I am trying to access the Firebase Rules API using the Google APIs Node.js Client.
I tried OAuth2 and using an API key both obtained through the gcloud console for my project, but both methods got me: Error: The caller does not have permission
This is how i tried to do it with an API key: https://gist.github.com/dergoegge/1e9cbf980148ef3febecaf0eeeb0e1fa
Are there any special restrictions on that api or am i doing something wrong?
Edit: I also tried using service account credentials https://gist.github.com/dergoegge/665d235819429d74c9d448226ec1eba3
and got
errors:
[ { message: 'Invalid Credentials',
domain: 'global',
reason: 'authError',
location: 'Authorization',
locationType: 'header' } ]
in the response.
I should have read the documentation more before asking.
I did not follow all the steps listed here: https://github.com/googleapis/google-api-nodejs-client#oauth2-client
After that it works.
Related
While using SSO to sign on Azure using MSAL with Angular, I get redirected this URL: https://login.microsoftonline.com/common//discovery/instance?api-version=1.1&authorization_endpoint=https://login.microsoftonline.com/{tenant}/{organization}.onmicrosoft.com/{policyName}/oauth2/v2.0/authorize endpoint.
... and the response is - 400 bad request error or an invalid_request (in the xhr)
A curl comes back with this error:
"error":"invalid_request","error_description":"AADSTS50050: The request is malformed: invalid format for 'authorization_endpoint'
Why would this happen for new users?
update:
MsalModule.forRoot(
{
auth: {
...
validateAuthority: false,
...
},
...
setting validateAuthority: false resolved this issue for now.
However, setting validateAuthority should not cause problems - this is just a workaround.
If you are using Azure AD, try to change your authorization_endpoint to
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Policy name is always used for Azure AD B2C, format like: https://{your-B2C-tenant-name}.b2clogin.com/{organization}.onmicrosoft.com/{policyName}/oauth2/v2.0/authorize.
We have an O365 tenant, everything is configured out of the box. The tenant is placed in the German cloud and not in global (office.de).
We also developed an Office Add-in that authorize access to sharepoint using OAuth 2.0.
First, we initiate a request for a code to this url:
http://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=client_id&redirect_uri=redirect_uri&state=state
and we get all values back including the code.
Then, we initiate a request for the Discovery Service to discover the services using this url:
https://login.windows.net/common/oauth2/token?client_id=client_id&redirect_uri=redirect_uri&resource=https://api.office.com/discovery/&grant_type=authorization_code&code=code
In the global cloud everything is ok and we get the list of services we need but in the German cloud we get the following error:
{
"error": "invalid_grant",
"error_description": "AADSTS90051: Invalid Delegation Token. Invalid national Cloud ID (1) is specified.\r\nTrace ID: 52f8aa2b-9f98-4ba6-b778-c0ba484a3c00\r\nCorrelation ID: 67100192-82c8-41ea-a5ca-fd9872caaf2e\r\nTimestamp: 2018-02-08 06:31:18Z",
"error_codes": [
90051
],
"timestamp": "2018-02-08 06:31:18Z",
"trace_id": "52f8aa2b-9f98-4ba6-b778-c0ba484a3c00",
"correlation_id": "67100192-82c8-41ea-a5ca-fd9872caaf2e"
}
The same error occurs when we try to change the url to https://login.windows.de/common/oauth2/token
I think that you can use client crendetials flow to achieve that:
1.Request the access token for the Office Discovery service API:
POST https://login.microsoftonline.de/{{yourtenantId}}/oauth2/token?client_id={{client_id}}&client_secret={{client_secret}}&grant_type=client_credentials&resource=https://api.office.com/discovery/
2.Use the access token in the head and use the Office Discovery API:
Additional: If you want to get id_token and use it, try to use https://login.microsoftonline.de as the AAD Athorization endpoint in your request. I didn't test, but it should work.
Hope this helps!
I'm trying to use the swagger node to build an API to my meteor app. I managed to build the API but could not find a good guide on how to secure it. The plan is to let our mobile app connect to the main app in the server. (For this we also need to generate device-specific keys right?)
So far we tried to setup security in swagger like this :
securityDefinitions:
oauth2:
type: oauth2
authorizationUrl: "http://swagger.io/api/oauth/dialog"
flow: "implicit"
security:
- oauth2: []
But it gave us this error:
{
"message": "unknown security handler: oauth2",
"code": "server_error",
"statusCode": 403
}
Can you please tell me why the error is coming and how to properly implement the API according to my needs? Thanks!
I was using googleapis library and successfully authenticate my Service Account credentials using JWT. Then I found out google-cloud library, which has specific modules for Prediction API, but failed to authenticate the same Service Account credentials.
I don't use Google Computing Engine or App Engine and working in local developement
I follow code in documentation:
var key = require('./MY_SERVICE_ACCOUNT_CREDENTIALS.json')
var prediction = require('#google-cloud/prediction')({
projectId: 'MY_PROJECT_ID',
credentials: key
})
prediction.getModels((err, models) => {
if (err) {
console.log(err)
return
}
console.log('Models:', models)
})
and it returns:
{ ApiError: Access to project denied: user requires read permissions.
at [here goes stack trace]
code: 401,
errors:
[ { domain: 'global',
reason: 'authError',
message: 'Access to project denied: user requires read permissions.',
locationType: 'header',
location: 'Authorization' } ],
response: undefined,
message: 'Access to project denied: user requires read permissions.' }
I don't know where it goes wrong and I'm not sure if I would need to authenticate with googleapis and integrate it with google-cloud or etc. It's also lack of samples
So I know this is a couple of months old but the error is pretty self explanatory but I also ran into this issue myself.
Essentially your service key isn't given the proper permissions in order to read (or write) information from your project. Look for your service account under IAM & Admin in the Google Cloud Console and add Project → Editor and/or Project → Viewer to the service account you've created. Make sure you press "Save" once you've added those permissions and wait about 20 seconds for those permissions to reflect.
Specifically, I'd like to use the Gmail API to access my own mail only. Is there a way to do this without OAuth and just an API key and/or client id and secret?
Using an API key like:
require('googleapis').gmail('v1').users.messages.list({ auth: '<KEY>', userId: '<EMAIL>') });
yields the following error:
{ errors:
[ { domain: 'global',
reason: 'required',
message: 'Login Required',
locationType: 'header',
location: 'Authorization' } ],
code: 401,
message: 'Login Required' }
I suppose that message means they want a valid OAuth "Authorization" header. I would do that but I suppose that's not possible without presenting a webpage.
The strict answer to "Is there a way to do this without OAuth and just an API key and/or client id and secret?" is no.
However, you can achieve what you are looking for using OAuth. You simply need to store a Refresh Token, which you can then use any time to request an Auth Token to access your gmail.
In order to get the refresh token, you can either write a simple web app to do a one time auth, or follow the steps here How do I authorise an app (web or installed) without user intervention? (canonical ?) which allows you to do the whole auth flow using the Oauth Playground.
The question is rather old, but the problem is not. For now Google API has an option to create service accounts. I think it suits for everybody who wants "just connect application to its own google workspace" and not to do some actions on users behalf. Google documentation writes about it:
Typically, an application uses a service account when the application uses Google APIs to work with its own data rather than a user's data. For example, an application that uses Google Cloud Datastore for data persistence would use a service account to authenticate its calls to the Google Cloud Datastore API.
Here is the example in Java (there was no JS, but the meaning is clear):
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.services.sqladmin.SQLAdminScopes;
GoogleCredential credential = GoogleCredential.fromStream(new FileInputStream("MyProject-1234.json"))
.createScoped(Collections.singleton(SQLAdminScopes.SQLSERVICE_ADMIN));
SQLAdmin sqladmin =
new SQLAdmin.Builder(httpTransport, JSON_FACTORY, credential).build();
SQLAdmin.Instances.List instances =
sqladmin.instances().list("exciting-example-123").execute();