I am setting up a topic and trying to grant permission to gmail to send email notification to this topic, but the API call throws "User not authorized to perform this action". I get the same error when I tried from the https://cloud.google.com/pubsub/reference/rest/v1/projects.topics/setIamPolicy. BTW, I started seeing this issue recently. It was working fine before.
POST https://pubsub.googleapis.com/v1/projects/macro-xxxxx-xxx/topics/exxxxx-inxxx:setIamPolicy?key={YOUR_API_KEY}
{
"policy": {
"bindings": [
{
"role": "roles/pubsub.publisher",
"members": [
"serviceAccount:gmail-api-push#system.gserviceaccount.com"
]
}
]
}
}
{
"error": {
"code": 403,
"message": "User not authorized to perform this action.",
"status": "PERMISSION_DENIED"
}
}
Appreciate any help, Thanks.
You likely do not have permission to modify the topic in question. You need at least the Pub/Sub Editor or Pub/Sub Admin permission to modify the allowed publishers on a topic. These can be more easily changed in the IAM Console than by the REST API.
Related
I'm getting forbidden 403 error when hitting Gmail API get message through postman please help me how to solve this. error
https://www.googleapis.com/gmail/v1/users/userId/messages
this url for getting message list
https://www.googleapis.com/gmail/v1/users/userId/messages/id
this is for getting message for particular id
I can able to hit the get message list API but get Message API not working for me
I'M doing all these stuff through postman
error message :
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Metadata scope doesn't allow format FULL"
}
],
"code": 403,
"message": "Metadata scope doesn't allow format FULL"
}
}
This is another disappointing design in the Gmail API. I resolved this issue with the following steps:
Remove GmailScopes.GMAIL_METADATA from scopes setup.
Remove the credential file from your local FileSystem. This file is generated by Google's Authorization Flow which store your credential locally.
Re authorize your app by signing in again https://accounts.google.com/o/oauth2/auth?access_type=offline....
Hope this helps you guys out.
I'm trying to develop an app in my enterprise and I've followed this tutorial to get access to the AD users information. Meaning:
I created an app in https://apps.dev.microsoft.com/
I set User.Read.All in Application Permissions and User.Read in Delegated Permissions
With this done I'm able to successfully login (Azure AD OAuth2 with https://graph.microsoft.com/ as resource and User.Read as scope) and get a correct response from https://graph.microsoft.com/v1.0/me.
Ask the Admin for the Delegated Permissions
With this, my admin can see in the azure portal that my App has both permissions consented by himself.
This is working because I asked a coworker to log in and I could get a correct response from https://graph.microsoft.com/v1.0/me even though he wasn't even prompted to consent this (Before the admin consenting the permissions the user was prompted)
Request a token from https://login.microsoftonline.com/common/oauth2/token with client_credentials as a response_type
Receive the token!
Do a GET request to https://graph.microsoft.com/v1.0/users and receive:
{
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {
"request-id": "b2d9ec62-0b65-44eb-9e0f-4aec52b45750",
"date": "2017-03-22T19:19:48"
}
}
}
Furthermore, doing a request to https://graph.microsoft.com/v1.0/me returns:
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request",
"innerError": {
"request-id": "047e2ba9-a858-45fc-a0dd-124e1db503f3",
"date": "2017-03-22T19:39:25"
}
}
}
Which leads me to believe that Microsoft knows this token and knows it is not impersonating any user.
I've been looking for documentation on Azure AD and Microsoft Graph authentication but I only find blog posts and all seem outdated (although most features are in preview).
If you could point me in the right direction I would thank you.
I've also found this and this similar questions on SO but they all remain unanswered.
Update, after this answer
Thank you, Dan,
I've used my organization domain name and I'm also able to get a token.
Now the response from https://graph.microsoft.com/v1.0/users/ is:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "3f190b47-73f5-4b29-96f9-54ed3dbc3137",
"date": "2017-03-23T11:07:15"
}
}
}
Which makes no sense because in the azure portal I have User.Read.All as Application Permission (already consented by the admin).
I think the problem is with the request for the token, that returns successfully no matter the scope I send, even if I made one up.
For Example:
POST https://login.microsoftonline.com/<domain>/oauth2/token
client_id:*******
client_secret:*******
resource:https://graph.microsoft.com/
grant_type:client_credentials
scope:Foo.Bar
Returns:
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1490271617",
"not_before": "1490267717",
"resource": "https://graph.microsoft.com/",
"access_token": *****
}
I had two problems, both not covered documentation:
For client credentials, if the app belongs to a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name (thanks to Dan Kershaw)
For https://graph.microsoft.com/v1.0/users or https://graph.microsoft.com/v1.0/users/{id | userPrincipalName} you need Directory.Read.All permission.
Note:
User.Read.All is relevant for Microsoft to stop requesting permissions (delegation) to the user when you ask for User.Read in the OAuth workflow. Check this and other Permission related issues in the Release Notes.
I've added this issue to the Microsoft Graph Docs!
The /me segment is a shortcut or alias for the currently signed-in user. The request to /me will never work with an application token, because it doesn't contain any user context (or signed in user) - and hence the error. We might be able to improve this error though ;)
I believe when using the client credentials flow, you need to specify the actual tenant that you want a token for.
If you're app is performing this operation in a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name, and see if that works.
If you are following https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds it looks like we might have a couple of doc bugs in there that we need to fix...
Hope this helps,
I'm trying to get the signature for a delegated account using the new User.settings capabilities in the Gmail API.
https://developers.google.com/gmail/api/v1/reference/users/settings/sendAs/get
I have two accounts in the same Apps org but with different domain names. In the Gmail UI, I log in via my "primary" account and in the accounts list I see the "secondary" account with "(delegated)" appearing after the email address.
However, if I try and do this:
GET https://www.googleapis.com/gmail/v1/users/secondary%40domainB.com/settings/sendAs/secondary%40domainB.com?key={MY_API_KEY}
I get this 403 error:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Delegation denied for primary#domainA.com"
}
],
"code": 403,
"message": "Delegation denied for primary#domainA.com"
}
}
Is this not supported or am I taking the wrong approach?
did you gave the domain wide delegation to your service account?
The Gmail API does not currently support access by delegates (see this answer). You need to either use 3LO credentials or service account credentials with domain-wide delegation.
How can I recognize Google accounts without Gmail?
I use OAuth2 for authorization and then download user messages.
But if Google account hasn't Gmail, then I receive the error while getting data from api:
{
"errors": [
{
"domain": "global",
"reason": "failedPrecondition",
"message": "Bad Request"
}
],
"code": 400,
"message": "Bad Request"
}
What is the best way to detect accounts without Gmail?
Now I just send test GET request to gmail-api and check that it returns OK.
But I'm looking for best solution.
I believe I've gone through all the steps of creating a (web) client-id for authorizing requests from the Mirror API Playground, yet when I hit the Authorize button, and then Insert a card from a template, nothing is sent to glass.
I also note that the Timeline tab below is empty.
Web I bring up developer tools, I note that the POST to https://www.googleapis.com/rpc is returning results:
[
{
"error": {
"code": 403,
"message": "Access Not Configured",
"data": [
{
"domain": "usageLimits",
"reason": "accessNotConfigured",
"message": "Access Not Configured"
}
]
},
"id": "gapiRpc"
}
]
Am I missing something in how to authorize the Mirror Playground?
You need to enable the Google Mirror API.
Do this by toggling the switch on the Services panel for your project as pictured here:
. This toggle will only be visible if you have been whitelisted for the Google Mirror API as part of the developer preview.