I have been trying to gain authorization from the Google Calendar API on my site so that I can access user calendar data. When I issue an HttpResponseRedirect from the desired view on my site via Django (to send the user to Google so they can provide the necessary permissions), the redirect works as expected. The issue is that on Google it's returning "error 403: access denied", along with a message stating that the developer must authorize my account before I can use the API (I'm trying to use a different Google account to log in for the purpose of testing). I've poked around the Google API site, but can't find where this authorization occurs. Any idea of where I might find this?
Full Specific Error Message.
Was able to fix it by adding additional test users on the Google Cloud Platform (console.cloud.google.com). Navigated to the relevant project under the dropdown in the top left corner, then from there clicked the "OAuth consent screen" tab on the left hand side. You should see the option there to add users under the "Test users" header
Related
I use google Ouath2.0 with passport.js in my Next.js/Node.js web-app. Registering and logging in works as expected. However, anyone with a google account is able to register, regardless of being in the test users list. The app is unpublished, and so only test users registered by me in the Oauth Consent screen should be able to register and login.
Does anyone know how to fix this? As far as I have understood it, login when not registered as a test user should simply fail. I have seen this asked elsewhere with no answers, and I am not able to contact google as that requires a paid support level.
I had a quick look at this and observed the same (incorrect) behavior; I too was unable to restrict authenticated users to the list of test users:
Created Apps Script Web app (for a quick win)
Associated a Cloud Platform project with it
Enabled Gmail API in the project and added one of its "restricted" scopes
Added one Google account to test users
I was able to login using the test user and any other Gmail account regardless of whether I included a Gmail restricted scope.
One thing I observed but am unable to explain is that I was not presented with the app's (project's) OAuth Consent Screen. Each time I logged in (incognito), I was prompted by the standard Google login screen only. I expected to be prompted by the OAuth Consent Screen before accessing the app. This likely explains why identities aren't being limited to the test users but I'm unsure why I'm not seeing the consent screen.
Even without Google paid support, you may file issues like this using Google's public issue tracker and these will be seen by Google Engineering.
I recommend you file under "Cloud Platform > Security & Identity" and let someone within Google triage:
https://issuetracker.google.com/issues/new?component=187167&template=1162765
Is there a way to see what project relates to an OAuth client ID? That or is there a way to show all projects and all their credentials if we're G Suite admins?
We have an OAuth client ID but can't seem to find where it's origin is from :/
You can use the following URL:
https://console.developers.google.com/apis/credentials/oauthclient/[your-client-id]
If you open it, replace your-client-id with your own Client ID, Google Cloud will manage to find the project it belongs to.
Then, there are two scenarios:
If your account has enough permission to manage that Client ID, you will see the settings page of your OAuth app. The project it belongs to will be in the upper left of the Google Cloud console.
If your account doesn't have enough permission, the Google Cloud console will throw an error saying something like: There was an error while loading /apis/credentials/oauthclient/[client-id]?project=[project-id]&folder=&organizationId=. Please try again. to view the page, you will see which project it belongs to.
So you can still have the project-id if you don't have permission to manage the Client ID.
Hope this helps.
The current state of using Instagram for Oauth2 login for mobile/web apps is not clear to me.
The old Oauth system appears to be no longer accepting new apps. The new Instagram Basic Display API also states explicitly:
You can't use the API to create user accounts or log your app users into your app
https://developers.facebook.com/docs/instagram-basic-display-api/
It appears that the minimum scope is user_profile, but when I try to use that scope I get an invalid scope error that does not reflect the requested scopes.
{"error_type": "OAuthException", "code": 400, "error_message": "Invalid scope: []"}
It appears that there is also extensive requirements for accessing this API like submitting a passport photo. The documentation also makes it sound like Instagram Basic Display API will not work with business or creator accounts, making it sound as if the API is now fragmented.
And finally there are Instagram Testers for sandbox accounts under Roles... but when you select an account it says "accountname (pending)" and provides no instructions for how to accept an invite, and if you visit instagram.com/developers with the test account and click "Sandbox invites" there is nothing there, and the user does not receive any kind of email.
Can anyone shed light on the current status of using Instagram for Oauth2 for the purposes of authenticating login into a mobile/web app?
Other reading: https://community.auth0.com/t/instagram-login-is-deprecated-and-the-documentation-on-auth0-is-broken/24122/20
For the Tester Invite:
Login to Instagram on a desktop
Click the person icon on the top right-hand side
Click the Cog icon next to Edit Profile
Select Authorized Apps in the popup
Select Tester Invites tab
Click Accept for your app
Once you accept the tester invite, the invalid scope error will hopefully go away.
I have some previous experience with the youtube and youtube analytics api where there was an option to use https://developers.google.com/oauthplayground/ to essentially create an offline situation for your own user account api access. By creating the key in the developer console you could add that to a custom oAuth credentials. The user account you were logged into would then generate the access token and refresh token needed. I do not see Google Photos API listed as an option here. I would prefer not to create a website just to get a prompt once (myself).
Any help would be greatly appreciated.
If you are specifically after a token to make your own requests to the API, you can still use the OAuth 2.0 playground. You can enter your own scope in the tool under step 1, just below the list of scopes on the left side. (The text box is labelled "Input your own scopes".)
Here you can manually enter a scope that's listed on the "Authentication and authorization scopes" page in the Google Photos Library API developer documentation.
In step 2, you can access a refresh and access tokens and construct your own request in step 3. Note that you won't be able to List possible operations for this API.
Note that you can also specify your own OAuth client ID and client secret from your own Google developers project. You can find this under the "settings" icon on the right, under "Use your own OAuth credentials". Otherwise, tokens are automatically revoked by the playground after a certain amount of time.
However - If you just want to explore the API through the playground, you can use the version that's embedded in the reference documentation. You can find it on each page for a method, for example mediaItems.list. This version includes support for all API methods and makes it easy to construct correct API requests.
As described in the marketing API, I have registered an app got my app key and and id, generated a token with ads permissions, list pages permission as well. The app is not yet submitted for approval.
When I try to get the list of ad accountsz linked to 'me' it returns the array of all ad accounts.
But when I select any of the business accounts (other than my personal Facebook account) and try to retrieve the ads insights API throws exception saying:
but when I try to get the insights, using the python SDK, I get the same error, ex: (#273) This Ads API call requires the user to be admin of the ad account. User is not admin on ad account .
What is surprising is when I use the similar sample page from Facebook-Developers to get insights, it is able to retrieve the ads data for the same account, with my own login itself.
Why would my app be unable to do so?
Is there any such limitation for apps not reviewed?
Update: I seem to have admin access to the ad account as well. Here are some screenshots. (Unless its my dumb day I think something else is going on, but its my fist time with an API like this, so I cant be sure!;) )
Screenshots: GraphAPI Explrer with API call, App Settings, AdAccount Settings
Based on the discussion on question and experience I now have:
API user needs to be an admin of the ad account and of the app if you
wish to use the API.
The ad account needs to be specifically added to the app, in app settings. In developer access an app can only have access to a maximum of 5 ad accounts.
Error messages in Facebook API are misleading more often than not. Fix anything marked in yellow or red anywhere in the portal, to be
sure.
Do read about limits of every API before you use it, all API have different limits and your application design needs to take those into account.
As for the question, yes the issue was the text in red, as pointed out by #CBroe, although the error message was off by a mile and issue occurred only when using our own app.