400. That’s an error.
Error: invalid_scope
You don't have permission to access some scopes. Your project is trying to access scopes that need to go through the verification process. {invalid = [https:// mail.google.com/]} If you need to use one of these scopes, submit a verification request.
This is the error that I am getting when I flowed the tutorial in this link:
https://developers.google.com/gmail/api/quickstart/js
In the link they asked me to access webserver via python but I am using apache.
So in the step 1.f, Authorized JavaScript origins: am using the link http:// localhost instead of http:// localhost:8000. What might be causing the error??
You may refer with this thread.
As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
This blog about how to fix this error might be also helpful.
Related
I'm making an open source Node module that will require access to each user's private Google Drive files. I've been trying to wrap my head around all of these different authentication types, and have come to a road block. From what I've gathered, there are two primary types of authentication
I, the library author, provide in my library the public and private keys necessary to authenticate each user with OAuth2. This means giving them a URL to go to to give my app permission to access their data, and have them copy and paste an access code back into their terminal. I was able to run through this tutorial and get it working, but this method seems dangerous, because of the keys I have to package with my library, and unnecessarily difficult.
Have the user go to the Google API console, get their own API key, and provide that to my library through some sort of configuration file. No URL redirection, no copying and pasting, just some private credentials that only they have access to.
2 sounds a lot better to me: This library has absolutely nothing to do with me once it's in the user's hands, so it feels incorrect to have them authenticate with me. But from what I can find, the only way to do this with Google's API is to create a Google Service account, download the JSON they give you, go through a flow similar to the top comment on this blog post, and then manually give the service account email access to my personal Google Drive files. This seems hacky, and a lot of work to gain access to my own private data. Is there a better way to go about this? It seems strange to me that this fairly standard flow in other APIs is only available in Google's API through service accounts, but maybe there is a way and I'm just not seeing it. I'm fairly new to authentication, so any help at all is appreciated. Thanks!
First off I want to say that you cant release your open source project with the client id and client secrete that you created on Google Developers console this is against googles terms of service.
1.Developer credentials (such as passwords, keys, and client IDs) are intended to be used by you and identify your API Client. You will keep
your credentials confidential and make reasonable efforts to prevent
and discourage other API Clients from using your credentials.
Developer credentials may not be embedded in open source projects.
My Answer on another question about exposing client id in open source projects.
Second you could instruct your users to use either Oauth2 or a service account or both its really up to you.
If the user will only be accessing their own data and wont need to access someone else's data then they can use a service account you will need to instruct them in how to share a folder on Google Drive with the service account. However from your side permissions can be tricky when they are uploaded the service account will own the file uploaded to the users google drive account you will need to have the service account add permissions for the user so the user will then also be able to access said file.
The easiest way to go will be Oauth2 when the code uploads files they are owned by the authenticated user so you wont have the same permissions issue you had with a service account.
I am using a chrome extension that calls the chrome.identity api to get an access token (using google plus login scope).
I then try to call a Google endpoints API with this token. For this, I set a request header with 'Authorization'='Bearer <token>' format.
I have added the client_id from the manifest.json of my chrome extension to the list of allowed client ids for the endpoints API. But, I still cannot connect to it, even when I run the API on localhost.
The allowed list of client ids includes those clients that I defined on the API credentials page on Google Developers Console. My chrome extension is present as a client in that list, but it's client_id is different.
The error I keep getting on the server side:
WARNING 2016-04-22 03:01:35,068 users_id_token.py:372] Oauth token doesn't include an email address.
Can anyone please give me some pointers to try? Please let me know if any clarification is necessary.
The Google Oauth2 APIs are commons of all types of clients, so i will answer in general which applies to all.
The google plus login scope(plus.login or plus.me) will not return email address, in order to get the authenticated user's email address you need to pass an additional scope https://www.googleapis.com/auth/userinfo.email which will returns users email address. Hope that is what you are looking for.
if you wants to experiment it, visit https://developers.google.com/oauthplayground/
I'm building my own IMAP client using node-imap, and I'm testing it against accounts on office365.
Since it's under development, I tend to hammer on the IMAP server more that I would in production, but not necessarily what I would consider to be too much.
Occasionally, I start getting the IMAP response "BAD User is authenticated but not connected". This comes after the first command after a successful login.
This is not related to password changes as other similar articles indicate, as my passwords are not changing during this time.
When this happens, the account seems to get locked up for a period of time. I seem to be able to jiggle it free by disabling then re-enabling IMAP on the account via the office365 admin panel.
So it looks like there's a circuit breaker of some sort in the IMAP interface on office365. Microsoft documents a limit of 20 concurrent sessions. In my case I am only opening one session at a time, but I am then closing it and re-opening it again soon after (debugging), so if I am running afoul of a limitation, it's not documented anywhere i have read.
Microsoft support has been helpful but unable to help me root cause this.
In order to take this app to production, I need to know what causes this to happen.
Has anyone else had a similar experience with office365?
You may want to take a look at the Outlook REST APIs rather than IMAP. The REST APIs are the recommended development API for Office 365 and are much better suited for app development with features like webhook based notifications, and are constantly evolving with the new features and functionality in the service. They also don't have the session oriented nature that IMAP has that results in the kinds of problems you are hitting.
There is a NodeJS quickstart guide to O365 here: https://dev.outlook.com/RestGettingStarted/Tutorial/node
you need to perform 2 operations on exchange online using powershell
You need to create the service principal
New-ServicePrincipal -AppId {clientid} -ServiceId {enterprise application objectid} -Organization {tenantid}
you need to grant your service principal access to the mailbox,
If the principal does not have the access, you get "user not connected"
Add-MailboxPermission -Identity {email} -User -ServiceId {enterprise application objectid} -AccessRights FullAccess
See "Register service principals in Exchange" at
https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
If you have already verified that your password is correct (by logging into your mailbox from the web) then the issue might be Exchange server keeping a list of all your active login sessions.
Try signing out from all other locations by clicking "sign out everywhere" on the account security page https://mysignins.microsoft.com/security-info and then retry signing in again.
Office365 will accept connections and successfully authenticate even when the user doesn't have permissions to access the server by IMAP, and this is the exact error it gives in that situation.
To resolve it, go into the Office365 panel, open the user, and ensure that the IMAP permission is checked.
I'm trying to use the adal.js experimental libraries to authenticate a user and obtain an accessToken for their Office 365 Calendar.
My web page uses implicit flow and JS implementation (not the adal-angular.js libraries).
I have passed in the scope of https://outlook.office.com/Calendars.Read. This prompts the user for consent.
Once accepted, the libraries return the id_token to the web page, I then have a button which invokes the AuthenticationContext.acquireTokenSilent function which makes the call to obtain an accessToken.
This call results in the error:
"AADSTS65001: The user has not consented to the requested scope."
I'm a bit lost at this point, i've tried to pass in other scopes which also result in the same error. I've inspected all of the calls to the oauth endpoints (mentioned here).
Is this a limitation of the v2 App Model? Or is their something missing here? I know that it mentions that implicit flow in a limitation of the v2 model, however the previously mentioned article seems to contradict that.
I have encountered the exact error message by using ADAL to authenticate Office 365 graph API, and I successfully resolved it by re-installing my Chrome. Basically using ADAL.js in a non SPA web solution would not work, because the recommended authentication flow for web application is authentication code flow. The key point is not to use IE. The below example contains the reasons which I referred: https://github.com/OfficeDev/O365-JQuery-CORS
I have a simple page with a form, and I decided to offer the option of submitting it to a Google Sheet. It's meant as part of an internal webapp, used by a few collaborators to submit to a spreadsheet shared between us. I would have used a Google Forms but I wanted more control over the form.
I have set up a Google Apps Script bound to the spreadsheet following these instructions and deployed it as web app with:
Execute the app as: Me
Who has access to the app: Anyone, even anonymous
This works fine, I can POST FormData with XMLHttpRequest (vanilla javascript). But so can anyone else, no matter if they're allowed to edit the spreadsheet, even if they're logged out of Google.
I'd like to restrict access to the web app - only people invited to the spreadsheet should be able to use the web app to insert rows. (Which is what I expected in the first place... if you don't have edit permissions you don't get to edit, period.)
At the moment switching the Google Apps Script Deploy as web app settings to anything else results in an 'Access-Control-Allow-Origin' error. I probably have to do something else - either in my page or in the GAS - to handle auth, right?
I want the web app to be deployed as
Execute the app as: User accessing the app
Who has access to the app: Anyone
and when a spreadsheet collaborator visits my page, he can submit the form - provided he's logged into Google.
the google apps script execution api does what you need. its well explained in the official docs:
https://developers.google.com/apps-script/guides/rest/api
its too broad to explain here step by step. you might need to read also about how to make an oauth2 flow from browser javascript.