Google API Python Client - 401 Invalid Credentials - Google Drive - google-oauth

I use a Google service account to access users of an organization using directory API and then use drive API to perform certain file operations on users.
It works fine for few users and for others, the drive API call is returning the following error when trying to list the user's files (For that matter any drive API call on that user is returning the same error).
https://www.googleapis.com/drive/v2/files?alt=json&maxResults=1000 returned "Invalid Credentials">
Quoting from this this documentation about 401 error,
"Invalid authorization header. The access token you're using is either expired or invalid. Suggested action: Refresh the access token using the long-lived refresh token."
I have a valid access token which is not expired. And the user for which this error message seen is not suspended either.
Are there any other reasons as to why Google sends this error?

Related

SonarQube api api/project_analyses/search fails with 403 "msg": "Insufficient privileges" yet API key user is admin

I am accessing the SonarQube API through API key as described in https://docs.sonarqube.org/latest/extension-guide/web-api/
A call to /api/components/search_projects works.
A call to /api/project_analyses/search?project=PJ fails with http error code 403
If I log into the web interface with that user, I can browse the statistics. In fact Chromes F12 debug shows that it's calling the same api function /api/project_analyses/search yet with session cookie, xrfs-token etc. and the call succeeds.
What am I missing to be able to retrieve project statistics through the API?
The token used is created by the user which has sufficient permission for the project PJ
You need to check the permission and generate new token accordingly.

Using API token to access the CPanel UAPI returns access denied

I am trying to dynamically create email accounts for users via the CPanel API. According to the documentation here, an access token can be used to call the API endpoints. I have an access token generated already but I keep getting acccess denied. I already tried generating another access token just incase the first one was wrong but Its still the same error.
My curl command is in this format as specified in the docs:
curl -H'Authorization: cpanel username:U7HMR63FHY282DQZ4H5BIH16JLYSO01M' 'https://example.com:2083/execute/Email/add_pop?email=newuser&password=12345luggage'
What could I be doing wrong please ?

Facebook graph api get the user's infomation

I want to make a website which users can see their posted pictures on the page.
I have signed up for facebook API and have an app id and app secret.
https://graph.facebook.com/oauth/access_token?client_id={#}&client_secret={#}&grant_type=client_credentials
I send users to the oauth to get the user's access token but I don't know what to do next.
https://graph.facebook.com/v3.0/me?fields=id,name,posts&access_token={#}
I thought this would work but I had the error below
"An active access token must be used to query information about the current user.",
The URL you are using to get the Access Token is actually an App Token API.
To generate the Access Token Please replace
https://graph.facebook.com/oauth/access_token?client_id={#}&client_secret={#}&grant_type=client_credentials
with
https://www.facebook.com/v3.0/dialog/oauth?response_type=token&client_id={#id}&redirect_uri={#}&scope=publish_pages
add a redirection url here where the token is published.
OR
better option is to use the login button mentioned here.
https://developers.facebook.com/docs/facebook-login/web/login-button
Also you can read here about all Access Tokens
https://developers.facebook.com/docs/facebook-login/access-tokens/

Gmail label request fails with http 403 (forbidden)

I have an application that uses OAuth 2 to access Gmail. This is working fine for most users. For some users, however, my application fails at the point of trying to read the Gmail labels, with http error 403 (forbidden). Keep in mind that previous to this API call, I have accessed the user profile successfully. Here is the call that fails:
GET /gmail/v1/users/user.name#domain.com/labels?access_token=ya29.fwI_zL1rF3xOIQcHNzpBhmjVlJhRpofkh4a9mVvwhYRo6H09qX5RNKv76zKT7e6-sEZr
I am requesting the following scopes when getting the access token, and the user has logged in to Google and accepted the request for access (and I can see this when we look at his security dashboard):
https://www.googleapis.com/auth/calendar
https://www.googleapis.com/auth/userinfo.profile
https://www.google.com/m8/feeds
https://www.googleapis.com/auth/tasks
https://www.googleapis.com/auth/gmail.labels
https://mail.google.com/
Note that I just added the gmail.labels scope in at attempt to fix this.
Again, this code is working fine for most users - why do some users fail the label request?
Use the shorthand value me instead of user.name#domain.com and the user who the access token belongs to will be used automatically.

GoogleCredential OAuth access token invalid_grant error

I'm trying to acquire a 2 legged oauth2 access token for google's storage api through a service account.
The relevant documentation is contained here:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount
I first tried attempted to acquire the token through their HTTP/REST api. I eventually gave up being unable to get past a 400 response with the following details:
{ "error" : "invalid_grant" }
I then turned to the recommended method: using the java Google api client library (I'm using scala).
val credentialBuilder = new GoogleCredential.Builder()
.setTransport(GoogleNetHttpTransport.newTrustedTransport())
.setJsonFactory(JacksonFactory.getDefaultInstance())
.setServiceAccountId(Configuration.GoogleAPI.ServiceAccount.email)
.setServiceAccountPrivateKeyFromP12File(new File(Configuration.GoogleAPI.ServiceAccount.pkcs12))
.setServiceAccountScopes(Collections.singleton(StorageScopes.DEVSTORAGE_FULL_CONTROL))
def updateToken = {
val credential = credentialBuilder.build()
credential.refreshToken()
// ... do stuff here with token
}
Running the above, I get a TokenResponseException, with a payload identical to the error I was getting directly accessing the REST api. 400 Bad Request, invalid_grant error.
Doing some research (on both stackoverflow and elsewhere), I find that the most common reasons for this error message are:
1) The local clock is not synced with Google's servers. I suspected this even back when I was using the REST api because I've encountered this issue for other services before. I'm fairly sure its not a clock issue however, because I have repeatedly synced my clocks with an external ntp server:
sudo ntpdate -s ntp.ubuntu.com
2) The other common cause for this error is setting the service account client ID incorrectly. Most people set it to their service account client id (ending with "apps.googleusercontent.com") instead of their service account client email. Its pretty clear that this isn't the problem, since I'm correctly pointing to the email (the docs instructed this, so I followed the directions), ending with "#developer.gserviceaccount.com".
I'm stuck. I've checked the user documentation, the javadocs, various forums. The error message isn't very helpful (probably designed that way, since it's a security endpoint).
What other possible causes for this error exist? What can I do to get my service account access token?
If you are using OAuth2.0 to access a google analytics account then there could be one more reason of getting invalid_grant. As per developer docs:
If the application attempts to use an invalidated refresh token, an
invalid_grant error response is returned. The limit for each unique
pair of OAuth 2.0 client and Google Analytics account is 25 refresh
tokens (note that this limit is subject to change). If the application
continues to request refresh tokens for the same Client/Account pair,
once the 26th token is issued, the 1st refresh token that was
previously issued will become invalid. The 27th requested refresh
token would invalidate the 2nd previously issued token and so on.