I developed asp.net application to retrieve calendar events from google using google calendar api with oAuth2 authentication.
I am able to read the events from Calendar with any issue.
But i am facing insufficient Permissions issue while moving events from primary calendar to another calendar.
Need to add scope for both read only and manage as mentioned below for asp.net static string[] Scopes = { CalendarService.Scope.Calendar,CalendarService.Scope.CalendarReadonly };
Related
I need to access some data from a private Google Sheets document that only my google account has access to – it is not shared with anyone else.
From here: https://developers.google.com/sheets/guides/authorizing
When your application requests private data, the request must be
authorized by an authenticated user who has access to that data.
Again, that user would be me – the application developer. The users of my application will not have these sheets shared with them.
From what I’m reading in the Google API docs, I’m not sure this is possible – but it seems to me like it should be. I am using nodeJs.
Can anyone help me out?
You'll want to use Google's OAuth flow (here) in order to get access to private sheets. If only you need to be able to access the sheet then you can keep the OAuth as only tied to yourself and make requests to the endpoint in your app.
Example Implementation
View in Fusebit
// Create a sheet object for the client + auth
const sheets = google.sheets({
version: 'v4',
auth
})
// Pull the data from our spreadsheet
const data = (await sheets.spreadsheets.values.get({
// See: https://docs.google.com/spreadsheets/d/1BxiMVs0XRA5nFMdKvBdBZjgmUUqptlbs74OgvE2upms/edit
spreadsheetId: '1BxiMVs0XRA5nFMdKvBdBZjgmUUqptlbs74OgvE2upms', // ID of the spreadsheet
range: 'Class Data!A2:E', // This gets all of the data in the sheet that we care about
})).data;
// Your rows/columns go into "data.values"
const rows = data.values;
});
Service account with domain-wide delegation:
The only way to avoid user interaction when accessing user private data is to use a service account with domain-wide delegation to impersonate your regular account.
That requires being a domain admin, though, so I'm not sure this option is available to you.
Sharing the spreadsheet with a service account:
Another option would be to share the spreadsheet with the service account, so you can access it using that account. Service accounts are not linked to a specific user, and so follow a different OAuth flow which doesn't require user interaction. See reference below.
Otherwise:
If you are not a domain admin and you don't want to share the spreadsheet with a service account, you are left with the web server workflow, which requires user interaction: you just cannot bypass this interaction.
I'd suggest you to read the references linked below.
Reference:
Using OAuth 2.0 for Web Server Applications
Using OAuth 2.0 for Server to Server Applications
I'm testing Azure Graph API.
and I'm trying to find an API that allows me to retrieve only users that are assigned to a specific app I created.
In app registration page, I gave a user.read.all permission, but the get user API gives me all users that are in the AD and not only that are assigned to the app I created. Should I change the permissions? or to access an another API?
Does anybody know what to do?
Thanks
Additionally, This object id should be based on service principal and not the application registration here.
You can retrieve the object Id from Azure AD->Enterprise Applications->Your app->object ID.
You need to have at least Application.Read.All and Directory.AccessAsUser.All for delegated permissions or Application.Read.All for application permission based on user or application context.
For specific details, you can add $select parameter to show only the displayName of the users assigned to the app.
https://graph.microsoft.com/v1.0/servicePrincipals/{object Id}/appRoleAssignedTo?$select=principalDisplayName
As a workaround you can use the below graph API to get the list of users.
https://graph.microsoft.com/v1.0/servicePrincipals/{ObjectID}/appRoleAssignedTo
Note: The above graph API gives the Object Types User and Service
Principle as well
As discussed in the MS Q &A Platform This endpoint currently does not support filters based on appRoleId. In fact, except that the id parameter can be filtered, the three parameters appRoleId, principalId, and resourceId do not support filtering. Similar issues have been raised before.
I'm building an ASP .Net Core web App. I use Azure ADB2C for user authentication and I would like to have an admin user, which could delete other users. I can delete users from Azure Active Directory via Azure portal, but I would like to do it directly from the app. I have created an admin account in my Active Directory tenant, and gave it global administrator permissions.
I tried to use Graph API, but I can't get it to work. I created an IAuthenticationProved according to instructions on this website:
https://learn.microsoft.com/en-us/graph/sdks/choose-authentication-providers?tabs=CS.
Then I created GraphServiceClient and tried to delete user (https://learn.microsoft.com/en-us/graph/api/user-delete?view=graph-rest-1.0&tabs=csharp), but I got error:
System.AggregateException: 'Returning 0 accountsts and 0 broker accountsdata provider for login.microsoftonline.com. Success? True.)'
AuthenticationException: Code: authenticationChallengeRequired
Message: Authentication challange is required.
My code looks like this:
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
.Create("<My Client ID>")
.WithRedirectUri("<My Redirect Uri>")
.WithClientSecret("<My Client secret>")
.Build();
List<string> scopes = new List<string>();
scopes.Add("https://graph.microsoft.com/User.ReadWrite.All");
scopes.Add("https://graph.microsoft.com/Directory.ReadWrite.All");
AuthorizationCodeProvider authProvider = new AuthorizationCodeProvider(confidentialClientApplication,scopes);
GraphServiceClient graphClient = new GraphServiceClient(authProvider);
graphClient.Users[<UserId>]
.Request()
.DeleteAsync()
.Wait();
Could you tell me what I'm doing wrong? Or maybe there is some other way to do it? Thank you in advance!
Your approach to use Graph API is the way to go. But the problem you are facing there is because your selected auth provider (AuthorizationCodeProvider) is not matching with the scope needed here to delete user. Looking at your code, you want 'Authorization Code' flow which means it would need a delegated scope. As mentioned in permission requirement for delete user, the 'Delegated' scope needed to delete user is Directory.AccessAsUser.All which I don't see in the code snippet you shared.
Additionally, suggest you a quick read to Choose a Microsoft Graph authentication provider based on scenario.
NOTE: To add the required delegated permission, the application registration must be either of the first two types types shown below. The third option won't give you that.
For the above you will be able to add Directory.AccessAsUser.All delegated permission.
I am developing an app for iPhone and it basically needs to connect to a Google Calendar API and download some events in the Calendar. (I am the owner of the Calendar)
All the authentication examples that I have seen from 'GTM OAuth 2' require a window for the user to enter his/her user & pass to authenticate the access to his/her Google Calendar. However, my target is a specific Calendar, which I know its username and password. I wonder if there is a way to hardcode the username and password in my Objective-C code and not asking it from the user?
I used to directly write the username and password using the previous GData Calendar API, but it seems that it does not work anymore and I get error 403 for authentication.
I appreciate it if you let me know of your suggestions.
You can save the OAuth 2 refresh token (or more simply the GTMOAuth2Authorization object's persistenceResponseString) and use that in the client app to authorize the requests. You might want a way to provide updated strings for that to the app.
I am trying to gain access to my BigQuery enabled Google API project using the .net Google APIs.
Using a console application, I am trying to authenicate first by supplying my simple API key in the URI, then just trying to get the list of projects.
The error I am receiving when I call Fetch() on the project list is: Login Required [401]
var bigqueryService = new BigqueryService{ Key = "MY-API_KEY" };
var projectList = bigqueryService.Projects.List().Fetch();
I am purposefully not using OAuth2 as we don't need any user data.
The API key simply identifies your app to the API console for quota purposes and other housekeeping. It's not authoritative for accessing BigQuery, as we do consider the BigQuery data as "user data."
If you're just trying to get an OAuth 2 access token for playing around quickly, you can use the OAuth 2 playground:
https://code.google.com/oauthplayground/
This token will be valid for one hour and can be copied/pasted as the access_token query parameter
Here's the scope for BigQuery to use in the playground:
https://www.googleapis.com/auth/bigquery
In the end, you'll either want to use the native client (out of band) flow:
https://developers.google.com/accounts/docs/OAuth2InstalledApp
Or the server-to-server (service accounts) flow:
https://developers.google.com/accounts/docs/OAuth2ServiceAccount
I don't have quick samples handy for those in .NET, but post another question on SO if you can't find them-- I'm sure someone will chip in!
You won't be able to use a simple API key - all authorization to the BigQuery API must happen via user interaction, or alternatively through a service account.