I am using a chrome extension that calls the chrome.identity api to get an access token (using google plus login scope).
I then try to call a Google endpoints API with this token. For this, I set a request header with 'Authorization'='Bearer <token>' format.
I have added the client_id from the manifest.json of my chrome extension to the list of allowed client ids for the endpoints API. But, I still cannot connect to it, even when I run the API on localhost.
The allowed list of client ids includes those clients that I defined on the API credentials page on Google Developers Console. My chrome extension is present as a client in that list, but it's client_id is different.
The error I keep getting on the server side:
WARNING 2016-04-22 03:01:35,068 users_id_token.py:372] Oauth token doesn't include an email address.
Can anyone please give me some pointers to try? Please let me know if any clarification is necessary.
The Google Oauth2 APIs are commons of all types of clients, so i will answer in general which applies to all.
The google plus login scope(plus.login or plus.me) will not return email address, in order to get the authenticated user's email address you need to pass an additional scope https://www.googleapis.com/auth/userinfo.email which will returns users email address. Hope that is what you are looking for.
if you wants to experiment it, visit https://developers.google.com/oauthplayground/
Related
I'm trying to make a portal where users can authenticate their Google credentials and then access their Google Calendar by creating and deleting events all via my website. However, I can't seem to find where on the Google Developers Console where to whitelist my site because of this following error:
{
"error": "idpiframe_initialization_failed",
"details": "Not a valid origin for the client: https://maxstechandmathsite.azurewebsites.net has not been whitelisted for client ID (my client ID).
Please go to https://console.developers.google.com/ and whitelist this origin for your project's client ID."
}
The JavaScript code I'm using is in reference to this Github page: https://github.com/gsuitedevs/browser-samples/blob/master/calendar/quickstart/index.html. Besides having to verify my site ownership, the issue may also be having an incorrect client ID or API key. For Google Calendar, I'm assuming you use the client ID and API key for the Google Calendar itself, but would I possibly have to use my Google Sign-In client ID for the OAuth 2.0 authorization? I tried that client ID, but no error message came up in the first place, unlike with the Google Calendar client ID, so I think I'm on the right track. I just can't find any Google docs on this error.
Turns out I was right. I did have to use my OAuth 2.0 client ID instead of the Google Calendar client ID generated for me when enabling the Calendar API. Not only that, but I had to use a previous API key I made on the Google Developers Console.
I want to extend a project in a way that it can save files to Google Drive. To learn how this works I tried the Quick Start Example from the docs: https://developers.google.com/drive/v3/web/quickstart/js
Following the example I noticed that the example is creating an API key in the developer console. Following the same steps only returns a Client secret. I suspected this to be a naming problem and hoped that the two are the same.
Unfortunately, the example code does not work but loggs the following error:
{"error":{"errors":[{"domain":"usageLimits","reason":"keyInvalid","message":"Bad Request"}],"code":400,"message":"Bad Request"}}
In the request to:
https://content.googleapis.com/discovery/v1/apis/drive/v3/rest?pp=0&fields=kind%2Cname%2Cversion%2CrootUrl%2CservicePath%2Cresources%2Cparameters%2Cmethods%2CbatchPath%2Cid&key=[[my key]]
I checked that the right secret appears in the request url. Setting var API_KEY = '<YOUR_API_KEY>'; to an empty string is a workaround.
How can I debug this further? where do i get the right api key?
I run into this error recently. It is certain that Google Documentation is usually quite good, but in this case, the Google Drive API (https://developers.google.com/drive/api/v3/quickstart/js) it wasn't that clear. For this API in particular, you will require two credentials.
Under your project credentials section, you must create an OAuth 2.0 client for a web application and a API Key.
(Sorry for the Spanish in the screenshots)
Regarding the OAuth 2.0 client, not that I have restricted it to http://localhost
Concerning the API Key, note that I have restricted it to my Google Drive API
Then, in the index.html provided by the documentation, you can set your CLIENT_ID to the one obtained in the OAuth 2.0 client generation, and the API_KEY to the the one generated in the API Key process.
{"error":{"errors":[{"domain":"usageLimits","reason":"keyInvalid","message":"Bad Request"}],"code":400,"message":"Bad Request"}}
Means that the request you have made has not been properly authenticated.
API key is for accessing public data. Oauth2 client id and secret will be used to access private user data which file.list is. So i dont think this is a naming problem. Your code should be popping up requesting access of the user.
400. That’s an error.
Error: invalid_scope
You don't have permission to access some scopes. Your project is trying to access scopes that need to go through the verification process. {invalid = [https:// mail.google.com/]} If you need to use one of these scopes, submit a verification request.
This is the error that I am getting when I flowed the tutorial in this link:
https://developers.google.com/gmail/api/quickstart/js
In the link they asked me to access webserver via python but I am using apache.
So in the step 1.f, Authorized JavaScript origins: am using the link http:// localhost instead of http:// localhost:8000. What might be causing the error??
You may refer with this thread.
As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
This blog about how to fix this error might be also helpful.
I'm making an open source Node module that will require access to each user's private Google Drive files. I've been trying to wrap my head around all of these different authentication types, and have come to a road block. From what I've gathered, there are two primary types of authentication
I, the library author, provide in my library the public and private keys necessary to authenticate each user with OAuth2. This means giving them a URL to go to to give my app permission to access their data, and have them copy and paste an access code back into their terminal. I was able to run through this tutorial and get it working, but this method seems dangerous, because of the keys I have to package with my library, and unnecessarily difficult.
Have the user go to the Google API console, get their own API key, and provide that to my library through some sort of configuration file. No URL redirection, no copying and pasting, just some private credentials that only they have access to.
2 sounds a lot better to me: This library has absolutely nothing to do with me once it's in the user's hands, so it feels incorrect to have them authenticate with me. But from what I can find, the only way to do this with Google's API is to create a Google Service account, download the JSON they give you, go through a flow similar to the top comment on this blog post, and then manually give the service account email access to my personal Google Drive files. This seems hacky, and a lot of work to gain access to my own private data. Is there a better way to go about this? It seems strange to me that this fairly standard flow in other APIs is only available in Google's API through service accounts, but maybe there is a way and I'm just not seeing it. I'm fairly new to authentication, so any help at all is appreciated. Thanks!
First off I want to say that you cant release your open source project with the client id and client secrete that you created on Google Developers console this is against googles terms of service.
1.Developer credentials (such as passwords, keys, and client IDs) are intended to be used by you and identify your API Client. You will keep
your credentials confidential and make reasonable efforts to prevent
and discourage other API Clients from using your credentials.
Developer credentials may not be embedded in open source projects.
My Answer on another question about exposing client id in open source projects.
Second you could instruct your users to use either Oauth2 or a service account or both its really up to you.
If the user will only be accessing their own data and wont need to access someone else's data then they can use a service account you will need to instruct them in how to share a folder on Google Drive with the service account. However from your side permissions can be tricky when they are uploaded the service account will own the file uploaded to the users google drive account you will need to have the service account add permissions for the user so the user will then also be able to access said file.
The easiest way to go will be Oauth2 when the code uploads files they are owned by the authenticated user so you wont have the same permissions issue you had with a service account.
We're are developing a javascript facebook app which searches for users by using the graph api.
Currently we were informed by facebook that our app is using a graph search endpoint without an access token. Since we are doing all FB api calls from the js-sdk we thought a valid access token is always provided. I crosschecked this and e.g. the following request is made by the sdk:
https://graph.facebook.com/search?type=user&limit=10&offset=450&q=max&method=get&access_token=<TOKEN>&pretty=0&sdk=joey&callback=FB.__globalCallbacks.f3d041460c As you can see the call provides a valid access_token.
Our app is requesting the following scope from the user when he wants to use our app:
email read_friendlists read_stream user_events user_groups user_photos user_status
Checking this token with the graph api explorer's debug method does not show any errors: The token is valid, expires in one hour and it's assigned to me (a user).
What are we doing wrong? I haven't found a special scope for searching for users. Thank you.