Google Surveys api - INVALID_CREDENTIALS - google-surveys

I am trying to get survey results through the API, but I am still getting errors.
I am able to get Google Calendar events, but when I try to get a list of surveys, or results (https://www.googleapis.com/surveys/v2/surveys/{survey_ID}/results), I am getting:
"domain": "global",
"reason": "INVALID_CREDENTIALS",
"message": "User must be authenticated to make this call. Request Id: 5a73195500ff0c64532dccb0ef0001737e3430322d747269616c320001707573682d30312d33312d72313100010163",
"locationType": "header",
"location": "Authorization"
}
It looks like I have a bad access token, but with the same token and method I can get, for example, calendar events.
It looked like I had no scope, but when I issue this request https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={valid_token} I get a correct answer:
"issued_to": "822311642112-***********.apps.googleusercontent.com",
"audience": "822311642112-***********.apps.googleusercontent.com",
"scope": "https://www.google.com/calendar/feeds/ https://www.googleapis.com/auth/surveys",
"expires_in": 2983,
"access_type": "offline"
I have enabled the Surveys API in my account. I am running this code from a Visual FoxPro desktop application over the Windows object Microsoft.XMLHTTP.
Any idea what I am doing wrong?
EDIT:
This is not a duplicate of this question because my authentication credentials work fine with calendar, but do not work with surveys.
It looks like Maia Werbos has the correct answer for me; now I am getting a response that the request is correct (status: 200), but the response contains just a requestId.
Maia, thank you very much.

Your request shows that you have the following two OAuth scopes enabled:
https://www.google.com/calendar/feeds/
https://www.googleapis.com/auth/surveys
But you also need to have the email scope enabled to use the Surveys API (see the Surveys API Getting Started Guide for more info):
https://www.googleapis.com/auth/userinfo.email
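
A preflight check on the tokeninfo response makes the missing scope visible before the Surveys call fails. This is an added example, not code from the original answer; the client ID is a constructed placeholder, and the audience comparison is an extra check assumed here, not something the answer asks for.

```javascript
// Added example, not code from the original answer. Field names follow the
// tokeninfo response quoted in the question above. Runs under Node.js.
const SURVEYS_REQUIRED_SCOPES = [
  "https://www.googleapis.com/auth/surveys",
  "https://www.googleapis.com/auth/userinfo.email",
];

// Returns which checks failed for a parsed tokeninfo response.
function checkTokenInfo(tokenInfo, expectedClientId, requiredScopes, minLifetimeSec = 60) {
  // "scope" is a space-delimited string, as in the response shown in the question.
  const granted = new Set(String(tokenInfo.scope || "").split(/\s+/).filter(Boolean));
  const missingScopes = requiredScopes.filter((s) => !granted.has(s));
  const problems = [];
  if (tokenInfo.error) problems.push("tokeninfo-error:" + tokenInfo.error);
  // Assumed extra check: the token must have been issued to this application.
  if (tokenInfo.audience !== expectedClientId) problems.push("audience-mismatch");
  if (!(Number(tokenInfo.expires_in) > minLifetimeSec)) problems.push("expiring-or-expired");
  if (missingScopes.length) problems.push("missing-scopes");
  return { ok: problems.length === 0, problems, missingScopes };
}

// Constructed samples: the client ID is a placeholder, the scopes are from the page.
const CLIENT_ID = "000000000000-placeholder.apps.googleusercontent.com";
const tokenInfoBefore = {
  issued_to: CLIENT_ID,
  audience: CLIENT_ID,
  scope: "https://www.google.com/calendar/feeds/ https://www.googleapis.com/auth/surveys",
  expires_in: 2983,
  access_type: "offline",
};
const tokenInfoAfter = {
  ...tokenInfoBefore,
  scope: tokenInfoBefore.scope + " https://www.googleapis.com/auth/userinfo.email",
};

console.log(checkTokenInfo(tokenInfoBefore, CLIENT_ID, SURVEYS_REQUIRED_SCOPES));
console.log(checkTokenInfo(tokenInfoAfter, CLIENT_ID, SURVEYS_REQUIRED_SCOPES));
```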

Related

Xero API Forbidden getting Item

This has only happened in the past few days: I am having this issue, but only when getting an Item. I can get contacts and get branding themes. Therefore, the tenant id and the access token are working.
This is the endpoint when I'm getting the item:
https://api.xero.com/api.xro/2.0/Items/SHO B 100 S
Response:
{
"Type": null,
"Title": "Forbidden",
"Status": 403,
"Detail": "AuthenticationUnsuccessful",
"Instance": "94aa22f4-6ba1-43f6-8f76-699befb1b1f3",
"Extensions": {}
}
And this is the scope:
offline_access accounting.transactions openid profile email accounting.contacts accounting.settings
I am not sure what has changed, but everything is working except getting an item. Please tell me how I can fix this and what causes the issue. Thank you so much in advance.

A couple of things you can confirm to debug this.
You have a valid, refreshed access_token (Can you make API calls to any other endpoints? Is the JWT's "exp" > than current time?)
Did you add the scope after you generated the initial token? (To test, completely clobber the token set, and re-generate a new one going through the OAuth2 flow)
The query looks correct. The screenshots are when I query an item with a code that exists and doesn't. You should get a 404 if not found, not a 401, so I def think it's something in #1 or #1

google oauth2 discovery return wrong token_endpoint

Here is the google oauth2 discovery url.
https://accounts.google.com/.well-known/openid-configuration
And in the response, it looks like this
{
"issuer": "https://accounts.google.com",
"authorization_endpoint":"https://accounts.google.com/o/oauth2/v2/auth",
"token_endpoint": "https://oauth2.googleapis.com/token",
"userinfo_endpoint": "https://www.googleapis.com/oauth2/v3/userinfo",
"revocation_endpoint": "https://oauth2.googleapis.com/revoke",
"jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
...
The token_endpoint in the google document here https://developers.google.com/identity/protocols/OAuth2WebServer#exchange-authorization-code said it should be https://www.googleapis.com/oauth2/v4/token.
Maybe the token_endpoint was updated recently, but when I use https://oauth2.googleapis.com/token to exchange the code for a token, I get an error response.
{ "error": { "code": 400, "message": "Request contains an invalid argument.", "status": "INVALID_ARGUMENT" } }
And if I use https://www.googleapis.com/oauth2/v4/token to do the same thing, everything is fine.
Has anything changed in the Google Identity Platform? Thanks!

The OAuth endpoint has been updated a number of times over the last five years. I normally follow the one in the discovery doc, but your example shows that that is not always the best course of action.
I have never heard of Google shutting down old endpoints; I suggest you use the one that works. As a side note, I will contact Google to see if I can get some feedback as to why one call worked and the other didn't.

Checkout and Transaction API Permissions error

I am currently trying to create a transaction or checkout from Postman. I set the header with a full access token, but the API always responds:
{
"errors": [
{
"category": "AUTHENTICATION_ERROR",
"code": "FORBIDDEN",
"detail": "You have insufficient permissions to perform that action."
}
]
}
Attached: the OAuth screen permissions image and the Postman request. https://www.getpostman.com/collections/4fe6fec54384fc10d152

Unfortunately, this is due to you not being in one of the countries currently available to Square's APIs: https://docs.connect.squareup.com/articles/faq-international-availability?q=country. You will not be able to make payments using the API when outside of the countries listed above.
Furthermore, you should never share your personal access token with anyone (which you show in your screenshot). Please change this immediately, by navigating to your Square dashboard and clicking "Replace" on your "Credentials" tab.

Access to Outlook RestAPI from an Outlook web Add-in

I developed an Outlook Web Add-in that is working fine. It's a Taskpane that is available in compose mode of appointments and that collects the event's data, adds a few more items, and sends it all to an API somewhere.
What I would like to do now is to subscribe the authenticated user to the Outlook Rest API in order to get notified when the event is deleted.
The subscription call should look like this one:
POST https://outlook.office.com/api/v2.0/me/subscriptions HTTP/1.1
Content-Type: application/json

{
"@odata.type": "#Microsoft.OutlookServices.PushSubscription",
"Resource": "https://outlook.office.com/api/v2.0/me/events",
"NotificationURL": "https://myNotifAPI.azurewebsites.net/api/send/myNotifyClient",
"ChangeType": "Deleted",
"ClientState": "blabla"
}
I know I need to provide a valid Authentication Bearer Token when posting to the subscriptions URL so I tried to call this method in my Add-In:
_mailbox = Office.context.mailbox;
_mailbox.getUserIdentityTokenAsync(getUserIdentityTokenCallback);
In the function getUserIdentityTokenAsync, I call a WebApi Controller that validates my token and sends it back to the Add-In:
AppIdentityToken token = (AppIdentityToken)AuthToken.Parse(rawToken);
token.Validate(new Uri(request.AudienceUrl));
return token;
I tried to use that token to Post to https://outlook.office.com/api/v2.0/me/subscriptions (using Postman) but I got a 401 saying:
reason="The audience claim value is invalid '<MyAddInURL>'.";error_category="invalid_resource"
Is it the right token to use in that particular case or do I need to get another one? Any advice would be appreciated!
-- EDIT --
As suggested by @benoit-patra, I tried to get a token using getCallbackTokenAsync instead of getUserIdentityTokenAsync, but when I called https://outlook.office.com/api/v2.0/me/subscriptions I received a 403:
"error": {
"code": "ErrorAccessDenied",
"message": "The api you are trying to access does not support item scoped OAuth."
}
As requested by @benoit-patra, here's the token content:
{
"nameid": "9d643d8c-b301-4fe1-83f7-bf41b1749379@57bcd3d9-685a-4c41-8c7d-xxxxxx",
"ver": "Exchange.Callback.V1",
"appctxsender": "https://localhost:44444/NewAppointment.html@57bcd3d9-685a-4c41-8c7d-xxxxxx",
"appctx": {
"oid": "3a8a4f92-a010-40bd-a093-xxxxxx",
"puid": "10033FFF9xxxxx",
"smtp": "max@xxxx.onmicrosoft.com",
"upn": "max@xxxx.onmicrosoft.com",
"scope": "ParentItemId:AAMkADE4NTk2MDNjLTI4NGEtNDZkNS1hMzg4LTE3MzI2NGJhZWRkZQBGAAAAAAD+YYA7CnMtRZsrwJ7l6m44BwCcSer9F+cXSrWNauuHQlZ7AAAAAAENAACcSer9F+cXSrWNaxxxxxxxx"
},
"iss": "00000002-0000-0ff1-ce00-000000000000@57bcd3d9-685a-4c41-8c7d-xxxxx",
"aud": "00000002-0000-0ff1-ce00-000000000000/outlook.office365.com@57bcd3d9-685a-4c41-8c7d-xxxx",
"exp": 1487087672,
"nbf": 1487087372
}

The previous answer is right; the error is because you are getting an item-scoped token. Previously, callback tokens only allowed a caller to call the GetItem and GetItemAttachment REST APIs. We are making changes to the callback token so that clients can call REST of the APIs as well. The requirement is, first, that you have the ReadWriteMailbox permission. Second, get a REST callback token by providing isRest=true, like below:
Office.context.mailbox.getCallbackTokenAsync({ isRest: true }, function (result) { /* result.value holds the token on success */ });
The resulting token will have Mail.ReadWrite, Calendar.ReadWrite, Contacts.ReadWrite, and Mail.Send Scopes.
That said the isRest parameter is only supported for outlook mobile client right now. The work to support it on OWA and Outlook is in progress and we expect to release it by March.

You should use getCallbackTokenAsync(); this is the JWT that will give you the access token that will help you authenticate to the Outlook REST API.
https://dev.office.com/docs/add-ins/outlook/use-rest-api
For your case, following the documentation, I think you will need ReadWriteMailbox to have sufficient permissions to register web hooks with Outlook REST API.
NOTE: I tried this on my add-in, I changed the add-in permission to ReadWriteMailbox but the JWT token when inspected with JWT.io still has for scope:ParentId=<itemid> which I think won't work. Tell me if you have the same problem here.
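
The two rejections in this thread (401 for a wrong audience, 403 for an item-scoped token) can be told apart by decoding the token's claims before calling the subscriptions endpoint. This is an added example, not code from the posts or from Office.js; the sample tokens are constructed and unsigned, and accepting `appctx` as either an object or a JSON string is an assumption.

```javascript
// Added example (not from the original posts). Runs under Node.js.
// Decodes the JWT payload WITHOUT verifying the signature: diagnosis only.
const EXCHANGE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"; // prefix of "aud" in the token above

function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

function diagnoseOutlookToken(jwt, nowSec) {
  const claims = decodeJwtPayload(jwt);
  const problems = [];
  if (typeof claims.exp === "number" && nowSec >= claims.exp) problems.push("expired");
  if (typeof claims.nbf === "number" && nowSec < claims.nbf) problems.push("not-yet-valid");
  // Assumption: appctx may be an object (as printed above) or a JSON string.
  let appctx = claims.appctx || {};
  if (typeof appctx === "string") {
    try { appctx = JSON.parse(appctx); } catch (e) { appctx = {}; }
  }
  const aud = String(claims.aud || "");
  const scope = String(appctx.scope || "");
  let kind = "unclassified";
  if (!aud.startsWith(EXCHANGE_APP_ID + "/")) {
    kind = "wrong-audience"; // e.g. identity token whose aud is the add-in URL (the 401)
  } else if (scope.startsWith("ParentItemId:")) {
    kind = "item-scoped-callback"; // rejected by /me/subscriptions (the 403)
  }
  return { kind, problems, aud, scope };
}

// Constructed, unsigned sample tokens with placeholder values.
function makeUnsignedJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ alg: "none", typ: "JWT" }) + "." + enc(claims) + ".";
}
const identityToken = makeUnsignedJwt({
  aud: "https://localhost:44444/NewAppointment.html", exp: 1487087672, nbf: 1487087372,
});
const callbackToken = makeUnsignedJwt({
  ver: "Exchange.Callback.V1",
  aud: EXCHANGE_APP_ID + "/outlook.office365.com@tenant-placeholder",
  appctx: JSON.stringify({ scope: "ParentItemId:CONSTRUCTED-ITEM-ID" }),
  exp: 1487087672, nbf: 1487087372,
});
console.log(diagnoseOutlookToken(callbackToken, 1487087400));
```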

Can I still authorize requests with the YouTube v3 API without using OAuth?

Google recommended I ask questions about their API here.
I've been testing out v3 of the YouTube API. Sometime this week, it appears they have made a yet-to-be-documented behavior change. Before, I could just put "key=$foo" in my URLs to authenticate them, which is all I need for my simple server-side use. The documentation included example URLs using this authorization method, like this one:
https://www.googleapis.com/youtube/v3alpha/videos?id=7lCDEYXw3mM&key=API_KEY&part=id,snippet,contentDetails,statistics,status
(from here.)
Now when I try this method, instead of getting back a successful response, I get this:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
}
}
If the currently documented syntax isn't going to work anymore, what's the next-best simple authorization option to use?
Thanks!

The key=API_KEY URL parameter should still work for v3 in general, whenever you're making an unauthenticated request.
The engineering team is in the middle of pushing out some breaking changes to the backend services, though, and they broke this functionality in the meantime. I'd expect it to be fixed sometime soon—it's difficult to do anything using v3 at the moment.