Non-technical person here 🙋‍♂️
I'm having an issue where (using the Oauth 2.0 Playground) I authorize an internal user's GMB account and configure real-time notifications to be sent to our GCP topic. Every few days or so, notifications stop getting sent to our topic and when I check the notification settings for that account, they have been subscribed to an unknown GCP topic. I can reconfigure the notifications settings again, but every few days they are reconfigured to the unknown GCP topic.
It's possible some other app is overwritting my changes periodically, but I am having trouble figuring out where they're coming from.
Is there a log I can review to know where the request to change the notification settings is coming from?
When using the OAuth 2.0 Playground to configure settings, do they "expire" at some point? If so, is how do I prevent that from happening?
Thanks in advance for your help!
You can start looking into when and who created the unknown GCP topics by checking your Cloud Logging for created topics. You can do this by:
Open your Google Cloud Console
Open "Logging"
There should be a "Query" tab and select it.
Input protoPayload.methodName="google.pubsub.v1.Publisher.CreateTopic" and click "Run Query". You can check this reference if you'd like to see other logs related to Pub/Sub.
Click "LAST 1 HOUR" to adjust the time parameters of your log query. (Example: adjust it to a whole month to query all Created topics within a month)
Click the ">" beside the result and expand the log.
There are lots of info like the created topic name, what email authenticated this request, etc. In your case you should look out for field authenticationInfo for you to check who invoked the request:
authenticationInfo: {
principalEmail: "email-used-to-create-the-topic#example.com"
principalSubject: "user:email-used-to-create-the-topic#example.com"
}
NOTE: For testing purposes I blacked out my project-id and email for this example. Also the topic I created is log-this-topic and the email in the log mine since I was the one that created the topic.
OAuth have set rules for expiration, you can check it on Refresh Token expiration.
Related
I am trying to obtain my production keys for my QBO app following the steps in this link
here
However, when I try to start the "App Assessment Questionnaire", I get the error message below:
You currently do not have a developer account, please click here to complete setting up your developer account. Once that is complete you will be able to access the help pages.
This is what I see, and I DO have a developer account. It won't let me continue.
Please help!
UPDATE
I see this error in the address bar:
ErrorCode=ERROR_CREATING_USER&ErrorDescription=License+Limit+Exceeded
UPDATE #2
I tried creating a brand new account, a new app, on a different PC and the same thing happened. So this is not a cache issue.
UPDATE #3
Created 2 support tickets for this issue
#00114423
#00114415
I had to use a different account to access the help site
https://help.developer.intuit.com
I've the same issue since Friday (02/18) and spent hours to figure out what's the problem.
tried from different browsers and different IP addresses
made a brand new developer account to test with it
had a 1+ hour chat session with QB support (but not developer support)
sent an email to an address received from the chat assistant
sent a feedback at https://www.surveymonkey.com/r/AppAssess
According to the browser's developer tools:
the Start questionnaire button opens this URL:
https://developers.intuit.com/app/developer/appdetail/prod/questionnaire?appId=xxxxx:UUID_of_app
then it redirects to:
https://login.salesforce.com/services/auth/sso/yyyyyyyyyyy/Intuit_Enterprise?community=https://help.developer.intuit.com
finally, SSO to salesforce fails and it redirects back to:
https://developer.intuit.com/app/developer/qbpayments/docs/qbms-payments/hosted-paypage/faqs/help-redirect?**ErrorCode=ERROR_CREATING_USER&ErrorDescription=License+Limit+Exceeded**+-+Customer+Community+Login&ProviderId=xxxxxx&startURL=%2Fs%2Fquestionnaire%3Fapp%yyyyyyyyyyyyy
So, it seems to be, QB have reached a license limit at salesforce, which prevents new logins to create and the questionnaire from to load.
And the funny part is: the same thing happens, when I tried to create a support ticket and used the "Ask a question" button at https://help.developer.intuit.com/s/
Which means, I can't start the questionnaire and can't start a ticket about the error either.
I guess, if QB developer accounts whom created support tickets previously or started the questionnarie before the license limit has been reached, they have have a SSO login account at salesforce and able to fill in the form or start new support tickets, but others are stuck because of the license limit.
If somebody have a working QB developer account and able to start a support ticket, please do it, and link this page in it.
Or maybe, we should contact salesforce support to let QB know about the license limit.
I'll give it a try.
This seems to have been fixed. I tried running the questionaire and it worked.
I have also been having this problem the last several days and had the same lack of success with QB support. The URL callback error I see is:
ErrorCode=REGISTRATION_HANDLER_ERROR&ErrorDescription=Please+sign+the+terms+of+service+before+you+login+to+community
I don't see anywhere I can sign a TOS in my account page - it's possible that in fact QBO hasn't signed a TOS with Salesforce. What a joke.
I have a simple azure logic app as follows.
Now I add a new action after the first one.
Select an email action.
Look for send email action
Now no mater what I do, I get this error
Please check your account info and/or permissions and try again. Details: REST API is not yet supported for this mailbox. This error can occur for sandbox (test) accounts or for accounts that are on a dedicated (on-premise) mail server. clientRequestId: 9295041e-4d27-4d7f-8ac7-9f90f1cc65ff serviceRequestId: 17c7df3b-7f07-6d27-4f7b-68a4475e9b55 More diagnostic information: x-ms-client-request-id is '51B43F16-6D7C-4BE7-9AE2-7B4A6B73BA49'.
I click Change Connection above and I see these increasing number of connection, and I find no way to delete them. See the last image at the bottom.
And when I click Save, I get this message.
Save logic app failed. Failed to save logic app vivek-logic-app. Some of the connections are not authorized yet. If you just created a workflow from a template, please add the authorized connections to your workflow before saving.
And finally when I click Api Connections, I find no connections to delete.
So two questions.
How to authorize hotmail account te be used by Azure Logic App
How to delete the un-necessary connections
Ok, here it is after a good 3 hour PIA.
For the connections to manage(or delete), look at the resource group and not the Logic app.
And next for the send email action, choose Outlook.Com connection and not Office 365 Outlook. Found the answer here. Mine is personal account and not for work or for school.
Once you setup this action successfully, you can take a look at this page for managing the connection access.
I have a little bit of problem with the authentication on Sitecore website. Basically there is a button on the navbar, and when user clicks on the button, it redirects the same user to Salesforce to log in (Implementation of SSO). Basically I am using Salesforce as a identity provider and Sitecore Website as a service provider. Now I have a question? When user is logged, how can I get the ID of that user.
Do users in Sitecore User Manager have the same ID as the users in Salesforce, or I can just get a email to identify the user?
P.S: Sorry if this is a really stupid question, but I am a begineer when it comes to making Sitecore websites and the SAML SSO. Thank you in advance
Stop with the Sitecore and Salesforce for a second, you'll need to cover some basics and click through the login process manually before you automate it.
You probably are using a "connected app" in Salesforce that includes OAuth2 config (consumer key also known as client id; a secret; a list of scopes telling what this app is allowed to do on behalf of this SF user; a list of allowed urls that can login using this consumer key and secret. Etc.) It might even have something about Canvas Apps at bottom of the page.
Next would be - who's logging in. A core Salesforce user or do you have Partner Community, Customer Community (recently rebranded to "Digital Experiences").
Open incognito window and go to https://openidconnect.herokuapp.com/
For login host leave as is if you have production user or test.salesforce.com if you go from sandbox (you can also use branded urls, mycompany--dev.my.salesforce.com etc). If you have a community user you'll have to change the url to whatever is the community base url, like https://dev-mycompany.cs123.force.com/mycommunity
Don't change anything else, click next, next, next. This will take you through OAuth2 "web server flow" (one of many ways to log in). You type the username/password to SF screen and go back to that herokuapp with "authorisation code". The app has few minutes to swap that code for actual final "access token" and couple other pieces of info. Final step in this wizard calls OpenId "userinfo" - returning some info about the user that logged in. That's where you could pull the email if needed (and if there are extra fields you'd like SF to return in this process that's configurable too)
Close that browser window. Check the "connected app" in SF. Open new incognito window, do same thing but this time put your url, consumer key and secret (you might have to edit the app in SF first to allow callbacks to https://openidconnect.herokuapp.com/callback).
So now you should have rough idea about whole login process. Your sitecore app probably does same thing, receives authorisation code and exchanges it for final token. At that point you have valid SF session ID you could use to call that "userinfo", run queries (if the app allowes API access, check the "scopes") etc.
I doubt the Sitecore developer created it all by hand, you probably have some Spring stuff like spring.security.oauth2.client... My Java days are long gone but if you get better at manual click-click-click through the flow you should be able to follow existing code?
It's a big topic and there are other ways to do it (other OAuth flows, sending info about the current user when you have external page embedded in SF as iframe, you'd need to read about "canvas apps")... but that's best guess based on info you provided. You might want to check some trailhead courses too like https://trailhead.salesforce.com/content/learn/projects/build-a-connected-app-for-api-integration/implement-the-oauth-20-web-server-authentication-flow
https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_oauth_and_connected_apps.htm
https://developer.salesforce.com/docs/atlas.en-us.api_streaming.meta/api_streaming/code_sample_auth_oauth.htm (Java but very hand-crafted raw HTTP, probably that Spring security is better)
I am creating a booking system with server to server auth with google calendar API.
Sometimes when I create events with the API I get this :
{
error: {
errors: [
{
domain: "usageLimits",
reason: "dailyLimitExceededUnreg",
message: "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.",
extendedHelp: "https://code.google.com/apis/console"
}
],
code: 403,
message: "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup."
}
}
But otherwise the API says the event has been created, but there is no event created in the calendar...
In all other cases event is created successfully, but this leads to missing events sometimes.
Where I can remove this limit, so all events that i create with the Api to be saved to google calendar?
It looks like there is an issue with Service Accounts inviting people to Calendar Events.
In case you own a GSuite domain, a current workaround would be performing Domain-Wide delegation. According to the documentation:
Go to your G Suite domain’s Admin console.
Select Security from the list of controls. If you don't see Security
listed, select More controls from the gray bar at the bottom of the
page, then select Security from the list of controls. If you can't
see the controls, make sure you're signed in as an administrator for
the domain.
Select Show more and then Advanced settings from the list of
options.
Select Manage API client access in the Authentication section.
In the Client Name field enter the service account's Client ID. You
can find your service account's client ID in the Service accounts
page.
In the One or More API Scopes field enter the list of scopes that
your application should be granted access to. For example, if your
application needs domain-wide access to the Google Drive API and the
Google Calendar API, enter: https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/calendar.
Click Authorize
Regarding the existing issue, you can click on the star next to the issue number to give more priority to the bug and to receive email updates.
Problems
As part of my task to provide the ability to manage events via the Google Calendar API. Events use two groups of guests (attendees):
- Group 1 is Google accounts with alternative mail from the same domain (for example site.com)
- Group 2 is person with email all around the world.
This may be a conference call with the participation of 3-10 people, and the annual meeting of about 100 guests. On all events there can be representatives from both groups.
But I am faced with a restriction on the use of the API, which does not allow us to accomplish this task. I managed to find out the cause of this error and reduce the data to analyze the problem to a minimum.
Workflow and mechanism
Group 1: Each Google Calendar user is a separate personal Google account with setting “Alternative emails” from the same domain. They have an additional shared calendar for these events, with email notification enabled.
Group 2: This is person with email all around the world, that may have an Google Calendar Account or do not, which are used as the Guest ID for the event.
The organizer (group 1) has an authorized valid access token. He creates an event with a the list of guests. As the guest ID is used Calendar_ID account.
At first, the event was successfully saved correctly and the notification was received for external participants successfully, without errors. But after several repetitions of creating events similar in parameters, an error began to occur. I get the Calendar usage limits exceeded error:
{"error": {"errors": [{"domain": "usageLimits", "reason": "quotaExceeded", "message": "Calendar usage limits exceeded."}], "code": 403, "message ":" Calendar usage limits exceeded. "}}
Although if you save the event only for yourself in own calendar_id without any participants, the following error does not occur!
I have processed enough materials and similar problems from sites:
- https://developers.google.com/calendar/support
- https://stackoverflow.com/questions/tagged/google-calendar-api
- https://productforums.google.com/forum/#!forum/calendar
There are several pages indicating a similar problem, but there are no specific solutions or workarounds.
And I see only one real reason for the appearance of such a restriction:
https://support.google.com/a/answer/2905486?hl=en
"Sending too many invitations or emails to external guests". Perhaps I have reached this limit of 100-300. But what to do with it?
Additional investigation
For the tests I have created a completely new test environment:
1. A separate Google user has been created as an organizer, with his own calendar and additional calendar.
2. Created a separate Google user as a guest for the event, with your calendar and additional calendar
3. All creation of events was used via web calendar.google.com interface.
As result:
- An additional attendee's calendar has reached the limit after creating the 4th event, within 5 minutes
- The main calendar - after creating the 15th event, within 15 minutes
I got a restriction that I should try to create an event later. Perhaps there is some kind of limiter on the frequency of creating/updating an event, but nowhere is this mantioned.
With a break of 4 hours, I was able to create only 5 events for the main calendar, I could not add an additional event to the additional calendar due to an error.
Questions
1. How do I get around these calendar blocking restrictions? In addition, all guests receive this event as desired and are clearly ready to confirm receipt of such events (subscribe to events from certain organizers).
Is it possible to perform this task using G Suite solution or another similar?
Could you please provide me with some an extended documentation on the API of the Calendar about:
conditions for calendar limitation exceeded (I have not found these criterias for using the API of the Calendar on the official website and pages of official forums)
time to unlock to save/update the event, after the occurrence of "Calendar usage limits"
Thanks in advance for your rapid reply as soon as possible.
Based from this support page:,
Calendar usage limits exceeded. This is the result of an API call. (Don't mix this up with the message "Daily quota exceeded," which points to insufficient API quota.)
It also means that the user reached one of the Google Calendar limits in place to protect Google users and infrastructure from abusive behavior. (Reference.)
Suggested actions:
Read more on the Calendar usage limits in the G Suite Administrator help.
If one user is making a lot of requests on behalf of many users of a G Suite domain, consider using a Service Account with authority delegation (setting the quotaUser parameter).
Use exponential backoff.