As we know Super administrators also have full access to all users' calendars and calendar event details.
I found these API's
https://developers.google.com/google-apps/calendar/v3/reference/ which can be used to retrieve calendar's related to a user.
i read google docs api
for getting information about a current user we use default
https://docs.google.com/feeds/default/...
and for getting information about other user in the same domain
https://docs.google.com/feeds/user#yourdomain.com/...
we have to replace default with user's email address.
but in calendar's api for accessing list of current user's calendar's list
we use this url
https://www.googleapis.com/calendar/v3/users/me/calendarList
if current user is an administrator and i have to retrieve list of calendar of other user in the same domain then how to retrieve that list
i tried to call https://www.googleapis.com/calendar/v3/users/rashmi#riteshmehandiratta.com/calendarList
response is Not Found.riteshmehandiratta.com is my domain and rashmi is a user so email address is rashmi#riteshmehandiratta.com i authorize my app by super administrator and successfully get access token and putting header
Authorization with OAuth anonymous_access_token so there is no problem with authorization part of url.
can any one please help how to retrieve other user's calendar list in the same domain by super administrator via api call?plz.. plz.. help
Related
Good day!
I just want to ask about microsoft graph Api permission, there's too many options here but my goal is to have the full access ONLY to specific account and read the mail box such as Subject, Email Body, attachment and Sender Email, the system will read the mails from the back end from the specific account only. (like a basic auth)
I'm trying to make system to my org. I don't have the full control in azure portal, so I create API Permission request.
What option need to include in my api permission request?
enter image description here
I saw the "Mail.Read" Option
but I think the scope of this option is to access ALL other mail account without signing in. correct me if I'm wrong, but then what I really need is for single account only.
Thank you in advance
Access to Graph API is normally done one of two ways:
On behalf of user
As a application (no user)
The permissions required for the access type are different and are documented for each API endpiont under the Permissions sections. The on behalf of user access requires "delegated" type permissions and application access require application permissions.
If you use "on behalf of user access" (i.e. you have a user fronting the authentication or you know the username/password) and the correct permissions for the api endponts you are using then you only have access to the data that that user has access too (even if you have permissions like ".all").
If you use "application access" then normally you need higher permissions and you can normally read all user/org data. In some specific cases you can constrain application access. Email account access happens to be one. Follow the Limit Mailbox access instructions to limit a specific application id to a specific set of mailboxes.
There is a separate Mail.Read permission for both Application and Delegated permissions. Application permissions allows the app to read mail in all mailboxes without a signed-in user where as Delegated permissions allows the app to read email in user mailboxes , check the doc for more info - https://learn.microsoft.com/en-us/graph/permissions-reference
In your case you want to check your mail only , then you need to use Delegated permissions , which doesn't required admin conesent
Hope this helps
Thanks
-- goal is to have the full access ONLY to specific account and read the mail box
Can I understand your requirement as, you may want to have a user who is admin role and only this user can query mail information for all other users?
If so, you must have a sign in popup window to let users sign in, then your application can validate the user to check if the signed in user is in admin role to determine whether allowing this user to query mails.
But you also mentioned "to run in background the signing in process, no pop up window", so I'm afraid that you want to allow anyone using your application to query mail on behalf on this specific user. In this scenario, I'm afraid you can using client credential flow directly with the application permission.
I'm integrating some of our company's internal applications to use our GSuite instance for authenticating our employees when they log in, using GSuite's support for Open ID Connect.
However, our applications uniquely identify the users using our internal "employee ID" to log in, instead of our GSuite email address. I see that it is possible to store/manage an "employee ID" within gsuite, however I'm not sure how I can retrieve this information after the user has successfully authenticated.
Currently, I'm getting back a list of "claims" from the userinfo endpoint, but these claims only include the name and email address of the user. I also need the phone number and employee ID which we've configured on GSuite.
Is it a matter of requesting additional scopes to start off with? Or do I need to make a separate request to retrieve the additional user information?
I see that there is an Admin Directory API but it appears that would be for accessing the information of ALL users within the domain, whereas I'm only interested the extended details of the CURRENT user.
Ultimately, I created a service account with scope https://www.googleapis.com/auth/admin.directory.user.readonly to call GET https://www.googleapis.com/admin/directory/v1/users/<current_user>. I had to delegate domain-wide authority to the service account, as well set it up to impersonate an admin user.
It seems like overkill, since I only need extended details of the current user, for which I already have an OAuth2 access token.
I found this question quite helpful in resolving the issue.
If anyone can provide an answer that makes use of the OAuth2 access token, I'd still appreciate it
I'm making a website for a football club. they have one google calender (and just one google account). on the website I'd like to have a list of upcoming events. So I've to access to Google Calendar via Google API. For Authorisation I've to use OAuth2. Is it possible to login with OAuth2 automatically so that the website visitors don't have login always via redirect (to google login site)? For example I make a the login via Java, instead of a user login? Because it's no so comfortable if every user of the website have to login, for just viewing the club calendar.
Not sure it is possible,
Important note concerning your design: if you login automatically to the club's account, it means that everyone that uses this website is logged in to Google Calendar on behalf of the club's user name. hence, everyone can CHANGE the calendar, delete events, etc.
Are you sure you want this to happen?
(you can set the login params to "read-only", but even then, it means that the club shows ALL his calendar to everyone. there is no privacy...)
I suggest that every user logins with his own creds, and the club's calendar can invite all registered users to his events....
Of course, you can do it, and even without giving the access to the visitor if you're doing this on the server side.
You need to do a initial step by hand.
After this step you get a refresh token, with this token you can regenerate the access token which you need to access to the calendar API, for instance to get the upcoming events.
You need to regenerate the access token if the previous access token is expired. In this case you also get an new refresh token. You need to save it, into a database or JSON file.
To get a refresh token you need to pass this options on authorization:
access_type: "offline"
approval_prompt: "force"
Without these options you only get an access token, no refresh token.
Here is the documentation: https://developers.google.com/accounts/docs/OAuth2WebServer#formingtheurl
And here a kind of tutorial: http://www.tqis.com/eloquency/googlecalendar.htm
I am currently developing an app using the Google places API..
https://developers.google.com/places/documentation/
I want to use the Events methods, so that a Place/Business owner can add events..
https://developers.google.com/places/documentation/actions#event_intro
However I obviously need to restrict it, so that only the Business owner can create events for their Business. Is there anyway of authenticating a user via a Google api, to confirm that they are the Place owner? I looked at Google+ however there is no reference to any 'Places' setup by that user in the people request.
Looks like this is possible now. The workflow would be the following:
Your user triggers a places search and selects a specific place in the result
Your user selects an option in your app to claim they are the owner of your place
Your user is redirected into an OAuth flow to Google Places where they login with their Google credentials
Once authenticated, your app is provided with an OAuth token for the user
Your app submits that token along with a Place reference to a Places API owner verification service
The Places API returns a yes/no as to whether the user concerned is the verified owner of the Place
Source - https://code.google.com/p/gmaps-api-issues/issues/detail?id=3894 - comment #3
Enjoy!
When passing Api request to this URL
https://www.google.com/m8/feeds/contacts/default/full
A screen comes requesting this permissions. Is there any URL that just only asks user to "retrieve you contacts" instead of managing it.
SHOPBOX.IO is requesting permission to:
Manage your contacts
Perform these operations when I'm not using the application
The permissions the user is asked for at the authorization screen is dependent on the scope that you specify. Of course for accessing different endpoints you have to request certain scopes.
For accessing the Google's Contacts API this scope is required:
https://www.google.com/m8/feeds - read/write access to Contacts and Contact Groups
As this is your only option and there is no read-only scope available, the user gets warned that you could edit his contacts, even if you won't do that.