I am trying to get contacts of another user using Google Service Account. I even set the user credentials to the username and password of the account for which I want to fetch the contacts. However, I keep getting an error - Exception in thread "main" com.google.gdata.util.ServiceForbiddenException: Cannot request contacts belonging to another user
Initially I was using admin account to get the contacts of another user for which I kept getting a Forbidden error. I was told that service accounts will work in this case.
Can anybody please help? Is it really possible to get the contacts of another account with service accounts or any other method? If yes, any idea why I must be getting this error?
If you want to access a user's contacts using a service account, you need to do three things (see https://developers.google.com/accounts/docs/OAuth2ServiceAccount):
Create a service account in the Google Developers Console.
Delegate domain-wide authority to the service account using the domain’s Admin console.
(Necessary to access contacts:) Impersonate the user by specifying the email address of the user account with the setServiceAccountUser method of the GoogleCredential factory.
For example:
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId(emailAddress)
.setServiceAccountPrivateKeyFromP12File(new File("MyProject.p12"))
.setServiceAccountScopes(Collections.singleton(SQLAdminScopes.SQLSERVICE_ADMIN))
.setServiceAccountUser("user#example.com")
.build();
The error message Cannot request contacts belonging to another user suggests that you forgot the last step.
You can only get access to other people's contacts using Service Accounts if your Service Account client gets white listed at the domain level. In other words - you can't arbitrarily get others' contacts across domain boundaries without some admin access.
The simplest option is to use the OAuth 2 web server or client side flows - where each user has to authorize your data access.
Related
Actually i want do it in this way when user sign up with fake email. user can't verify this email.So the email should automatically deleted from firebase authentication after fixed time.
There is nothing built into Firebase Authentication to auto-delete accounts like that. I'd also consider what you actually gain by such functionality, as the user can just recreate their Firebase Authentication account by calling the same API again.
You'll typically either want to:
disable their account, which prevents them from signing in/signing up with it. This can be done through the Firebase Admin SDK, by first getting a list of all users, and then disabling the relevant ones.
only grant them access to your back-end services if they've verified their email address (within a certain amount of time). How to do this depends on your backend services though.
I am trying to get the impersonated userguid from the docusign api. Per the documentation I need to call /restapi/v2/accounts/account_id/users?email=email, which is not working for me. I assume the full url would be https://admin.docusign.com/restapi/v2/accounts/account_id/users?email="sampleemail#gmail.com" .
I am getting a 404 when entering my email in the above format.
Looks like you have the incorrect domain. API Calls generally don't get made against admin.docusign.com. You'll want to make that call against the Application Server your account is on.
In the Sandbox environment that will be demo.docusign.net. In prod you'd need to make a UserInfo call to determine which server your account is on. It could be something like www.docusign.net or na2.docusign.net, but there are several possible domains.
In order to get Impersonate GUID ,
Login to admin account
Under setting options Click API and keys
Value under the user id text box is Impersonate GUID
During configuration & setup:
1. You have an account admin enter information such as account, their userId ("API User Name" in web app). Save both items.
2. You follow the "consent flow", get their consent, generate a JWT and
exchange for a token.
3. Use the /user_info call against the account
server to get the list of their accounts. If more than one account
in the array, find the one that matches what they entered in the
configuration. Get and save the associated "base_uri". You will
use that for all subsequent API calls.
Your application now has stored the account ID, the admin's "userId", and the base URI to built API URLs.
During business application operations:
Admin is "Bob". Sender is "Jill"
You need to get an access token for Jill.
1. Create JWT for Bob, exchange for access token, make GET /users?email={Jill's email). This gives you Jill's "userId".
2. Create JWT for Jill, exchange for access token.
3. Make API call as Jill, using her access token.
I'm using Keycloak for Identity Brokering through Google, Microsoft, etc. But Keycloak only allows one email per user. So the user can be authenticated only through one of the social login options (Google if gmail is added as user's email address, etc.). Is there any way to include more than one email per user, or any other workaround?
EDIT: (Editing based on comments to make scenario more clear)
In my scenario, I'm using a federated user store which contains a large number of users and and I need Keycloak to access all the emails linked to a user when that user is logging in using Google,Azure,etc. because Keycloak is using the email as the unique identifier for the authentication response from the social login provider. Without having the required email as the main email, Keycloak won't allow that user to log in through social IdP
Although, Keycloak emphasises on keeping a unique email,but there are certain scenarios where you may want to keep , say, secondary email.
This can be achieved in a couple of steps:
1. Add a custom attribute for secondary email in user like this:
2. Next , in your client create attribute mapper like this:
When I generated the token after above configuration, the new attribute was avialble in token. You can use this attribute in your app as you desire.
Parsed JWT:
I figured out the best way to deal with this is through the custom user provider (federated user store). Even though we can't add multiple emails per user through the Keycloak admin console, we can write the user provider in such a way that it can get all the emails linked to a user from our database and assign them to the email attribute of each user. Once this is done, all the emails will appear on the admin console as well.
For the social login to recognize those emails, we have to get all the emails linked to a user in the provider to an array and iterate through it until the authentication is complete. This would help to create the social login link to the user through First Login Broker authentication flow.
This is a crude way to approach this, but nevertheless it works!
If I add authentication in Azure Mobile Service with Google as the provider, I go and create an app, get the app_id and secret and plug it in. Great, now users can authenticate with google and get a user token. Now they are considered an "authenticated user" wrt the table permissions.
However, I don't want to authorize everyone with a google account access to my API. Is it possible to limit this to a list of known users? Must I check every request for specific user ids?
Perhaps social login is not the best choice here and I should use something else like Azure AD?
We added custom authentication provider to wams and synchronize the social account with "our" user-account that is stored in the database. For protected web api methods a user account needs to be activated first. You have to check manually whether an account is activated/ high privileged or not and return the result or unauthorized status code.
I decided to use Azure Active Directory to solve this problem. This way, I can create users in Azure AD but not have to manage users myself in the back end. With this choice I am still able to chose the only authenticated users permission level without having to check on every rest endpoint that the authentication users is one of the ones I want to grant access to.
My Facebook application has a few thousand users but they have not visited the application for a long time and I don't have access tokens for them. I do have their uid's.
How could I make contact to my application users?
I used to use the Notification.sendEmail but it is now deprecated and won't send any emails. I have email permission for all of the users but I didn't store the users email address earlier because I used that function. I should have stored the addresses.
I have understood that all use of new Graph api require access token. So my option would be to use the old Rest api. But is there a method that could be used in a situation like this?
You should be able to still retrieve the email addresses of the users who granted your app the email Permission if they haven't subsequently removed it - you can do this with the App Access Token (see the Authentication docs for more info)
Make a call to /<USER ID>?fields=email to get the address