I have a couple of resources added to my Gsuite and I am managing events of these resources from APIs.
Authentication & Authorization
I have generated oAuth creds , API key from the developer console. Provided necessary Scopes.
Resource Calendar emails are shared with my Calendar from settings & sharing option in Google Calendar.
SCOPES = ['https://www.googleapis.com/auth/calendar', 'https://www.googleapis.com/auth/calendar.events']
APIs
GET APIs are working fine but when I am trying to use update/patch APIs then it is giving me the error.
I also tried using the API explorer since this here scopes/tokens are handled by Google itself so it should work fine, but NO I am getting the same 403 error in API explorer too.
Interesting thing is if I pass the wrong body in Patchcall then it will give me 400 error but with the correct body it will give me 403.
Old SO questions Answer suggested to check Scopes, Share Resource Calendar in your Google Calendar, BUt I verified all these things and they are fine. I can verify the Granted scopes from token generated responses and even from the Account Settings Third APP page.
curl --location --request PATCH 'https://www.googleapis.com/calendar/v3/calendars/my_resource.calendar.google.com/events/<event_id>>' \
--header 'Authorization: Bearer <token>' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data-raw '{
"status": "cancelled"
}'
In above curl :
Token is of my gsuite user account > let's say user#custom_domain.com
calendarID is Gsuite Resource > my_resource.calendar.google.com
eventUId is > created from user#custom_domain.com and select my_resource.calendar.google.com as Room.
Thsi resource email my_resource.calendar.google.com is added in user#custom_domain.com Calendar. So user can manage events created on resource
But I am getting 403 error. Is there anything I am missing here in configuration ?
UPDATE
Error Message
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Forbidden"
}
],
"code": 403,
"message": "Forbidden"
}
}
Related
We are fetching all posts by author in the LinkedIn Rest API. We are using a projection to enrich the author with things like name and logo. Here is the query:
curl "https://api.linkedin.com/rest/posts?author={MY_ORG}&q=author&count=50&projection=(elements(*(*,author~(vanityName,localizedName,logoV2(*,cropped~:playableStreams(*,elements*(identifiers*(identifier))))))))" \
-H "LinkedIn-Version: 202212" \
-H "Authorization: .."
This works fine, however if I change to LinkedIn-Version: 202301 I get this response:
{
"status": 400,
"code": "ILLEGAL_ARGUMENT",
"message": "projection parameter is not allowed for this endpoint"
}
Is this documented anywhere? How do I get the author's details instead?
You could look at the returned author field and determine if it is of the format:
PersonURN: /^urn:li:person:[a-z0-9]+$/i
Organization urn: /^urn:li:organization:[0-9]+$/
For organizations use the organization lookup API You cannot use the organization endpoint for it.
For persons use the profile API
I want to get a list of courses from an audience by HTTP request, I have set the required areas in the project in Google Cloud, but I still get an error when I try to get the courses.
P.S - Please do not offer me documentation and libraries, do not try to convince me, I just need an HTTP request.
{
"error": {
"code": 403,
"message": "Request had insufficient authentication scopes.",
"status": "PERMISSION_DENIED",
"details": [{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
"domain": "googleapis.com",
"metadata": {
"method": "google.classroom.v1.Courses.ListCourses",
"service": "classroom.googleapis.com"
}
}]
}
}
I tried adding ?scope=https://www.googleapis.com/auth/classroom.courses.readonly to the end of the link
Here is the request template
curl \
'https://classroom.googleapis.com/v1/courses?key=[YOUR_API_KEY]' \
--header 'Authorization: Bearer [YOUR_ACCESS_TOKEN]' \
--header 'Accept: application/json' \
--compressed
Im going to assume that you are using courses list method
The call should look something like this in raw HTTP Request
GET https://classroom.googleapis.com/v1/courses HTTP/1.1
Authorization: Bearer [YOUR_ACCESS_TOKEN]
Accept: application/json
The access token ([YOUR_ACCESS_TOKEN]) you are sending must be authorized with the proper scope. If you check the documentation page for the method you are using you will see that you should have authorized the user with one of these scopes
So in your case the error Request had insufficient authentication scopes. means that when you requested authorization you did not request one of the scopes above. There for your access token has insufficient authorization scopes to make the request.
The solution is to reauthorize your user with one of the scopes required by the method in question.
You can read more about how to request authorization and what scopes are in the Using OAuth 2.0 to Access Google APIs documentation page.
Hint: Your very first in the oauth2 flow contains the scope.
https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/classroom.courses&response_type=code&redirect_uri=http%3A//127.0.0.1%3A9004&client_id=client_id
This video may help you understand scopes Understanding Google OAuth 2.0 with curl since you appear to be using curl and not just raw HTTP calls.
I'm trying to use the Linkedin standardized data APIs. But its not clear how to permission myself to this via the Developer Portal.
https://learn.microsoft.com/en-us/linkedin/shared/references/v2/standardized-data/titles#get_all
curl -X GET https://api.linkedin.com/v2/titles -H 'Authorization: Bearer BEARER_TOKEN'
Returns:
{"serviceErrorCode":100,"message":"Not enough permissions to access: GET /titles","status":403}
Whereas
curl -X GET https://api.linkedin.com/v2/me -H 'Authorization: Bearer BEARER_TOKEN'
Returns
HTTP/1.1 200 OK
With Payload
Looks like LinkedIn needs to enable the client_credentials flow but not obvious where to request this: linkedin "this application is not allowed to create application tokens" ?
I have created an application in the developer portal in WSO2 and am trying to generate a token using this curl command:
curl -v -X POST -H "Authorization: Basic <base64encoded clientId:clientSecrect>" -k -d "grant_type=password&username=alex&password=alex123&scope=somescope" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
But I get the below response:
180{"error_description":"A valid OAuth client could not be found for client_id: ClientId","error":"invalid_client"}
I have tried also the following command :
curl -v -X POST -H "Authorization: Basic <base64encoded clientId:clientSecrect>" -k -d "grant_type=client_credentials&client_id=&client_secret=" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
But with no success, I can generate the token from the devportal no problem but while executing it does not recognize the client for some reason. Could someone tell me what might be the problem for this.
You are missing the client id and secret in the Authorization header. You need to base64 encode client id and secret.
curl -k -X POST https://localhost:9443/oauth2/token -d "grant_type=password&username=Username&password=Password" -H "Authorization: Basic Base64(clientid:client_secret)"
curl -k -X POST https://localhost:9443/oauth2/token -d "grant_type=password&username=admin&password=admin" -H "Authorization: Basic VjhZRVdfUldISURZb0hJSU5yOTczVEhqYnBnYTpyVGg4N1VhUERPdGFlN25GUFFLc1pCR2FJdm9h"
So I kinda half solved it because it is still not giving me the desired behavior. In carbon port 9444 I added a user and assigned it roles to the application that I want the token and when executed the curl i got the token did the same thing for carbon but with port 9443 and it still displays as
180{"error_description":"A valid OAuth client could not be found for client_id: ClientId","error":"invalid_client"}
Is there a reason for this?
The following are the complete steps on registering an application in devportal, generating the client credentials, generating the access token, and using the access token to invoke the API calls. Please note that all these steps are achieved via the wso2am-3.2.0 devportal REST API calls.
WSO2 REST APIs are protected using OAuth2 and access control is achieved through scopes. Before you start invoking the API, you need to obtain an access token with the required scopes. This guide will walk you through the steps that you will need to follow to obtain an access token. First, you need to obtain the consumer key/secret key pair by calling the dynamic client registration (DCR) endpoint. You can add your preferred grant types to the payload. A Sample payload is shown below.
{
"callbackUrl":"www.google.lk",
"clientName":"rest_api_devportal",
"owner":"admin",
"grantType":"client_credentials password refresh_token",
"saasApp":true
}
Create a file (payload.json) with the above sample payload, and use the cURL shown below to invoke the DCR endpoint. The authorization header of this should contain the base64 encoded admin username and password. Format of the request
curl -X POST -H "Authorization: Basic Base64(admin_username:admin_password)" -H "Content-Type: application/json" -d #payload.json https://<host>:<servlet_port>/client-registration/v0.17/register
Following is a sample response after invoking the above curl.
{
"clientId": "fOCi4vNJ59PpHucC2CAYfYuADdMa",
"clientName": "rest_api_store",
"callBackURL": "www.google.lk",
"clientSecret": "a4FwHlq0iCIKVs2MPIIDnepZnYMa",
"isSaasApplication": true,
"appOwner": "admin",
"jsonString": "{\"grant_types\":\"client_credentials password refresh_token\",\"redirect_uris\":\"www.google.lk\",\"client_name\":\"rest_api_devportal\"}",
"jsonAppAttribute": "{}",
"tokenType": null
}
Next, you must use the above client id and the secret to obtain the access token. We will be using the password grant type for this, you can use any grant type you desire. You also need to add the proper scope when getting the access token. All possible scopes for devportal REST API can be viewed in the OAuth2 Security section of this document and the scope for each resource is given in the authorization section of resource documentation. Following is the format of the request if you are using the password grant type.
curl -k -d "grant_type=password&username=<admin_username>&password=<admin_password>&scope=<scopes separated by space>" -H "Authorization: Basic base64(cliet_id:client_secret)" https://<host>:<gateway_port>/token
Shown below is a sample response to the above request.
{
"access_token": "e79bda48-3406-3178-acce-f6e4dbdcbb12",
"refresh_token": "a757795d-e69f-38b8-bd85-9aded677a97c",
"scope": "apim:subscribe apim:api_key",
"token_type": "Bearer",
"expires_in": 3600
}
Now you have a valid access token, which you can use to invoke an API. Navigate through the API descriptions to find the required API, obtain an access token as described above and invoke the API with the authentication header. If you use a different authentication mechanism, this process may change.
For further details please refer https://apim.docs.wso2.com/en/3.2.0/develop/product-apis/devportal-apis/devportal-v1/devportal-v1/#section/Authentication
I am trying to create a product set on Google Cloud Vision Product Search, but I am getting a Permission denied error.
The Cloud Vision API is enabled in my project and the the service account key has Owner role. So, I do not know what is going on here.
Request:
curl -X POST -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" -H "Content-Type: application/json; charset=utf-8" --data #./request.json "https://vision.googleapis.com/v1/projects/$PROJECT/locations/$LOCATION/productSets"
Error:
{
"error": {
"code": 403,
"message": "Permission denied.",
"status": "PERMISSION_DENIED"
Would you mind helping me on this?
Thanks
Eric
I already fixed this. My problem was the project ID. I was using an incorrect one.