We would like to automatically create a project ID and install our ULAPPH Cloud Desktop application using the App Engine Admin API (REST) and Golang.
https://cloud.google.com/appengine/docs/admin-api/?hl=en_US&_ga=1.265860687.1935695756.1490699302
https://ulapph-public-1.appspot.com/articles?TYPE=ARTICLE&DOC_ID=3&SID=TDSARTL-3
We were able to get a token but when we tried to create a project ID, we get the error below.
[Response OK] Successful connection to Appengine Admin API.
[Token] { "access_token" : "TOKEN_HERE", "expires_in" : 3599, "token_type" : "Bearer" }
[Response Code] 403
[Response Body] { "error": { "code": 403, "message": "Operation not allowed", "status": "PERMISSION_DENIED", "details": [ { "#type": "type.googleapis.com/google.rpc.ResourceInfo", "resourceType": "gae.api", "description": "The \"appengine.applications.create\" permission is required." } ] } }
We are just using the REST API calls. Request for token was successful as you can see above and the scope is ok as well. Now, when we posted the request to create application, we are having the error that says "appengine.application.create" permission required.
How do we specify the permission?
What are the possible reasons why we are getting that error? Do we missed to send a field in JSON or in query?
As per below link, we just need to pass the json containing the id and location. We also just need to pass the token in the Authorization header. The same logic I have used successfully in accessing Youtube, Drive APIs etc so not sure what needs to be done since I have followed the docs available.
I have also posted the same issue in Google Groups and now waiting for their reply.
It seems you've given no details about how you set up the account you're using to authorize the request. You'll need to make sure the appengine.applications.create permission is given to the account you're using, as mentioned in the error text. You can use the Google Identity and Access Management (IAM) API for this.
(by the way, I'd given this answer in the original thread, although you didn't reply or seem to take action on it. check it out! this is likely the solution you need!)
Related
I have registered an application on our Azure AD, and granted it the Sites.Selected permission as well as granting it access to a specific Sharepoint site following this guide. (Sites.ReadWrite.All is not an option as it would give access to all sites)
https://ashiqf.com/2021/03/15/how-to-use-microsoft-graph-sharepoint-sites-selected-application-permission-in-a-azure-ad-application-for-more-granular-control/
Now I am trying to use Postman to send web requests to the Microsoft Graph API in order to upload large files so I want to use the createUploadSession endpoint.
https://graph.microsoft.com/v1.0/sites/{{site_id}}/drive/items/{{Item_id}}:/test.rtf:/createUploadSession
But I get the error:
{
"error": {
"code": "notAllowed",
"message": "Operation not allowed",
"innerError": {
"date": "2022-02-04T14:04:37",
"request-id": "06e86b5b-6067-4d7b-9ce9-af41de95406f",
"client-request-id": "06e86b5b-6067-4d7b-9ce9-af41de95406f"
}
}
}
I know the authentication token I use is valid because a request to directly upload a file works fine and uploads the file.
https://graph.microsoft.com/v1.0/sites/{{site_id}}/drive/items/{{Item_id}}:/test.rtf:/content
Any ideas for what could be wrong with my request to start an upload session?
I suppose that item_id is id of the destination folder but I'm not sure whether you can upload large this way
v1.0/sites/{{site_id}}/drive/items/{{Item_id}}:/test.rtf:/createUploadSession
Try to specify the path to the file from the root
POST v1.0/sites/{{site_id}}/drive/items/root:/test.rtf:/createUploadSession
Also check whether the POST HTTP method is set.
I am trying to make an API call to get order metrics from the amazon seller central page from Postman App. I have followed all the steps in the documentation.
I self authorized my app using the refresh token found on the Developer Central page. I am able to generate the access token using the refresh token. When making a request to the api to get order metrics, the query parameters are :
marketplaceIds : A21TJRUUN4KGV (India)
interval : 2021-01-01T00:00:00-07:00--2021-09-04T00:00:00-07:00
granularity : Day
The AWS signature for this request has my access key and secret key derived from when I created the IAM User. The region is eu-west-1 and service name is execute-api.
In the headers I have passed
x-amz-access-token: Atza|IwExxxxxxx
user agent:PostmanRuntime/7.26.8
Host: sellingpartnerapi-eu.amazon.com
x-amz-date : calculated when request is sent
After sending the request I get this response:
{
"errors": [
{
"message": "Access to requested resource is denied.",
"code": "Unauthorized",
"details": ""
}
]
}
403 Forbidden: Request is legal but server is refusing to respond. Authenticating will make no difference.
I have logged case with Seller Central support but it has been over a month and they haven't replied. Please tell me what should I add or remove or check to make this request work.
https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/id_credentials_temp_request.html
Following this gave me temporary access token, access secret key and session token. Using that in the AWS signature for getting orders gave the desired output.
I am trying to follow this Get access without a user to get access token. I am getting access token using API request https://login.microsoftonline.com/<-tenant-id->/oauth2/token. When i used step 5 for above given link i got the following error :
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure. Invalid audience.",
"innerError": {
"request-id": "e9e9820e-2a3f-411a-bc77-760c9369fc8f",
"date": "2020-01-02T06:17:41"
}
}
}
I have registered app with the following permission : Calendars.Read, Calendars.ReadWrite, Sites.Read.All, User.Read, User.Read.All and have generated secret key and registered redirect url as :
User.Read.All.
My questions are:
1. Have i done anything wrong while creating app?
2. Why step 4 is not working of the link?
3. Did i get wrong access access using the above given api request?
In step 5, it calls the Microsoft Graph - Get a user, so make sure your app has the User.Read.All Application permission in Microsoft Graph(must be application permission, not delegated permission), after adding the permission, it appears like below(Note: don't forget to click the Grant admin consent button)
In the doc you provided, it uses the v2.0 endpoint /oauth2/v2.0/token, but you use the v1.0 endpoint /oauth2/token in your question.
So please change the request URL to /oauth2/v2.0/token, then use the one below.
Request URL:
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Request body:
client_id=xxxxxxxxxxxxxxx
&scope=https://graph.microsoft.com/.default
&client_secret=xxxxxxxxxxxxxxxx
&grant_type=client_credentials
You can get the token in the postman.
Then use the token to call the Get a user API:
GET https://graph.microsoft.com/v1.0/users/<object-id of the user>
I'm trying to develop an app in my enterprise and I've followed this tutorial to get access to the AD users information. Meaning:
I created an app in https://apps.dev.microsoft.com/
I set User.Read.All in Application Permissions and User.Read in Delegated Permissions
With this done I'm able to successfully login (Azure AD OAuth2 with https://graph.microsoft.com/ as resource and User.Read as scope) and get a correct response from https://graph.microsoft.com/v1.0/me.
Ask the Admin for the Delegated Permissions
With this, my admin can see in the azure portal that my App has both permissions consented by himself.
This is working because I asked a coworker to log in and I could get a correct response from https://graph.microsoft.com/v1.0/me even though he wasn't even prompted to consent this (Before the admin consenting the permissions the user was prompted)
Request a token from https://login.microsoftonline.com/common/oauth2/token with client_credentials as a response_type
Receive the token!
Do a GET request to https://graph.microsoft.com/v1.0/users and receive:
{
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {
"request-id": "b2d9ec62-0b65-44eb-9e0f-4aec52b45750",
"date": "2017-03-22T19:19:48"
}
}
}
Furthermore, doing a request to https://graph.microsoft.com/v1.0/me returns:
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request",
"innerError": {
"request-id": "047e2ba9-a858-45fc-a0dd-124e1db503f3",
"date": "2017-03-22T19:39:25"
}
}
}
Which leads me to believe that Microsoft knows this token and knows it is not impersonating any user.
I've been looking for documentation on Azure AD and Microsoft Graph authentication but I only find blog posts and all seem outdated (although most features are in preview).
If you could point me in the right direction I would thank you.
I've also found this and this similar questions on SO but they all remain unanswered.
Update, after this answer
Thank you, Dan,
I've used my organization domain name and I'm also able to get a token.
Now the response from https://graph.microsoft.com/v1.0/users/ is:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "3f190b47-73f5-4b29-96f9-54ed3dbc3137",
"date": "2017-03-23T11:07:15"
}
}
}
Which makes no sense because in the azure portal I have User.Read.All as Application Permission (already consented by the admin).
I think the problem is with the request for the token, that returns successfully no matter the scope I send, even if I made one up.
For Example:
POST https://login.microsoftonline.com/<domain>/oauth2/token
client_id:*******
client_secret:*******
resource:https://graph.microsoft.com/
grant_type:client_credentials
scope:Foo.Bar
Returns:
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1490271617",
"not_before": "1490267717",
"resource": "https://graph.microsoft.com/",
"access_token": *****
}
I had two problems, both not covered documentation:
For client credentials, if the app belongs to a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name (thanks to Dan Kershaw)
For https://graph.microsoft.com/v1.0/users or https://graph.microsoft.com/v1.0/users/{id | userPrincipalName} you need Directory.Read.All permission.
Note:
User.Read.All is relevant for Microsoft to stop requesting permissions (delegation) to the user when you ask for User.Read in the OAuth workflow. Check this and other Permission related issues in the Release Notes.
I've added this issue to the Microsoft Graph Docs!
The /me segment is a shortcut or alias for the currently signed-in user. The request to /me will never work with an application token, because it doesn't contain any user context (or signed in user) - and hence the error. We might be able to improve this error though ;)
I believe when using the client credentials flow, you need to specify the actual tenant that you want a token for.
If you're app is performing this operation in a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name, and see if that works.
If you are following https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds it looks like we might have a couple of doc bugs in there that we need to fix...
Hope this helps,
I'm trying to implement checking availability for specific user (actually a room) in O365 calendar. I'm using Graph API as it's recommended by Microsoft.
My first approach was using POST on https://graph.microsoft.com/v1.0/me/findMeetingTimes with the message body prepared according to template given in Graph API Explorer. On the API Explorer everything seems to work fine but when I try to run exactly the same request with my applications token I receive 403:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "b130177d-e138-4cc7-8e72-5d3529a9dc24",
"date": "2017-03-21T08:47:10"
}
}
}
I checked the app's delegated permissions in AAD and they seem to be fine. For Microsoft Graph those are granted:
Calendars.ReadWrite.Shared
Calendars.Read.Shared
Calendars.ReadWrite
Calendars.Read
I get exactly the same response (403) when I try to simply list user's events: https://graph.microsoft.com/v1.0/users//events In Graph API Explorer 500 is returned.
I found the following bug description: https://github.com/microsoftgraph/microsoft-graph-docs/issues/559 (and probably this one too) Is it related with the issues above?
Any clue what I might be doing wrong?
Is there any other way to achieve the same using different endpoint or API assuming that I still want to use oAuth for authorization?
I will be grateful for any hint
Update: Outlook Calendar API seems to work. Still appreciate any ideas why Graph API doesn't?
The FindMeetingAPI needs A work or a school account . If you are logging in using your personal email ID , you might not be able to login. Moreover , you need to set permissions to Calendars.Read Calendars.Read.All Calendars.ReadWrite User.Read"