In a browser, I can open my personal gmail account or I can open any delegated accounts by clicking the circle with my initial in and picking from the available delegates - no problem.
Via API however, I can get an access token for my personal account and use this to send mail from my own account. If I try to send from the delegated account then I get the error.
So I have a token for my personal account eg me#gmail.com
and post to https://gmail.googleapis.com/gmail/v1/users/**delegator#gmail.com**/drafts
because me#gmail.com has been delegated to by delagator#gmail.com I would expect the api call to work with my access token - in the same way as when I am signed in to my account in a browser then I can then open the delegator account without having to provide credentials again.
'{"error":{"code":403,"message":"Delegation denied for me#gmail.com","errors":[{"message":"Delegation denied for me#gmail.com","domain":"global","reason":"forbidden"}],"status":"PERMISSION_DENIED"}}'
Thanks for any help.
I think you are using a specific email address in the request. Maybe try by with userId="me".
Related
I try to get reports from power bi api. There is app with permissions, enter image description here. My request enter image description here. If i insert "openid" to scopes or any of Microsoft Graph scopes, request return access token. This token dont let me access to reports. If i insert "Report.Read.All" or any of Power BI scopes, i recieve invalid_grant error: 'The user or administrator has not consented to use the application with ID named 'Интеграция с Битрикс24'. Send an interactive authorization request for this user and resource.'. Request from error message was send was sent by me many times. enter image description here. Please tell me what could be the mistake. What setting could I forget?
need to insert full url scope in request body to access power bi token. https://analysis.windows.net/powerbi/api/Report.Read.All instead of Report.Read.All
I could help you with an alternative where you can update the Graph Client to a Newer version. The admin of the subscription can grant the consent through the portal as shown below from Home > App > API Permissions.
We have done the following steps:
Using the following Steps:
Revoke all admin consent.
Remove all permissions
Add removed permissions back.
Grant admin consent.
Here is the Microsoft Document which you can refer to : Construct the URL for granting tenant-wide admin consent
I'm trying to get Bing ads spends from my firm. According to the Microsoft documentation, I understood that it's mandatory to use Microsoft Azure portal, get developer_token, client_id, tenant_id, client_secret, and access/refresh token to download the csv files with the data I want.
So, this is what I did:
I've received an invitation from my firm to Microsoft advertising onto this email adress:
abc#myfirm.fr, and I've generated my developer token.
With this email address, I've created a web application onto Microsoft Azure portal, which allow all king of users. Getting client_id, tenant_id, and generated a client_secret.
The redirect URL that I have chosen is http://localhost (according to the documentation but not sure this is the good URL to choose).
With Postman, I have tried with this endpoint:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
and the params (previously obtained) needed for the OAuth 2.0 authentication to get my access token. Without success.
The issue is here.
When I request the access token, a new browser window opens, and asks for an email address on which to authenticate. I'm using my email address abc#myfirm.fr and I received authentication completed onto Postman but into the response body I have access_token: invalid.
The role of my account is super admin.
So I'm trying to authenticate with a professional Microsoft Azure Account and this time I received into the browser Invalid redirect url.
I have also tried to start all over again with different email address, like my personal email address, or with the email address of the creator of the Microsoft Advertising account, and I get the error contact your system Admin into the browser.
I have also tried with the Python SDK project given in the documentation, with the error message.
I must have forgotten or misunderstood something.
Should we use the same email address (or same account) on Microsoft Advertising, on Microsoft Azure, and when obtaining the access token?
Do you have to pay and take an Azure subscription? (Already done but without success)
Thanks in advance, sorry for my English.
EDIT:
Thank for ypur reply. The full request is: https://login.microsoftonline.com/common/oauth2/v2.0/authorize with the following params:
-type: OAuth 2.0
-Header Prefix: Bearer
-Grant Type: Authorization Code
-Callback URL: https://localhost
-Auth URL: https://login.microsoftonline.com/{my-tenant_id}/oauth2/v2.0/authorize
-Access Token URL: https://login.microsoftonline.com/{my-tenant_id}/oauth2/v2.0/token
-my client id
-my client secret
-scope: https://ads.microsoft.com/ads.manage OR also testing with https://graph.microsoft.com/User.Read
-State: None
-Client authentication: send client credentials in body
Give me an access_token but when I click on use token and send the request, I'm not getting an refresh token
Once a user provides consent, you can get an access token and act on behalf of the user.
So when the browser session starts, you should enter your Microsoft Advertising credentials.
Remember to set scope=https://ads.microsoft.com/ads.manage in the request for acquiring the authorization code.
If you prefer to automate this process, you can refer to this script and steps to obtain an access token.
When I send an email using the GMail API, I get an Access Token for the user to whom the message is to be sent and then when sending the message, I put some value in the From Field.
But no matter what I put in the from field, the message in the email shows as From "Me" and is in the Sent mails as well as Inbox.
Is there a way, I could use the Service Account to send the email, so that it does not show up as From "Me" and is also not in the Sent Mails.
You cannot use a service account to impersonate a free gmail account. I spent a lot of time confirming this after reading a reply that was here before. Maybe it worked at some point, but it doesn't anymore.
There is no way to share / grant another user permission to access
your standard gmail account. So there is no way for you go delegate
the permissions for bob#mycompany.com to access bob#gmail.com.
and
you can impersonate G-Suite accounts but not Gmail accounts
These quotes are from Google's official C# Auth repo:
https://github.com/googleapis/google-api-dotnet-client/issues/1561
No. The Gmail API is for Gmail users and service accounts are just for doing auth to a real Gmail account, they don't have their own Gmail account, etc.
If you want to send the email from some service, you need some bulk-sending email service like at: https://cloud.google.com/compute/docs/tutorials/sending-mail/ or something you run yourself or from some other provider.
No, what you are looking for is a bulk email sending service. Checkout sendgrid , Amazon AWS SES, mandrill or if you want to stick with Google, this. You could of course run your own postfix server (although I'm assuming you were using gmail api for deliverability in the first place.
I am trying to access emails of an email address in custom domain(my.name#example.com) in google apps. I created service account but I get following error message when trying to read e-mails:
Error:"unauthorized_client", Description:"Unauthorized client or scope
in request.", Uri:""
I found that I have to delegate domain-wide authority to the service account. According to my understanding, after delegating, the service account will have access to all e-mail addresses in the domain(eg; john#example.com, sam#example.com ...). Is my understanding correct. If yes, is there a way that service account has access (can be impersonated) to only one e-mail address in the domain?
Have you authorized the Client Name and the API scopes in the GSuite admin console? It is required for the service account to work and the error you received seems to be related to the API access permissions.
More info at:
https://support.google.com/a/answer/162106?hl=en
I'm a Salesforce system administrator and I would like to use the Web Services API on behalf of (ie: impersonate) a Salesforce user that is part of my company.
More precisely, I'm looking for a feature similar to what Google Docs already provides: https://developers.google.com/google-apps/documents-list/#using_google_apps_administrative_access_to_impersonate_other_domain_users
Can this be done ?
Thanks !
The only way to do this is to authenticate with the API using the other user's credentials. This is a security feature that cannot be avoided.
This is should be possible if you have login access for that user and a tool to inspect a browser cookies.
When you're logged in as the test user open a cookie browser and grab the value in the "sid" cookie. This is a session id for that user and can be set in the headers of an api request instead of doing a login call.
I've haven't tried this. It's possible that this session id may only be valid for the browser and not the API. In that case you should probably just create a test user with the same profile and your email. If all else fails just ask the user to temporarily change their password and share it with you.