I want to get a list of courses from an audience by HTTP request, I have set the required areas in the project in Google Cloud, but I still get an error when I try to get the courses.
P.S - Please do not offer me documentation and libraries, do not try to convince me, I just need an HTTP request.
{
  "error": {
    "code": 403,
    "message": "Request had insufficient authentication scopes.",
    "status": "PERMISSION_DENIED",
    "details": [{
      "@type": "type.googleapis.com/google.rpc.ErrorInfo",
      "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
      "domain": "googleapis.com",
      "metadata": {
        "method": "google.classroom.v1.Courses.ListCourses",
        "service": "classroom.googleapis.com"
      }
    }]
  }
}
I tried adding ?scope=https://www.googleapis.com/auth/classroom.courses.readonly to the end of the link
Here is the request template
curl \
'https://classroom.googleapis.com/v1/courses?key=[YOUR_API_KEY]' \
--header 'Authorization: Bearer [YOUR_ACCESS_TOKEN]' \
--header 'Accept: application/json' \
--compressed
I'm going to assume that you are using the courses list method.
The call should look something like this in raw HTTP Request
GET https://classroom.googleapis.com/v1/courses HTTP/1.1
Authorization: Bearer [YOUR_ACCESS_TOKEN]
Accept: application/json
The access token ([YOUR_ACCESS_TOKEN]) you are sending must be authorized with the proper scope. If you check the documentation page for the method you are using you will see that you should have authorized the user with one of these scopes
So in your case the error Request had insufficient authentication scopes. means that when you requested authorization you did not request one of the scopes above. Therefore your access token has insufficient authorization scopes to make the request.
The solution is to reauthorize your user with one of the scopes required by the method in question.
You can read more about how to request authorization and what scopes are in the Using OAuth 2.0 to Access Google APIs documentation page.
Hint: Your very first in the oauth2 flow contains the scope.
https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/classroom.courses&response_type=code&redirect_uri=http%3A//127.0.0.1%3A9004&client_id=client_id
This video may help you understand scopes Understanding Google OAuth 2.0 with curl since you appear to be using curl and not just raw HTTP calls.
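An added example, not part of the original answer: it reads the 403 body shown in the question, compares it with the space-delimited `scope` string the token endpoint returned when the token was issued, and builds the consent URL for re-authorization. The scope table assumes that either scope named on this page satisfies the course list call and lists the read-only one first; `diagnoseScopeError` and `consentUrl` are illustrative names.

```javascript
// Scopes named on this page for the course list call (assumption: either one is
// enough; the read-only scope is the narrower grant for a pure listing).
const ACCEPTED_SCOPES = {
  "google.classroom.v1.Courses.ListCourses": [
    "https://www.googleapis.com/auth/classroom.courses.readonly",
    "https://www.googleapis.com/auth/classroom.courses",
  ],
};

// errorBody: parsed 403 JSON from the API.
// grantedScope: the "scope" string from the token response (space-delimited).
function diagnoseScopeError(errorBody, grantedScope) {
  const details = (errorBody.error && errorBody.error.details) || [];
  const info = details.find((d) => d.reason === "ACCESS_TOKEN_SCOPE_INSUFFICIENT");
  if (!info) return { scopeProblem: false };
  const method = info.metadata.method;
  const accepted = ACCEPTED_SCOPES[method] || [];
  const granted = grantedScope.split(/\s+/).filter(Boolean);
  return {
    scopeProblem: true,
    method,
    granted,
    // true would mean the token sent is not the one these scopes belong to
    alreadyGranted: accepted.some((s) => granted.includes(s)),
    requestInstead: accepted[0] || null,
  };
}

// Scopes are fixed at consent time, so the fix is a new authorization request;
// a ?scope= parameter on the API URL itself changes nothing.
function consentUrl({ clientId, redirectUri, scope }) {
  const url = new URL("https://accounts.google.com/o/oauth2/v2/auth");
  url.searchParams.set("scope", scope);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("client_id", clientId);
  return url.toString();
}
```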
I have a couple of resources added to my Gsuite and I am managing events of these resources from APIs.
Authentication & Authorization
I have generated OAuth creds and an API key from the developer console. Provided necessary scopes.
Resource Calendar emails are shared with my Calendar from settings & sharing option in Google Calendar.
SCOPES = ['https://www.googleapis.com/auth/calendar', 'https://www.googleapis.com/auth/calendar.events']
APIs
GET APIs are working fine but when I am trying to use update/patch APIs then it is giving me the error.
I also tried using the API explorer, since there scopes/tokens are handled by Google itself so it should work fine, but no, I am getting the same 403 error in API explorer too.
Interesting thing is if I pass the wrong body in the PATCH call then it will give me a 400 error, but with the correct body it will give me 403.
Answers to old SO questions suggested checking scopes and sharing the Resource Calendar in your Google Calendar, but I verified all these things and they are fine. I can verify the granted scopes from the token generation responses and even from the Account Settings third-party app page.
curl --location --request PATCH 'https://www.googleapis.com/calendar/v3/calendars/my_resource.calendar.google.com/events/<event_id>' \
--header 'Authorization: Bearer <token>' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data-raw '{
"status": "cancelled"
}'
In above curl :
Token is of my gsuite user account > let's say user@custom_domain.com
calendarID is Gsuite Resource > my_resource.calendar.google.com
eventUId is > created from user@custom_domain.com and select my_resource.calendar.google.com as Room.
This resource email my_resource.calendar.google.com is added in user@custom_domain.com Calendar. So user can manage events created on resource
But I am getting 403 error. Is there anything I am missing here in configuration ?
UPDATE
Error Message
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "forbidden",
        "message": "Forbidden"
      }
    ],
    "code": 403,
    "message": "Forbidden"
  }
}
I am able to successfully get a PCM authorization code and use it to get an access token but it only works once. Is that the correct behaviour? Seems like it should work indefinitely so the user does not have to continuously authorize a partner. Or once I get an access token I should only use the refresh token afterwards?
Works the first time I request an access token:
Example PCM authorization code:
4/0AY0e-e45jfjsl_KPdjke_BzKgsBirc....
╰─ curl -L -X POST 'https://www.googleapis.com/oauth2/v4/token?client_id=MY-CLIENT-ID&client_secret=MY-CLIENT_SECRET&code=MY-AUTH-CODE&grant_type=authorization_code&redirect_uri=https://www.google.com'
{
  "access_token": "ya29.a0AfH6SMAgv...",
  "expires_in": 3599,
  "refresh_token": "1//04721e...",
  "scope": "https://www.googleapis.com/auth/sdm.service",
  "token_type": "Bearer"
}
On subsequent tries to use the PCM authorization code it fails. The only way to use it again is to recreate the PCM authorization code.
╰─ curl -L -X POST 'https://www.googleapis.com/oauth2/v4/token?client_id=MY-CLIENT-ID&client_secret=MY-CLIENT_SECRET&code=MY-AUTH-CODE&grant_type=authorization_code&redirect_uri=https://www.google.com'
{
  "error": "invalid_grant",
  "error_description": "Bad Request"
}
As the payload mentions, the access token expires in an hour and the refresh token should be used to acquire new access tokens as per https://developers.google.com/nest/device-access/authorize.
Note that the refresh token seems to be good for only a week in the sandbox as of this post. At that point you have to re-run the authorization flow.
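The token lifecycle from this thread, as an added example that is not part of the original posts: the authorization code is redeemed once, the access token is cached until shortly before `expires_in` runs out, and the refresh token is used after that. The state shape, the function names and the injected `post(url, formBody)` transport are assumptions for illustration; the form is sent as the POST body so the client secret stays out of URL logs.

```javascript
const GOOGLE_TOKEN_URL = "https://www.googleapis.com/oauth2/v4/token"; // endpoint from the question

// Form fields for the token endpoint, sent as the POST body (not the query string).
function tokenForm(client, grant) {
  const fields = { client_id: client.id, client_secret: client.secret, ...grant };
  return new URLSearchParams(fields).toString();
}

// An authorization code is single use: redeem it once and store what comes back.
function codeGrant(code, redirectUri) {
  return { grant_type: "authorization_code", code, redirect_uri: redirectUri };
}

// What to send next: null while the cached access token is valid, otherwise a refresh grant.
function nextGrant(state, nowMs) {
  if (state.accessToken && nowMs < state.expiresAt) return null;
  if (!state.refreshToken) throw new Error("no refresh token: run the authorization flow again");
  return { grant_type: "refresh_token", refresh_token: state.refreshToken };
}

// Fold a token endpoint response into the stored state (returns a new object).
function applyResponse(state, grant, res, nowMs) {
  if (res.error) {
    // invalid_grant on a refresh: the refresh token is no longer usable, drop it.
    // invalid_grant on a code: it was already redeemed; stored tokens are untouched.
    const dead = res.error === "invalid_grant" && grant.grant_type === "refresh_token";
    const kept = dead ? { accessToken: null, expiresAt: 0, refreshToken: null } : state;
    return { ...kept, lastError: res.error };
  }
  return {
    accessToken: res.access_token,
    expiresAt: nowMs + (res.expires_in - 60) * 1000, // renew a minute early
    refreshToken: res.refresh_token || state.refreshToken, // refresh responses may omit it
    lastError: null,
  };
}

// Glue: post(url, formBody) is a hypothetical transport that returns the parsed JSON.
async function getAccessToken(store, client, post, now = Date.now) {
  const grant = nextGrant(store.state, now());
  if (!grant) return store.state.accessToken;
  const res = await post(GOOGLE_TOKEN_URL, tokenForm(client, grant));
  store.state = applyResponse(store.state, grant, res, now());
  if (store.state.lastError) throw new Error(`refresh failed: ${store.state.lastError}`);
  return store.state.accessToken;
}
```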
I am trying to access HERE API example with JetBrains with HTTP files. When I write request this way
GET https://discover.search.hereapi.com/v1/discover?at=52.5228,13.4124&q=petrol+station&limit=5
Authorization: Bearer {{API_KEY}}
I am getting an error
{
  "error": "Unauthorized",
  "error_description": "Token Validation Failure - unrecognized kid null"
}
And while I am accessing with
GET https://discover.search.hereapi.com/v1/discover?apiKey={{API_KEY}}&at=52.5228,13.4124&q=petrol+station&limit=5
I am getting a normal answer.
Why? Is it just wrong documentation?
Please use your bearer token generated from OAUTH, you can check this post to generate the bearer token from postman or with Python.
https://discover.search.hereapi.com/v1/discover?at=52.5228,13.4124&q=petrol+station&limit=5
Authorization: Bearer {Use your Bearer access token}
When you use "Authorization: Bearer" method don't use API_KEY, but YOUR_TOKEN that you get from OAUTH, more info in documentation https://developer.here.com/documentation/authentication/dev_guide/topics/request-constructing.html
I am trying to create a product set on Google Cloud Vision Product Search, but I am getting a Permission denied error.
The Cloud Vision API is enabled in my project and the service account key has Owner role. So, I do not know what is going on here.
Request:
curl -X POST -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" -H "Content-Type: application/json; charset=utf-8" --data @./request.json "https://vision.googleapis.com/v1/projects/$PROJECT/locations/$LOCATION/productSets"
Error:
{
  "error": {
    "code": 403,
    "message": "Permission denied.",
    "status": "PERMISSION_DENIED"
  }
}
Would you mind helping me on this?
Thanks
Eric
I already fixed this. My problem was the project ID. I was using an incorrect one.
I have to access a private API (one of Air France flight company's API), and in order to use any of their API, I need an access token.
So in their guide, they say we need to use this cURL to get the token :
$ curl https://www.klm.com/oauthcust/oauth/token -d 'grant_type=client_credentials' -u fakeKey:fakeSecret
TERMINAL
When I execute this cURL in my terminal, and replace the fakeKey and fakeSecret (which I can't give you here unfortunately) by my own, it's working well and I got this answer (with a proper token in place of <TOKEN>):
{
  "access_token": <TOKEN>,
  "token_type":"bearer",
  "expires_in":3600
}
POSTMAN
When I do it in Postman, here is what I fill :
URL:
  POST: https://www.klm.com/oauthcust/oauth/token
Authorization:
  type: Basic Auth
  Username: my secret Username
  Password: my secret password
Headers:
  Authorization: automatically generated from my username and password
  Content-Type: application/x-www-form-urlencoded
Body
  checked x-www-form-urlencoded
  grant_type: client_credentials
That's all, and when I click on SEND, I got my answer and my token.
FETCH / AXIOS / HTTPRequest
So as I am not so good yet at fetching data, I used https://kigiri.github.io/fetch/ to translate my cURL into a fetch JS method. It returned this code:
fetch("https://www.klm.com/oauthcust/oauth/token", {
  body: "grant_type=client_credentials",
  headers: {
    Authorization: "Basic <HASH_COMPILED_FROM_USERNAME_PASSWORD>",
    "Content-Type": "application/x-www-form-urlencoded"
  },
  method: "POST"
})
The <HASH_COMPILED_FROM_USERNAME_PASSWORD> is exactly the same as the one Postman compiled.
So this fetch seems OK for me, however on Chrome it returns a Response for preflight has invalid HTTP status code 503.
Opera is returning me Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin <MY_WEBSITE> is therefore not allowed access. The response had HTTP status code 503.
However it seems weird that the mistake comes from their site; I think it's more something that I missed in my fetch request. Do you have an idea?
Thanks !
Well, the answer finally has been: the request must come from a back-end, otherwise the response won't have anything inside it (or error 503). Thanks @sideshowbarker for your well-explained comments!
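A back-end version of the token request from this thread, as an added example that is not the asker's or the API provider's code: the server performs the client-credentials call and forwards allow-listed GET requests with the bearer token, so the browser only talks to its own origin. `KLM_KEY`, `KLM_SECRET`, `apiBase` and `allowedPrefixes` are assumed names supplied by the caller; the page gives no API paths, so none are hard-coded.

```javascript
const KLM_TOKEN_URL = "https://www.klm.com/oauthcust/oauth/token"; // URL from the question

// Same request as `curl -u key:secret -d grant_type=client_credentials`.
// The Basic value is base64("key:secret"): an encoding, not a hash, so anyone who
// can read it (for example in browser JavaScript) recovers the secret.
function tokenRequest(key, secret) {
  return {
    method: "POST",
    headers: {
      Authorization: "Basic " + Buffer.from(`${key}:${secret}`).toString("base64"),
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: "grant_type=client_credentials",
  };
}

// Server-side only. fetchImpl is injectable so the flow can be exercised offline.
async function serverSideToken(env, fetchImpl = fetch) {
  const res = await fetchImpl(KLM_TOKEN_URL, tokenRequest(env.KLM_KEY, env.KLM_SECRET));
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  return (await res.json()).access_token;
}

// Resolve a browser-supplied path against the API base and refuse anything that
// leaves the base origin or the allow-listed prefixes (both supplied by the caller).
function upstreamUrl(reqUrl, apiBase, allowedPrefixes) {
  const target = new URL(reqUrl, apiBase);
  const sameOrigin = target.origin === new URL(apiBase).origin;
  const allowed = allowedPrefixes.some((p) => target.pathname.startsWith(p));
  return sameOrigin && allowed ? target.toString() : null;
}

// Handler for the site's own origin, usable with Node's http.createServer().
// The browser calls this server; the token and secret never reach the page.
function makeProxy({ env, apiBase, allowedPrefixes, fetchImpl = fetch }) {
  return async (req, res) => {
    const url = req.method === "GET" ? upstreamUrl(req.url, apiBase, allowedPrefixes) : null;
    if (!url) { res.writeHead(404); return res.end(); }
    try {
      const token = await serverSideToken(env, fetchImpl);
      const up = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
      res.writeHead(up.status, { "Content-Type": "application/json" });
      res.end(await up.text());
    } catch (err) {
      res.writeHead(502); res.end();
    }
  };
}
```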