I am trying to get the list of chrome devices registered with the specified customer Id.
I have done the following Steps.
Enabled Google Admin Directory API
Created Service Account and downloaded the jwt.json file for
connectivity.
Enabled the Domain wide G-Suite Delegation previlige.
Registered this client id as authorized API client Thru Google
Admin(Manage API client access)
Client Id : our clientid
API Scope: View and manage your Chrome OS devices' metadata https://www.googleapis.com/auth/admin.directory.device.chromeos View your Chrome OS devices' metadata https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
Next I used my Node module to Generate the JWT access
Token is created Successfully.
{"access_token":"ya29.c.KpEB****K*********lufaGlx5k********hvAdADxBhOA****8R3rnTPKKnVb97sdPFG66wHy4FPrnx6KskafKXrBBfEgILdDelP-n5irpKm5h8y8oBWHO*******Xg","token_type":"Bearer","expiry_date":1587150649000,"refresh_token":"jwt-placeholder"}
Now i am trying to use this Bearer toke to access the following API
https://www.googleapis.com/admin/directory/v1/customer/ourcustomerid/devices/chromeos
This is always giving the following error.
{
"error": {
"errors": [{
"domain": "global",
"reason": "forbidden",
"message": "Not Authorized to access this resource/api"
}],
"code": 403,
"message": "Not Authorized to access this resource/api"
}
}
Not sure what is the issue.
Its working after adding Impersonated users email address... Originally it was
const jwtAuth = new google.auth.JWT(
quickstart.client_email,
null,
quickstart.private_key,
[
'https://www.googleapis.com/auth/admin.directory.device.chromeos',
'https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly'
]
);
Then I have added the subject as impersonated users email address.
const jwtAuth = new google.auth.JWT(
quickstart.client_email,
null,
quickstart.private_key,
[
'https://www.googleapis.com/auth/admin.directory.device.chromeos',
'https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly'
],
'email address of the impersonated user',
);
Related
I'm trying to use Google API to invite managers to my business profile account
My role is "OWNER" and I try to invite someone by email
I used OAuth playground tool to achieve that.
scope: https://www.googleapis.com/auth/business.manage
method: POST
URL: https://mybusinessaccountmanagement.googleapis.com/v1/accounts/108463676430689610134/admins
request body:
{
"role": "MANAGER",
"admin": "mina.zakaria.zakher#gmail.com"
}
response body
{
"error": {
"status": "PERMISSION_DENIED",
"message": "The caller does not have permission",
"code": 403
}
}
I don't know why permission denied while I could add the same email using dashboard? any help?
Inviting others as admins is only supported for accounts that are not of AccountType PERSONAL.
Personal account:
Location group account (where a user could invite others via the group settings capability):
I'm using the google cloud storage node.js client sdk, and I want to set permissions to an uploaded object from Node.js.
For instance, I want only authenticated users (I manage authentication/authorization myself) to be able to access certain files, and other files to be publicly available, But can't understand how to achieve that.
This is what I want to achieve
const myBucket = storage.bucket('files_bucket')
const fileRef = myBucket.file('some_file.pdf')
// Here I authenticate the user
const [isAuthenticated, user] = await authenticate(username, password)
if (!isAuthenticated) {
// The only method I found of making file public, doesnt seem to work
await fileRef.makePublic()
} else {
const userRole = user.role // either 'admin' or 'client'
// How can I make this file private to all users with certain role
await fileRef.makePrivate()
}
Btw, makePublic doesnt seem to make the file public, because once i try to access its URL, i get
{
"error": {
"code": 401,
"message": "Anonymous caller does not have storage.objects.getIamPolicy access to the Google Cloud Storage object.",
"errors": [
{
"message": "Anonymous caller does not have storage.objects.getIamPolicy access to the Google Cloud Storage object.",
"domain": "global",
"reason": "required",
"locationType": "header",
"location": "Authorization"
}
]
}
}
As mentioned in the comments you are not using Cloud Storage Authentication nor Google OAuth2 service, and therefore your user appears as an Anonymous caller to Cloud Storage, which is not allowed to access your resources and service is denied.
It is possible to do this without using direct authentication with Google for your users, therefore managing authentication/authorization by yourself, but when trying to access GCS resources (or other GCP products for that matter) you are going to need to inpersonate a service account to appear as an authenticated caller for GCS, the logic behind autorization to particular files will be up to your code at this point.
In order to setup access through a service account for the GCS library you can use these instructions in the documentation.
I set up a new Application in microsoft azure and got the admin to consent application permissions for this app ( files.ReadWriteAll). I am able to get the access_token through POSTMAN. I am trying to get drive information using this endpoint
https://graph.microsoft.com/v1.0/drives/{drive-id}
But I get an error response :-
{ "error": { "code": "AccessDenied", "message": "Either scp or roles claim need to be present in the token.", "innerError": { "request-id": "905c7701-8b89-4711-9204-b00c4a09a921", "date": "2019-03-28T15:56:29" } } }
I used this link to get info on my access token.
http://jwt.calebb.net/
Files.Readwrite permissions don't seem to be listed anywhere in the info ( not sure why) . The azure site shows that consent was granted.
Azure permissions set up for my app:
Check the steps as below.
Register your app following this document, and Grant permissions.
get access token like this.
Check the token
Call graph api
I encountered a new issue today when I tried to send a request with my new production account and the integrator key, newly promoted to Live status.
The API login succeeded, and it returns my AccountID.
However, when I try to create an envelope with envelopesApi.CreateEnvelope API call, I received the following error.
I tested the code with my demo account and key, couple of days ago. It was working fine. I think it is related to the key, because the login request was succeed.
DocuSign.eSign.Client.ApiException: 'Error calling CreateEnvelope: {
"errorCode": "USER_AUTHENTICATION_FAILED",
"message": "One or both of Username and Password are invalid."
}
Please let me know if there is anything else I need to do.
Often when the USER_AUTHENTICATION_FAILED error is received and you are positive the correct user/pwd combo is being provided it's because of the wrong account endpoint being accessed.
You need to parse sub-domain of the baseUrl that is returned from the Login API (property is called base_uri if using OAuth2) and configure your api client with that sub-domain.
When testing in demo it's ok if you miss this step since all accounts are under the demo.docusign.net sub-domain, however in production there are multiple sub-domains (ie. www, na2, eu, etc) so you need to re-configure once right after authentication.
Example:
The response to the Authentication: login API looks like:
{
"loginAccounts": [
{
"accountId": "123456",
"baseUrl": "https://na2.docusign.net/restapi/v2/accounts/123456",
"email": "jdoe#example.com",
"isDefault": "true",
"name": "LoanCo",
"siteDescription": "",
"userId": "abcdff66-f92e-4e8e-ab81-8c46f140",
"userName": "John Doe"
}
]
}
Then instantiate a new API client using the sub-domain that was returned in the login response:
ApiClient apiClient = new ApiClient("https://na2.docusign.net");
I'm getting the following when trying to authenticate using OAuth2 using the Java client library:
Error:
Code was 403
Msg: Forbidden
{
""error"": {
""errors"": [
{
""domain"": ""global"",
""reason"": ""insufficientPermissions"",
""message"": ""Insufficient Permission""
}
],
""code"": 403,
""message"": ""Insufficient Permission""
}
}
What could be causing this "Insufficient Permission" error?
If you are using Google Wallet Objects API, make sure that you share your Account in the Merchant Account with the Service Account Email Address (the one you got when you created your credentials - you can get this one from the cloud console https://cloud.google.com/console, the one that ends with #developer.gserviceaccount.com)
Login to the Merchant Dashboard, click on Account Management and then click on Share. Add the email to the list of users.
You'll also want to share your merchant account with any users you want to give preview access to your classes and discoverables.