It seems that some services aren't supporting 'oauth for devices' (pin-based oauth). This is a bit of a big deal for those of us who work at the command-line console.
However, some very important google scopes, like gdrive and google-plus, don't seem to. For example:
https://www.googleapis.com/auth/plus.login
doesn't work. It returns 'HTTP/1.1 400 Bad Request' and the JSON error 'invalid scope: not authorized to request the scopes'
I'd include more scopes, but stack overflow says I need +10 reputation to post links.
Is pin-based oauth disabled for services like blogger, gdrive and google-plus, or do I have the wrong scopes?
regards,
Colum
Indeed, the scopes you describe are not currently enabled for OAuth2 for devices (PIN-based OAuth).
As breno answered, only a part of the scopes are supported by OAuth2.0 for devices with limited input capabilities.
The followings is my result with YouTube Data API v3 scopes (as of July, 2014).
I share it so that other people can find this Q&A more easily and escape from the trap.
Works:
auth/youtube
Fails with "Bad Request(400)"
auth/youtube.readonly
auth/youtube.upload
auth/youtubepartner
auth/youtubepartner-channel-audit
This question and breno's answer saved me from searching in vain for the cause of the problem. Thanks.
Related
I found this tool from google recently https://developers.google.com/oauthplayground/
and well I am currently doing an authentication practice for an api with node and passpor.js, I would like to know which of these apis is the one that I should choose to obtain a token with the user, the email and the profile photo, in the tutorial I saw that use https://www.googleapis.com/auth/userinfo.profile, so I don't know if it is depreciated or has been replaced by a new one, or if it is something that can be used in production.
And well also if you could explain a little more about what this tool is, I would appreciate it a lot.
On OAuth Playground you can "input your own scope".
Copy and paste https://www.googleapis.com/auth/userinfo.profile and click Authorize APIs.
Then exchange for an access token.
After that you can call https://www.googleapis.com/oauth2/v2/userinfo and it should return the data you are looking for.
I want to develop a tool to access user's google info. it requires the full account access, I found a app can request for the permission. But I cannot find the scope in OAuth 2.0 Scopes for Google APIs.
How could I do this? what is the full account access scope?
I develop this tool for myself, not would be used by others.
As far as I know there is not any scope that can request full access like you want. And my guess is that even if it existed before it was removed due to obvious security reasons. I have also searched for some examples of this scope but I could not find any.
In other words, if I were you I would use multiple scopes for each specific task I need to implement. Hope it helps.
It can be some undocumented flow, maybe with https://www.google.com/accounts/OAuthLogin scope. Maybe it is an old screenshot and app from the screenshot was using now deprecated OAuth 1.0.
There was one issue, which seems to be similar: https://searchsecurity.techtarget.com/news/450300257/Pokemon-GO-reveals-full-account-access-flaw-for-Google-authentication
I'm implementing the Socrata API to be able to parse publicly-available data from the City of Chicago open data set. I am really just concerned about the data itself, so I did not initially think that I would need to implement OAuth2 through an app exposed via ngrok to be able to GET the data.
My initial attempt was to take the GET requests mentioned in their documentation and try to get responses through Postman.
Here's an example of such an attempt:
I also added my Socrata App Token as a param in the querystring, but the same message was shown.
So I tell myself, ok, maybe they deprecated GET requests without making the client go through OAuth2. If they didn't deprecate these GET requests, I would prefer not to have to deal with OAuth2, but I began implementing the authentication process and everything went successfully until I got to the following instructions found here:
I have every single value that needs to be included in that POST request except for 'authorization_type'. Where does this come from? I tried leaving 'authorization_type' in as a string, but received a response similar to the 'Invalid username or password' message in the top image in this question.
Are you only accessing public datasets from Chicago's data portal? From your screenshot it looks like you're trying to access the Building Permits dataset, which is public.
Authentication is only required for modifying datasets or accessing private data, so chances are very good you don't even need to authenticate. Just include an application token with your request for throttling purposes.
Glad to help you figure out your OAuth workflow, but it sounds like it might be unnecessary.
I assume workflow for OAuth is very similar in various sites. (twitter, linkedin)
I can successfully get requestToken, accessToken.
Is it okay, if I just store Accesstoken and use it later???
Yes, this is the generally accepted practice. I use this workflow on a few sites and based on the posts on the LinkedIn Developer's site, it looks like the method that most people are using.
The only trick is to cover yourself in the case that the user rejects your application's access rights; filter all responses from the LinkedIn API looking for an error indicating that the access token is no longer valid (you should be doing this filtering anyways for throttling issues).
The tool I'm developing would do a thing similar to when you join Facebook and they ask your GMail username and password and with it they can grab all your contacts.
But my tool doesn't use a browser, therefore it is difficult to get the proper headers. I assume that the Google application (Orkut) checks only my Cookies and Identity(ip, machine name, user-agent) as authentication method. In this case all I need is to get the proper cookies.
I tried to call https://www.google.com/accounts/ServiceLoginAuth?service=orkut with the parameters Passwd=realPasswordHere&Email=mymail#gmail.com . But the response was a similar HTML with Set-Cookie: GALX=A9iBuq7y5xU;Path=/accounts;Secure
None of these cookies are the real thing. Have you tried it yourself? Do you know how to do it? Have you ever seen an open source project that does it?
Consider using OAuth -- the URL I just gave details how to use OAuth to authorize the OpenSocial REST interface on Orkut, and this one has detailed specs on the RPC interface to OpenSocial, if that's what you prefer (the authorization part is basically the same, anyway).
If you are just looking for the contacts check out the provided API:
http://code.google.com/apis/contacts/
other google APIs
http://code.google.com/apis/gdata/
If you need source code to view how to do this you can check out the following project.
http://sourceforge.net/projects/gccontactman/
hope that helps, and good luck!
Perhaps you could check the source code of a Google tool that does this:
http://mail.google.com/mail/help/email_uploader.html