytics. So I had resolved it by signing in the analytics account.
Instead of using a service account, you can sidestep the need for adding a adding new user permissions (as per the top answers in this thread) by using OAuth client ID credentials.
Go to the API credentials dashboard and click "Create credentials" -> "OAuth client ID". Afterwards you should get a client ID and a client secret that you'll need to authenticate the API.
Now you can use OAuth2WebServerFlow to authenticate on a per-use basis. Here is a python3 example:
from apiclient.discovery import build
from oauth2client.client import OAuth2WebServerFlow
# TODO: Fill these in...
CLIENT_ID = ''
CLIENT_SECRET = ''
VIEW_ID = ''
flow = OAuth2WebServerFlow(
CLIENT_ID, CLIENT_SECRET,
'https://www.googleapis.com/auth/analytics.readonly',
redirect_uri='urn:ietf:wg:oauth:2.0:oob'
)
authorize_url = flow.step1_get_authorize_url()
print('Receive code from:\n%s\n' % authorize_url)
code = input('Enter code here:').strip()
credentials = flow.step2_exchange(code)
api = build('analyticsreporting', 'v4', credentials=credentials)
body={
'reportRequests': [{
'viewId': VIEW_ID,
'dateRanges': [{'startDate': '7daysAgo', 'endDate': 'today'}],
'metrics': [{'expression': 'ga:sessions'}],
'dimensions': [{'name': 'ga:country'}]
}]
}
data = api.reports().batchGet(body=body).execute()
I'm creating an script, based on Google Analytics step-by-step guide from this page:
https://developers.google.com/analytics/resources/tutorials/hello-analytics-api
Authorization is done without problems, until it tries to access data. The return code is 403, and error message is:
User does not have any Google Analytics account
This message has no sense: my account has google analytics data, tracking multiple websites, and I can access it from web browser without problem. I've allowed Analytics API through Google APIs console, and API access is giving me right data.
I had this problem too. I fixed it by adding the email address for my service account to the Google Analytics profile I wanted it to access.
I got the email address (something like xxxxxx#developer.gserviceaccount.com) for the service account by looking under the "API Access" tab in the Google APIs console.
Then, I followed Google's instructions for adding an email address to an Analytics profile. Now everything's working as expected.
Good luck!
Just add you given email (format of 71667655853644-o653rrdkq5hthsgo0otbpojoo#developer.gserviceaccount.com)
to User Managers:
Wish it helps you
I was facing the same issue. It got resolved by adding the email id of the service account user(your account#yourwebsite-dev.iam.gserviceaccount.com), to the users in your Analytics account under-
Analytics-Home Page ->Admin(left pane) -> User Management -> add (click on plus sign on right side of the menu) -> Add new User -> Add the email id in enter email addresses.
Now, this will solve the issue.
It is mentioned in a comment above but if you add the email address under the User Management for your account, it won't work. You have to click on the User Management under the view part of the screen.
This message we get when no permission granted to client_email, in the google alalytics, client_email is you got from the JSON file. to grant permission to client_email you're using in your App, Head over to Google Analytics site and click "Admin (setting icon)"
you'll get menu list right, there click on "View User Management"
There you'll see "+" icon, and "add user",
once you click on that, you need to add client_email in the "email address field" and save it, you should be good to go!
Go to https://console.cloud.google.com/apis/credentials
Copy email address in "Service Account".
Open Google Analytics, add email above as a new user.
You will also get this error if you have never logged in with the google account youre trying to authenticate with.
I was getting the 403 error until I changed the permissions of the email account from inside Google Analytics from 'Read & Analyze' to something else, saved it, and then changed the permissions back to 'Read & Analyze' and it worked.
Just in case if that doesn't work, Try to open your JSON file which you have downloaded and Search for client_email and copy that email address and add it to the View File
Click On
Analytics-Home Page ->Admin(left pane) -> User Management -> add (click on plus sign on right side of the menu) -> Add new User -> Add the client_email address which you copied.
If that still doesn't work
Analytics-Homepage-> Admin ->Views->User Management(Click on add(+) symbol, add this ccopied client_email address and give permissions and save it.
I was hitting the 403 error. These steps got me around it. To be clear, I was trying to get Google's sample "HelloAnalytics.php" working with OAuth (sans user interaction, suitable for cron job etc).
After enabling the Analytics API, I created a new "Service Account" under APIs & Auth/Credentials; and saved the .p12 key pair. I then went into the Analytics user management console, and added that Service User's email address.
.p12 authorization using the PHP API works if I check off only "Read & Analyze" only in the permissions list. If I add "Manage Users" and/or "Edit", I get the 403. Hope this is helpful, I was grinding on this for a couple of hours...
I had this problem too, and I found that the problem was that I had asked for too many permissions. The Developer Console says to ask for both http://www.googleapis.com/auth/analytics and http://www.googleapis.com/auth/analytics.readonly permissions. This did not work when I was also using the sub claim. A sub claim instructs Google to issue an access token that operates on behalf of another user — in my case the Google account that owns the service account. I removed the analytics permission and stuck with analytics.readonly with the sub claim:
{
"iss":"123123123123123-xxxxxxxxxxxxxxxxxxxxxxxx#developer.gserviceaccount.com",
"sub":"me.example#gmail.com"
"scope":"http://www.googleapis.com/auth/analytics",
...
}
The Bearer token issued allows me to make (at least some) Google Analytics queries to profiles that are owned by completely different Google accounts, but that have been shared (read-only) with my gmail user (me.example#gmail.com).
I managed to fix this by making sure that the
client = Google::APIClient.new(:application_name => 'X',:application_version => '1')
application name variable 'X above was the ACCOUNT name on the GA dashboard, not the PROPERTY name, which in my case was the actual url of the site I want to access.
Confusing, but thankfully fixed (with no thanks to Google!)
The problem happens since we dont provide a "sub" argument. Unless we provide this, the call happens on behalf of that long service account email.
So just provide a sub argument, with an email which you already have given access in the report and things should work well!
I got the same error, since I didn't sign in the google analytics. So I had resolved it by signing in the analytics account.
Instead of using a service account, you can sidestep the need for adding a adding new user permissions (as per the top answers in this thread) by using OAuth client ID credentials.
Go to the API credentials dashboard and click "Create credentials" -> "OAuth client ID". Afterwards you should get a client ID and a client secret that you'll need to authenticate the API.
Now you can use OAuth2WebServerFlow to authenticate on a per-use basis. Here is a python3 example:
from apiclient.discovery import build
from oauth2client.client import OAuth2WebServerFlow
# TODO: Fill these in...
CLIENT_ID = ''
CLIENT_SECRET = ''
VIEW_ID = ''
flow = OAuth2WebServerFlow(
CLIENT_ID, CLIENT_SECRET,
'https://www.googleapis.com/auth/analytics.readonly',
redirect_uri='urn:ietf:wg:oauth:2.0:oob'
)
authorize_url = flow.step1_get_authorize_url()
print('Receive code from:\n%s\n' % authorize_url)
code = input('Enter code here:').strip()
credentials = flow.step2_exchange(code)
api = build('analyticsreporting', 'v4', credentials=credentials)
body={
'reportRequests': [{
'viewId': VIEW_ID,
'dateRanges': [{'startDate': '7daysAgo', 'endDate': 'today'}],
'metrics': [{'expression': 'ga:sessions'}],
'dimensions': [{'name': 'ga:country'}]
}]
}
data = api.reports().batchGet(body=body).execute()
I'm building a Facebook app for a client who have a Facebook company page and I'm stumped as to how to develop the app so that they can actually have access to it without binding it with my own personal FB Login (to which I obviously have no desire to grant them access).
They have added me as an admin to their FB page but when I'm logged into that and go to developer.facebook.com I'm told that to proceed I have to switch back to my own personal account.
I'm sure I'm missing something fundamental here, but am totally confused as to what the process is to build an app for a third party, so that they don't have to give me their personal FB login and I don't have to give them my own.
TIA.
You should create and manage Facebook apps using your real, personal accounts.
You can add multiple, real users to be administrators of an app, and you can add them under several different "roles". You should never give another person the username and password to login to your personal Facebook account.
You should not setup a new Facebook user in order to manage apps. When Facebook's automated systems detect a non-real user account, and that account is suspended, all apps that account is connected with will also be affected.
If you want an easy way to control many users having access to many apps, you can create a secret Facebook group - add all the users who you want to admin the app to the group, then in the Facebook app dashboard, you can add that group to one of the app's role groups. This method has the advantage that, if someone joins or leaves the company, you just have to add/remove them from this group, and they'll then be able to edit (or not) all the apps to which that group has been added.
In short - always use your real accounts - there are ways to make it work for people like you building apps for clients.
You will want to use the Roles settings of the FB app to add Admins (and optionally Developers, Testers, and Insight Users). Each app can have multiple admins. When you create the app you'll be an admin, of course. Then, go to the Roles tab in your app's settings and add others as admins (note, you must be FB friends with them). The people you have added must then visit the Developers site, accept the admin request (under Apps), and will then have admin privileges.
Another way is create a FB group whose members are admins of the app. This is done the same way, but instead of typing a person's name, click "Create a group for administrators" in the "Add Administrators" dialog. Then, add people to the group.
In fact, any of your existing FB groups can be added as an admin, developer, tester, or insight user of the app.
Yet another option is to have the client create the FB app initially (ie. just the minimum config), and then add you as an admin.
More on Roles:
https://developers.facebook.com/docs/ApplicationSecurity/
In Facebook API:
"When a user allows you to access their basic information in an auth dialog, you have access to their user id, name, ...
To get access to any additional information about the user or their friends you need to ask for specific permissions from the user."
So basically Facebook allows for use of the API with restricted permissions by default, and then it specifically asks for all sorts of permissions you might use.
In Twitter when the user is redirected to the twitter popup on "account/verify_credentials" the popup shows:
"This application will be able to:
Read Tweets from your timeline.
See who you follow, and follow new people.
Update your profile.
Post Tweets for you."
It is basically giving me permissions that I don't need right off the bat and it might drive the user away from giving me such permissions (I wouldn't blame them)
Is there a way to get restricted permission (such as user info, and that's about it) thus show less items the user is allowing me to do in the popup ?
Sign into https://dev.twitter.com/apps, select the application, and switch access to read only on the settings tab. This will remove the Update your profile and Post Tweets for you permissions. The first two permissions are always present with Twitter OAuth.