I am trying to make test request from
big-query docs
It works correctly when I use oauth2, but if I use api-key response is
"code": 401, "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.".
Any ideas?
I'm not entirely sure why Google have added that option to the API explorer in BigQuery. My best guess it that it allows you to inspect the network request to the API, and then add your own API key for testing.
That said however, API keys won't work with BigQuery anyway. You need to use a service account instead.
https://support.google.com/cloud/answer/6158857?hl=en
Use an API key when your application is running on a server and
accessing one of the following kinds of data:
Data that the data owner has identified as public, such as a public
calendar or blog. Data that is owned by a Google service such as
Google Maps or Google Translate. (Access limitations might apply.)
Related
I can't generate an access token because apparently the scopes I have provided aren't authorized.
I have created api credentials for the sandbox environment and have followed the steps in the documentation to encode them in the request for an access token (https://developer.ebay.com/api-docs/static/oauth-client-credentials-grant.html), and I have experimented with first providing all of my application's scopes in the request and then being more selective (https://developer.ebay.com/api-docs/static/oauth-scopes.html#specifying-scopes), but nothing seems to work.
I then found this post (https://forums.developer.ebay.com/questions/23495/application-token-exceeds-the-scope-granted-to-the.html) which suggested using the api explorer (https://developer.ebay.com/my/api_test_tool?index=0&env=sandbox&api=fulfillment&call=order-orderid__GET&variation=json) to generate an access token, but my request was denied with that token as well.
Does anyone know which scopes I have to provide in order to get this access token?
Scope depends on the APIs you want to use once you have the access_token.
I Usually list all scopes so to be able to use any APIs
Intro
So I have read official docs Authenticating for invocation which is about helping developer testing and I got that working, but this approach requires a SA and a generated token. It seems the docs mix up "authentication" (proving identity) and "authorization" (giving access) which is not making it easier to get the whole picture.
I want to authorize Google Cloud Function with the user's ID token generated from Identity Platform. The official Firebase docs says:
"When a user or device signs in using Firebase Authentication, Firebase creates a corresponding ID token that uniquely identifies them and grants them access to several resources, such as Realtime Database and Cloud Storage. You can re-use that ID token to authenticate the Realtime Database REST API and make requests on behalf of that user."
My setup
I got the following artifacts to test function authorization with user:
A local React app with npm 'firebase' and a login form calling firebase.auth().signInWithEmailAndPassword.
firebase is initialized with config fields apiKey and authDomain.
An Express API deployed to Cloud Functions with default permissions, but I've provided the cloudbuild file with --allow-unauthenticated as an attempt to only focus on authorization.
A local Postman request setup calling the Express API with authorization type=Bearer Token and token set to the ID token received in the React app's onAuthStateChanged from user.getIdToken()
The Postman request responds with 401 Unauthorized. Notice it says Unauthorized, not 403 Forbidden.
Research
When reading up on the topic, I came across the following approaches to solve my problem:
Fetch the user id from the token and push it to a custom backend service which does admin.auth().setCustomUserClaims and then do the function request. GC should then hopefully know about the token's new claims.
Also about claims; generate a new token (based on current ID token?) and set claims.aud to the URL of the function. The ID token I'm using has claims.aud=projectname which I'm not sure what means.
Verify token in function code by using firebase admin. But the authorization of access is still not performed, so this approach seems to miss something.
What is required?
I suppose authentication is ok, Google Cloud should recognize the bearer token (?) but I've also read that there's no built-in functionality for this. Anyway, the authorization part is less clear to me when it comes to function requests on user level.
To summarize:
How should we authorize an ID token from Identity Platform to Google Cloud Functions? Could any of the three above-mentioned approaches be used?
I am unable to create an OpenID Connect identity token to send as bearer token for a cloud run request. From the apps script I cannot make a token using (ScriptApp.getIdentityToken()) which has an audience the Google front end will allow through. When I arrange for the script to send a token instead that I've made with gcloud print-identity-token--identical except for the audience--that invocation succeeds.
Note I believe this may the same issue as seen here: Securely calling a Google Cloud Function via a Google Apps Script.
Also google cloud authentication with bearer token via nodejs.
One workaround suggests restructuring the GCP/Apps Script projects. Others mostly use service accounts, and use service account keys. I believe it's possible using IAM and use of google auth for one to produce a usable SA identity token (short term service account credentials) but I can't demonstrate it.
I am working around this currently, but I'd like to understand the essential problem. I think it has something to do with the cloud run service's hosting project's Oauth consent screen, and the inability to add the associated web application client-id as a scope.
In the Cloud Run docs, there is a section about performing authenticated calls to Cloud Run from other services outside GCP. The process would be the following:
Self-sign a service account JWT with the target_audience claim set to the URL of the receiving service.
Exchange the self-signed JWT for a Google-signed ID token, which should have the aud claim set to the above URL.
Include the ID token in an Authorization: Bearer ID_TOKEN header in the request to the service.
Step 1 could be performed as described here while setting the aud claim to the URL of the receiving service. I believe ScriptApp.getIdentityToken() does not set the proper audience to the JWT
For step 2, I believe you should perform a POST request to https://oauth2.googleapis.com/token with the appropriate parameters grant_type and assertion. This is explained in the "Making the access token request" section here
The resulting token should be used in step 3
I just wrote an article on that topic and I provide an easy way based on the service account credential API. Let's have a look on it and we can discuss further if required.
I need a help. I have a project in google api, but i don't know how to open access in google spreadsheet for a project. So which gmail i need to open access?
Thanks!
You may refer with this documentation.
Every request your application sends to the Google Sheets API needs to identify your application to Google. There are two ways to identify your application: using an OAuth 2.0 token (which also authorizes the request) and/or using the application's API key. Here's how to determine which of those options to use:
If the request requires authorization (such as a request for an individual's private data), then the application must provide an [OAuth 2.0 token with the request. The application may also provide the API key, but it doesn't have to.
If the request doesn't require authorization (such as a request for public data), then the application must provide either the API key or an OAuth 2.0 token, or both—whatever option is most convenient for you.
Here are some examples and quickstart.
I requested RefreshToken from my customer to develop a web page for them by using google adwords Api. They responded my request like that ->
There is no need for Refresh Token to use Google Adwords Api.
Could you please answer me if it is possible or not? If it is possible how we can use Google Adwords Api without RefreshToken?
You only need an access token to access the adwords api that will expire after an hour. You could probably use a service account authentication. If they do give you a refreshToken remember you will also need the client id and secret used to create it in order to get the access token.
It is a also against Google terms of use to share the client credentials. You will need to create your own project and have them authenticate it when they need to access their data. You will then have a refreshToken.