Here is the google oauth2 discovery url.
https://accounts.google.com/.well-known/openid-configuration
And in the response, it looks like this
{
"issuer": "https://accounts.google.com",
"authorization_endpoint":"https://accounts.google.com/o/oauth2/v2/auth",
"token_endpoint": "https://oauth2.googleapis.com/token",
"userinfo_endpoint": "https://www.googleapis.com/oauth2/v3/userinfo",
"revocation_endpoint": "https://oauth2.googleapis.com/revoke",
"jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
...
The token_endpoint in the google document here https://developers.google.com/identity/protocols/OAuth2WebServer#exchange-authorization-code said it should be https://www.googleapis.com/oauth2/v4/token.
Maybe recently the token_endpoint is updated, but when I use https://oauth2.googleapis.com/token this one to exchange token with code., I will get an error response.
{ "error": { "code": 400, "message": "Request contains an invalid argument.", "status": "INVALID_ARGUMENT" } }
And if I use https://www.googleapis.com/oauth2/v4/token to do the same thing, everything is fine.
Is there anything changed in google identify platform? Thanks!
The OAuth endpoint has been updated a number of times over the last five years. I normally follow the one i the discovery doc but your example shows that that is not always the best course of action all of the time.
I have never heard of google shutting down old endpoints i suggest you use the one that works. As a side note i will contact Google to see if i can get some feed back as to why one call worked and the other didnt.
Related
I have been using Postman to send http requests to Google's Directory API. The GET request works fine (which shows that the admin token as well works fine) to get info for a user.
But, what I need to do is delete the user, and when I try this, I get the following back:
{
"error": {
"code": 412,
"message": "Precondition is not met.",
"errors": [
{
"message": "Precondition is not met.",
"domain": "global",
"reason": "conditionNotMet",
"location": "If-Match",
"locationType": "header"
}
]
}
}
I was presupposing that I was missing the etag, which is what I added from the user, but it did not work. I also tried adding "*" to the If-Match tag, and that did not work either. Maybe there is a way with a put or patch request?
The API reference is this: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/delete
The API does not work on Google's reference page either. I have also tried this in multiple domains where I am the super-admin so the error is not related to a specific super-user or domain.
I have also made sure, in multiple tests, that the user I am trying to delete is not an admin of any type.
I am adding images below to show that the GET api works fine. So I just need to know how to format the API request to be able to delete the user.
Ok, after talking directly to Google and even seeing that Jay Lee (author of GAM) ran into the same problem, we found out that you can't delete a user if:
It has a license of some sort
It's an admin
It has a Google Vault retention rule applied
To be able to delete a user from now on, you must remove all these things (licenses, admin privileges, Vault retention rules) or you must transfer the information of that user to another user (along with whatever else Google asks you to remove beforehand).
The "Precondition is not met" is vague and Google should change this, but it means that one of the three things above have not been removed yet.
Below I am adding multiple links to confirm what I mentioned above as well as the APIs you need to use on users before being able to delete them.
https://groups.google.com/g/google-apps-manager/c/83kR-4MoPk0?pli=1
https://github.com/GAM-team/GAM/releases?gam-releases
https://developers.google.com/admin-sdk/data-transfer/reference/rest/v1/transfers#DataTransfer
https://developers.google.com/vault/guides/holds#python
https://developers.google.com/vault/reference/rest/v1/matters.holds.accounts/list
This only happened in the past few days that I am having this issue but only for getting an Item. I can get contacts and get branding themes. Therefore, tenand id is working and accesstoken.
This is the endpoint when i'm getting item:
https://api.xero.com/api.xro/2.0/Items/SHO B 100 S
Response:
{
"Type": null,
"Title": "Forbidden",
"Status": 403,
"Detail": "AuthenticationUnsuccessful",
"Instance": "94aa22f4-6ba1-43f6-8f76-699befb1b1f3",
"Extensions": {}
}
And this is the scope:
offline_access accounting.transactions openid profile email accounting.contacts accounting.settings
I am not sure what had changed but everything is working except getting an item. Please tell me how can I fix this and what causes the issue. Thank you so much in advance.
Couple of things you can confirm to debug this.
You have a valid, refreshed access_token (Can you make api calls to any other endpoints? is the JWT's "exp" > than current time?)
Did you add the scope after you generated the initial token? (To test, completely clobber the token set, and re-generate a new one going through the OAuth2 flow)
The query looks correct. The screenshots are when I query an item with a code that exists and doesn't. You should get a 404 if not found not a 401 so I def think its something in #1 or #1
I try get surveys results through the api, but I am still getting an errors.
I am able to get google calendar events, but when I try get list of surveys, or results (https://www.googleapis.com/surveys/v2/surveys/{survey_ID}/results), I am getting:
"domain": "global",
"reason": "INVALID_CREDENTIALS",
"message": "User must be authenticated to make this call. Request Id: 5a73195500ff0c64532dccb0ef0001737e3430322d747269616c320001707573682d30312d33312d72313100010163",
"locationType": "header",
"location": "Authorization"
}
It looks like I have bad access token, but with same token and method, I get for example calendar events.
It looked like I have no scope, but when I issue this request https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={valid_token} I get correct answer:
"issued_to": "822311642112-***********.apps.googleusercontent.com",
"audience": "822311642112-***********.apps.googleusercontent.com",
"scope": "https://www.google.com/calendar/feeds/ https://www.googleapis.com/auth/surveys",
"expires_in": 2983,
"access_type": "offline"
I have enabled Survey api in my account. I am running this code from visual foxpro desktop application over windows object Microsoft.XMLHTTP
Any idea what am I doing wrong?
EDIT:
This is not duplicate of this question because my authentication credentials work fain with calendar, but not working with surveys.
It looks like Maia Werbos has correct answer for me, now I am getting response that request is correct (status: 200), but response contains just requestId.
Maia thank you very much.
Your request shows that you have the following two OAuth scopes enabled:
https://www.google.com/calendar/feeds/
https://www.googleapis.com/auth/surveys
But you also need to have the email scope enabled to use the Surveys API (see the Surveys API Getting Started Guide for more info):
https://www.googleapis.com/auth/userinfo.email
I'm using Python/Twisted to do asynchronous HTTP calls to the Google+ API. Our client app passes over the user's access_token and we do an API call to...
https://www.googleapis.com/plus/v1/people/me/?%s&key=%s&
... where %s and %s are being filled with a valid access_token and (supposedly) valid Simple API Key, respectively.
Everything was working beautifully yesterday. Today I continued to work on the unit tests for this when the API suddenly started returning:
{
"error": {
"errors": [
{
"domain": "usageLimits",
"reason": "keyInvalid",
"message": "Bad Request"
}
],
"code": 400,
"message": "Bad Request"
}
}
usageLimits, keyInvalid... Okay, I get it. I've seemingly hit the usage limits and they have invalidated API keys coming from this account. Except, I haven't...
The "Courtesy Limit" is supposed to be "10,000 requests/day", yet I've only made a couple hundred calls (according to Google's own usage graphs), and I am still seeing "0% used" on the quotas tab.
I would have brought this to Google directly, but they seem to have dropped their Developers Google Group in favor of a Google+ discussion that doesn't actually receive any responses.
Any help or guidance is extremely appreciated. Thanks!
The answer was quite simple! You can't send both the access_token and the key in the same API call. If you use the access_token you're authenticating the API call as the user, if you use your projects Simple API Key you're authenticating as yourself. If you use both, the call fails.
Just so we are clear, you are using your key from your Google API Console page? On there you should see a tab for "API Access" near the top left hand corner of the page. Make sure that the API Key you are using is your Key for browser apps (with referers) Key, otherwise it won't work.
At any rate, an API Call for me looks like this:
https://www.googleapis.com/plus/v1/people/114789529333378876576?key=ENTER_YOUR_KEY_HERE
You should be able to make at least one API Call per day without a valid Key.
This took me quite a long time to figure out, so hope to save some time to someone else :)
Take a look at thi spost, by google staff (in 2012..) https://groups.google.com/forum/#!topic/google-ajax-search-api/HuKhXfsoMQc
Sorry for the delayed response. This error (which we're working on improving the descriptiveness of) also occurs when you have a
restriction on your key (e.g. locked to a specific referer or IP
address). Please confirm that if you've set such a restriction in the
APIs Console, that the referer or IP address that you're making the
requests from. Pay special attention to any wildcards used on the
referer - for instance, if you use *.abc.com, it won't work if your
request comes from "yoururl".
also would have been great if google team fixed this issue! :)
In my case - I just had to wait few minutes because it was short time after updating my API KEY. Whenever you create a new key or update it on YT developer console. YT has up to 15 mins to make all the changes on their side
In my case I had a parameter named Key, so it thought that was an actual key, just renamed the parameter.
Google recommended I ask questions about their API here.
I've been testing out v3 of the YouTube API. Sometime this week, it appears have made a yet-to-documented behavior change. Before, I could just put "key=$foo" in my URLs to authenticate them, which is all I need for my simple server-side use. The documentation included example URLs using this Authorization method, like this one:
https://www.googleapis.com/youtube/v3alpha/videos?id=7lCDEYXw3mM&key=API_KEY&part=id,snippet,contentDetails,statistics,status
(from here.)
Now when I try this method, instead of getting back a successful response, I get this:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
}
}
If the currently documented syntax isn't going to work anymore, what's the next-based simple authorization option to use?
Thanks!
The key=API_KEY URL parameter should still work for v3 in general, whenever you're making an unauthenticated request.
The engineering team is in the middle of pushing out some breaking changes to the backend services, though, and they broke this functionality in the meantime. I'd expect it to be fixed sometime soon—it's difficult to do anything using v3 at the moment.