On creating a new service account via Google Console, when then sharing a calendar with the service account, the calendar doesn't appear in the calendarList response for the authenticated service account.
This was working okay for some time but appears to have started failing more recently.
Oddly, if I delete the shared account entry on the calendar and then add it back in, it usually works. It doesn't appear to be a time delay as have waited hours initially and always zero results in the calendar list, until removing the shared account on the calendar and resharing.
The following are steps I've used to reproduce:
In Google Console web UI, create a new service account with 'Furnish a new private key' selected to download the JSON key.
In the Google Calendar web UI, go to calendar settings and 'Share this calendar', then share the calendar with the service account email, then save the changes.
In REST calls, authenticate with the JSON key with POST call to oauth2/v3/token
Send GET request for calendar/v3/users/me/calendarList
then optionally to show it working...
Delete the service account share from the calendar and save.
Add the service account email to the calendar share and save.
Repeat steps 2 and 3. This time it will probably work.
This is partially a manual process for our end users to create a service account and share calendars via Google web UI. Note I've been using additional calendars on my own Google account to share with the service account (this reflects our end user use case), rather than just the default calendar.
Client code is REST based. To provide an example I have shown the REST requests and responses below. There are simply two requests, one to authenticate and one to fetch the calendarList. These occur after the manual steps in the UI to create a service account and then share a calendar with that account.
---
Request:
POST https://www.googleapis.com/oauth2/v3/token HTTP/1.1
Accept: application/json, application/xml, text/json, text/x-json, text/javascript, text/xml
User-Agent: RestSharp/105.2.3.0
Content-Type: application/x-www-form-urlencoded
Host: www.googleapis.com
Content-Length: 758
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=[ASSERTION_JWT_HERE]
Response:
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 14 Mar 2017 20:17:18 GMT
Vary: Origin
Vary: X-Origin
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Content-Length: 197
{
"access_token": "ya29.ElkOBAzSOzE_J2VOGFeWnTAGXdtoadW2FbnGga99SrMeamL7j6KetKomvT4aoy4jsRCcXpK-N6sxRBLFUaj_kPWFin4m6xvg_CtaTtkG5tVc_IxS7IezJDf32g",
"token_type": "Bearer",
"expires_in": 3600
}
---
---
Request
GET https://www.googleapis.com/calendar/v3/users/me/calendarList?minAccessRole=reader HTTP/1.1
Authorization: Bearer ya29.ElkOBAzSOzE_J2VOGFeWnTAGXdtoadW2FbnGga99SrMeamL7j6KetKomvT4aoy4jsRCcXpK-N6sxRBLFUaj_kPWFin4m6xvg_CtaTtkG5tVc_IxS7IezJDf32g
Accept: application/json, application/xml, text/json, text/x-json, text/javascript, text/xml
User-Agent: RestSharp/105.2.3.0
Host: www.googleapis.com
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Expires: Tue, 14 Mar 2017 20:17:19 GMT
Date: Tue, 14 Mar 2017 20:17:19 GMT
Cache-Control: private, max-age=0, must-revalidate, no-transform
Vary: Origin
Vary: X-Origin
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 202
Server: GSE
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
{
"kind": "calendar#calendarList",
"etag": "\"p328bl14pt3bd40g\"",
"nextSyncToken": "CJC6hJno1tICEj10ZXN0MS05MjhAY2FsZW5kYXItY29ubmVjdG9yLS0tb25lbGFuLmlhbS5nc2VydmljZWFjY291bnQuY29t",
"items": []
}
---
Note, I haven't provided the actual JWT for the ouath request, but the authentication is working fine. Also note the calendar is shared as either read or modify with the service account. I can also query the calendar itself and fetch events using the service account, but it is querying the list of calendars associated with the account that fails.
Had also raised this as an issue here but posting this here also in case I'm missing something, although as said all this was working fine until more recently, and our existing unchanged client software has started failing with newly created service accounts.
When you share a calendar with someone VIA the google calendar website the code on the website automatically adds the calendar to the users calendar.list. All the calendarlist is the list on the bottom left of the google calendar website. A user can have access to a calendar without it being in their calendarlist.
When sharing a calendar wish a service account this does not always happen. None of the service accounts I have shared my calendars with have ever had anything in their calendarlist. If you need it to be in the calendarlist then you should have the service account insert it. Using CalendarList: insert just grab the calendar id in question off of the website.
Related
I have a question about authenticating to azure mobile management API, to send push informations to the API.
I well manage to authentify and receive a token bearer matching to the provided data (tenant id, client id, client secret...), but when I try to create a campaign, I receive the following response :
[2016-10-25 11:45:51] (::1) fail to send send request https://management.azure.com/subscriptions/fb8226dc-194f-4562-9dc9-c72f56bd728a/resourcegroups/MobileEngagement/providers/Microsoft.MobileEngagement/appcollections/XX-Collection/apps/XX-TEST-android/campaigns/announcements?api-version=2014-12-01
with {"name":"The Evian Championship 20... - 25/10/2016
11:45:50","type":"only_notif","deliveryTime":"any","pushMode":"one-shot","notificationTickerIcon":true,"notificationIcon":true,"notificationCloseable":true,"notificationSound":true,"notificationVibrate":false,"notificationTitle":"Soci\u00e9t\u00e9
G\u00e9n\u00e9rale","notificationMessage":"The Evian Championship
2016","actionUrl":"://webviews/main/build/events.html","notificationType":"system"}
| "HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
x-ms-failure-cause: gateway
x-ms-request-id: 40e30675-2144-452a-9ab9-632a393d8783
x-ms-correlation-request-id: 40e30675-2144-452a-9ab9-632a393d8783
x-ms-routing-request-id: WESTEUROPE:20161025T094550Z:40e30675-2144-452a-9ab9-632a393d8783
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Tue, 25 Oct 2016 09:45:49 GMT
Connection: close
Content-Length: 281
{"error":{"code":"InvalidAuthenticationToken","message":"The received access token is not valid: at least one of the claims 'puid'
or 'altsecid' or 'oid' should be present. If you are accessing as
application please make sure service principal is properly created in
the tenant."}}" was returned
Here's the request :
POST
/subscriptions/fb8226dc-194f-4562-9dc9-c72f56bd728a/resourcegroups/MobileEngagement/providers/Microsoft.MobileEngagement/appcollections/XX-Collection/apps/XX-TEST-android/campaigns/announcements?api-version=2014-12-01
HTTP/1.1 Host: management.azure.com Authorization: bearer
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ikk2b0J3NFZ6QkhPcWxlR3JWMkFKZEE1RW1YYyIsImtpZCI6Ikk2b0J3NFZ6QkhPcWxlR3JWMkFKZEE1RW1YYyJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tLyIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzRmNGFkYjA3LWU5OWQtNDg5NC04OGZjLTZkYzc4ODAzNDI3Zi8iLCJpYXQiOjE0NzczOTUxNzEsIm5iZiI6MTQ3NzM5NTE3MSwiZXhwIjoxNDc3Mzk5MDcxLCJhcHBpZCI6IjUzNzMyOTAwLTU2NGMtNGI2OS1hNGRhLTU0OTQ0ODVkYTFhNiIsImFwcGlkYWNyIjoiMSIsImlkcCI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzRmNGFkYjA3LWU5OWQtNDg5NC04OGZjLTZkYzc4ODAzNDI3Zi8iLCJ0aWQiOiI0ZjRhZGIwNy1lOTlkLTQ4OTQtODhmYy02ZGM3ODgwMzQyN2YiLCJ2ZXIiOiIxLjAifQ.WvWXETt9IFy_eX2Q8LlguTec9KA2TLgILUs10QULNMYgf1sHUpXdnRhDBqq5Foo_gwF_u2zl1NNYRLmdN3Q0IR3LPspiutAhC_KXvGXmJH2TtxTi9U2bt1Zvf5BsafHkxDdlDG6vymu-3O4cK9HQMu7l0XtPqzcEHcQny94xAq66_TSNa3FhZclwEBnaTI81B5g9NzvET10C0j8ZW0OsRNzc0-czS8RqtXulp1rkIEQc7VhTTDx9feSPi3BJlyhiKxUzfnEn8xUkfqlUEQuqyerqUoRIlbFvhhOT7Gjo6_WJN21Wn-23gcEchaRETWzYh-nTJSeKFzwA-mROOdmUzw
User-Agent: Guzzle/5.3.1 curl/7.50.0 PHP/5.6.25 Content-Length: 455
(note : I changed some characters in this displayed bearer by security reasons)
The (real) bearer was obtained requesting https://login.microsoftonline.com/{TENANT_ID}/oauth2/token, using this body :
grant_type=client_credentials&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&resource=https://management.azure.com/
Would you have an idea about the reason why the API returned this message ?
Thanks a lot !
The received access token is not valid: at least one of the claims 'puid' or 'altsecid' or 'oid' should be present. If you are accessing as application please make sure service principal is properly created in the tenant
It seems that your access token is not valid. I would suggest you follow with this article to get a new token then try again.
I have a facebook canvas app and I'm running both the same code and same redirect_uri for web and mobile, it works without issue in my web configuration but my mobile version doesn't. My app is a responsive app, so even the URLs within the facebook configuration are identical.
The method I'm using for both to generate the url
List<NameValuePair> qparams = new ArrayList<>();
qparams.add(new BasicNameValuePair("client_id", facebookClientId));
qparams.add(new BasicNameValuePair("redirect_uri", "https://apps.facebook.com/customdomain"));
qparams.add(new BasicNameValuePair("client_secret", facebookClientSecret));
qparams.add(new BasicNameValuePair("code", code));
uri = new URIBuilder()
.setScheme("https")
.setHost("graph.facebook.com")
.setPath("/oauth/access_token")
.setParameters(qparams)
.build();
website url https://local.mydomain.com:8443/test/facebook/auth
mobile url https://local.mydomain.com:8443/test/facebook/auth
Canvas URL
https://local.mydomain.com:8443/test/facebook/auth/
auth urls
https://local.mydomain.com:8443/test/facebook/auth/
https://apps.facebook.com/customdomain
App domain
https://apps.facebook.com/customdomain
Working url from website
https://graph.facebook.com/oauth/access_token?client_id=578152068997908&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fmydomain&client_secret=xxxx&code=AQBQ_VZlxKWqMfmC2neu8DIllor0Lrp1wvLvtSD5do3PyMfO_jxiEjcGEbZ-a0bEJbe6Ya9Noh9esXm2mgmgw0zP9OQOM-2h7VBYkruix0o7isKWwYkksFAi-i2qpUmTBcb0YxAqrn5y2aEWk8GxmhEVAgsW3GGLksNTndhZr3NYDs5Mi4GtmsjMKJbO8dTzePDrh4iSz_Qv0fmgalkDhIRmM7zsjodFPkytL4rlzG9Q4oN14qEhpBUmISnu8cAQcLvOlYACD17nFqhyq-BOVmX8PpUNRFdoHDk9KUTUv7c8PbfVGOBmWeJJKxWdZ0ncUu0
Non working mobile
https://graph.facebook.com/oauth/access_token?client_id=578152068997908&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fmydomain&client_secret=xxxx&code=AQBQ_VZlxKWqMfmC2neu8DIllor0Lrp1wvLvtSD5do3PyMfO_jxiEjcGEbZ-a0bEJbe6Ya9Noh9esXm2mgmgw0zP9OQOM-2h7VBYkruix0o7isKWwYkksFAi-i2qpUmTBcb0YxAqrn5y2aEWk8GxmhEVAgsW3GGLksNTndhZr3NYDs5Mi4GtmsjMKJbO8dTzePDrh4iSz_Qv0fmgalkDhIRmM7zsjodFPkytL4rlzG9Q4oN14qEhpBUmISnu8cAQcLvOlYACD17nFqhyq-BOVmX8PpUNRFdoHDk9KUTUv7c8PbfVGOBmWeJJKxWdZ0ncUu0
Response
InternalModule.PageLoader Loaded page 'facebook/Auth' (en) in 112.543 ms
response HttpResponseProxy{HTTP/1.1 400 Bad Request [WWW-Authenticate: OAuth "Facebook Platform" "invalid_code" "Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request", Facebook-API-Version: v1.0, Content-Type: text/javascript; charset=UTF-8, Pragma: no-cache, Access-Control-Allow-Origin: *, X-FB-Rev: 1514665, Cache-Control: no-store, Expires: Sat, 01 Jan 2000 00:00:00 GMT, X-FB-Debug: WpyeYYw/BIs08HkafBWcrkbU5tICVgEHTKrPBAiTzZEqjgP3OGCP8eQwNVx2lx6b0iH9GGqIrir3S4iGu7VAIw==, Date: Tue, 02 Dec 2014 09:21:50 GMT, Connection: keep-alive, Content-Length: 190]}
facebook.FacebookAuth com.mydomain.test.pages.facebook.FacebookAuth 400 HttpResponseProxy{HTTP/1.1 400 Bad Request [WWW-Authenticate: OAuth "Facebook Platform" "invalid_code" "Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request", Facebook-API-Version: v1.0, Content-Type: text/javascript; charset=UTF-8, Pragma: no-cache, Access-Control-Allow-Origin: *, X-FB-Rev: 1514665, Cache-Control: no-store, Expires: Sat, 01 Jan 2000 00:00:00 GMT, X-FB-Debug: WpyeYYw/BIs08HkafBWcrkbU5tICVgEHTKrPBAiTzZEqjgP3OGCP8eQwNVx2lx6b0iH9GGqIrir3S4iGu7VAIw==, Date: Tue, 02 Dec 2014 09:21:50 GMT, Connection: keep-alive, Content-Length: 190]}
facebook.FacebookAuth com.mydomain.test.pages.facebook.FacebookAuth
What could possible be causing this issue? Does it have something to do with canvas and mobile?
I am trying to pull back ratings from a user but am getting 401 unauthorized:
Request:
GET https://partner.api.beatsmusic.com/v1/api/users/<VALID USER ID RETREIVED USING ME ENDPOINT>/ratings?&offset=0&limit=20&access_token=<VALID ACCESS TOKEN USED TO GET USER ID> HTTP/1.1
Host: partner.api.beatsmusic.com
Connection: Keep-Alive
Response:
HTTP/1.1 401 Unauthorized
Content-Type: text/xml
Date: Mon, 14 Jul 2014 01:29:54 GMT
Server: Mashery Proxy
WWW-Authenticate: Bearer realm="partner.api.beatsmusic.com", error="invalid_token"
X-Mashery-Error-Code: ERR_403_NOT_AUTHORIZED
X-Mashery-Responder: prod-j-worker-us-west-1b-19.mashery.com
Content-Length: 23
Connection: keep-alive
<h1>Not Authorized</h1>
The access token is viable since I am able to use it to get other resources.
We were able to replace values in your URL and receive ratings. This is also a standard format: https://partner.api.beatsmusic.com/v1/api/users/[USERID]/ratings?access_token=[TOKEN]
I am trying to use the REST web services API from Google (Analytics) and I am getting a meaningless response instead of the expected data from Google Analytics.
Here is my request and the corresponding response:
GET /auth/analytics.readonly?ids=ga:12660456&start-date=2012-01-01&end-date=2012-02-02&metrics=ga:visits HTTP/1.1
Host: www.googleapis.com
Authorization: OAuth ya29.mytokenhere
HTTP/1.1 200 OK
status: 200
content-length: 18
x-xss-protection: 1; mode=block
content-location: https://www.googleapis.com/auth/analytics.readonly?ids=ga:12660456&start-date=2012-01-01&end-date=2012-02-02&metrics=ga:visits
x-content-type-options: nosniff
x-google-cache-control: remote-fetch
expires: Mon, 21 May 2012 19:52:57 GMT
server: GSE
via: HTTP/1.1 GWA
cache-control: private, max-age=0
date: Mon, 21 May 2012 19:52:57 GMT
x-frame-options: SAMEORIGIN
content-type: text/plain
-content-encoding: gzip
analytics.readonly
Can anyone please help?
Regards,
OAuth isn't performed by requesting the auth scope URL, like you seem to be doing. The only reason the Google's auth scopes are URLs at all are (AFAIK) so that they can be guaranteed to be globally unique.
More details about how to do OAuth 2.0 with Google here: https://developers.google.com/accounts/docs/OAuth2
This code works great for all browsers except Internet Explorer.
Basically when the redirect is sent to IE it just request the exact same URL again from my server, it just ignores the redirect.
Using the 3.1.1 code from Naitik Shah
Here's the code:
// $g_facebook is declared earlier and given app id and secret
$par[ 'scope' ] = array( 'publish_stream' , // publish to the user's stream
'offline_access' , // access these functions when the user is offline
// 'user_status' , // get the user's latest status
// 'read_stream' , // read the user's stream
'email' , // provides the user's email address
'user_groups' , // provides the user's groups
// 'sms' , // send and receive txt w/ user
'publish_actions', // publish scores and achievements
);
header( 'Location: ' . $g_facebook->getLoginUrl( $par ) );
exit( );
Here's what happens on the wire (picked it up with tcpdump):
GET /fork HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C)
Accept-Encoding: gzip, deflate
Host: fbar.toolsteam.com
Connection: Keep-Alive
Cookie: PHPSESSID=7f32d7e4acd63696bd8d0998913f608c; PHPSESSID=e30076106b21e40142397219283fd55f
HTTP/1.0 302 Moved Temporarily
Date: Mon, 07 May 2012 07:36:12 GMT
Server: Apache
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=a9f17a1119dc262bef693d2d39a15317; expires=Tue, 07-May-2013 07:36:12 GMT; path=/
Location: http://www.facebook.com/dialog/oauth?client_id=336243633108439&redirect_uri=http%3A%2F%2Ffbar.toolsteam.com%2Ffork&state=b52dd5dd08e0058e28ae8734f269cd77&scope=publish_stream%2Coffline_access%2Cemail%2Cuser_groups%2Cpublish_actions
Content-Length: 0
Content-Type: text/html
X-Cache: MISS from base
X-Cache-Lookup: MISS from base:3128
Via: 1.1 base:3128 (squid/2.7.STABLE9)
Connection: keep-alive
When IE sees the 302 it just sends the original request again and again. It never follows the redirect to facebook.
As said before, Chrome and Firefox have no problems.
Ideas?
The answer was in the request headers:
Cookie: PHPSESSID=7f32d7e4acd63696bd8d0998913f608c; PHPSESSID=e30076106b21e40142397219283fd55f
There are two servers involved in this facebook auth, one is the originating website, the second is an intermediate server that negotiates the facebook permissions. The facebook server is a sub-domain of the primary site.
Turns out both of them were starting php sessions. The facebook server's cookie was at the sub-domain scope, the primary site's cookie was at the top-domain scope.
For whatever reason IE couldn't handle sending the same cookie twice on a request to the facebook server - it handled the transaction just fine but for whatever reason would just re-request the same URL and ignore the 302 redirect. IE is like that.
I switched the session variable name on the facebook server and the problem disappeared.