I maintain an application that accesses calendar, tasks, etc. of Google Apps users. I have no trouble getting OAuth 2 working for that data. Now I'm trying to add access to calendar resources, but when I GET the appropriate URL, the result is http 403 forbidden. I have added this scope to the list of allowed scopes in my Google Apps account:
https://www.googleapis.com/auth/admin.directory.resource.calendar
And also added that to the scope that is used to generate the Claimset and JWT. I receive the authorization code as usual. My GET looks like this:
GET /admin/directory/v1/customer/my_customer/resources/calendars?access_token=ya29.GmyhBqkDSNQuaMKqoWeSo9-jBf1-lRLTMWx_4V8oTLR6yH8T09jqcMoOMVwUwZFEgt2E7vBhvcR8c2-_vV_i3Lh3eHYpE-Ks9HCXOWZvMylNNH7xEHMQ0jZb8o0z5cruHZkrytqawwBmOwKLHG4 HTTP/1.1
User-Agent: comaxis-agent/1.0
Host: www.googleapis.com
Accept: */*
GData-Version: 3.0
I can use that auth code to access my other data without problem, but the resource URL just doesn't work. It did work in the online API Explorer, but obviously I need my code to work. Any idea what I'm doing wrong?
Related
I have an API Gateway configured and deployed. If I make a GET request to one of its staged endpoints, for example https://1234567890.execute-api.us-east-1.amazonaws.com/dev/doc, I get a 200 OK response.
If I take a look at the Custom Domain Names section and supplant the URL found there into my request, for example abcdefghijkl-f4cwy0d1u5.execute-api.us-east-1.amazonaws.com to make https://abcdefghijkl-f4cwy0d1u5.execute-api.us-east-1.amazonaws.com/dev/doc, I get 403 Forbidden.
Am I wrong in thinking that I should be able to make a request to the domain name - and thus use the API's Custom domain name in a CNAME record - or does the 403 indicate that a specific configuration item is missing?
you can find some response headers that come together with your 403 error here: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-troubleshoot-403-forbidden/
this might help you to find which error you are facing!
TL;DR: When getting 403 Forbidden with API Gateway and using the Custom domain name it's important to trim the stage name because API Gateway is routing the custom name to that stage.
Using the documentation provided by #leoandreotti I was able to identify the response header:
x-amzn-ErrorType: ForbiddenException
For this, the documentation states:
Invoking a REST API that has a custom domain name using the default
execute-api endpoint - The caller uses the default execute-api
endpoint to invoke a REST API after disabling the default endpoint.
This made me think back to a header I had been recommended to use by a colleague - the Host header.
So, I added the header back into the request and got this:
x-amzn-ErrorType: MissingAuthenticationTokenException
For which the docs state:
Resource path doesn't exist - A request with no "Authorization" header
is sent to an API resource path that doesn't exist.
But the path /dev/doc absolutely does exist. Then I realised that the /dev portion is actually the stage name.
So I trimmed the /dev portion from the path and got 200 OK - then I removed the Host header and also got 200 OK!
Thanks #leoandreotti
I was trying to use my api and I have a function on ember app to login but when the login action is trigerred I receive a message below. What is the reason I am receiving this error?
login:1 Access to fetch at 'https://app-dev.some-url.com.au/api/login' from origin
'http://localhost:4099' has been blocked by CORS policy: Response to preflight request doesn't
pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested
resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch
the resource with CORS disabled.
Your API server isn’t configured to accept requests that come from a web application on another origin. Some options:
Configure your API to serve the Access-Control-Allow-Origin header
on the OPTIONS request that the browser makes to test this. It
could be Access-Control-Allow-Origin: * if you’re lazy or can’t
know in advance what origins people will be coming from. It’s hard
to be more specific about this without knowing details of your API.
Use Ember CLI’s API
proxying
feature to bypass the need for CORS. This is for development mode
only, though. You’d need a similar solution in production where
Ember CLI’s development server isn’t present.
My app is an Ember.js front end with a Go API on the server. I created the Ember app using the FixtureAdapter. Now that I have the Go API back end I converted it to RESTAdapter.
When I hit my API directly with the browser, I seem to get the appropriate CORS headers back:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Origin,x-requested-with
Access-Control-Allow-Methods:PUT,PATCH,GET,POST
Access-Control-Allow-Origin:*
Access-Control-Expose-Headers:Content-Length
However, when my Ember.js app hits the API, I get XMLHttpRequest cannot load https://192.168.59.103:8001/notifications. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://192.168.59.103:9000' is therefore not allowed access..
I don't know how else to see what's going on between Ember and the API. I've read this CORS tutorial and everything seems to be okay on the server end.
I included the bit about x-requested-with because of another Stack Overflow question suggesting that jQuery requests need something different than plain old JavaScript requests.
Your endpoints also need to respond with CORS headers to OPTIONS requests- those will execute before the actual request to make sure that the request is allowed first.
Do you happen to be using Nginx as your reverse proxy for your API? If so, we experienced this same issue. In our case, the problem was that Nginx returns the correct CORS headers just fine for HTTP 200 OK responses, but for any error response, it will fail to add the COR headers and therefore the actual server response gets obscured by the browser complaining that it doesn't have the appropriate CORS headers to render a response.
See https://serverfault.com/a/431580/199943.
Even if you're not using Nginx, try calling your API directly (e.g. using Postman to avoid the CORS restrictions to see what it's returning. If your API is returning anything other than an HTTP 200 OK, that may be why the CORS headers aren't getting added.
I am trying out WSO2 api manager.
The sample api I am using is:
http://www.thomas-bayer.com/sqlrest/CUSTOMER
The hosted api url is
https://localhost:8243/customer/1.0.0/1
When I invoke the internal url, I see following headers in outbound message
GET http://www.thomas-bayer.com/sqlrest/CUSTOMER/1 HTTP/1.1
Accept-Encoding: gzip,deflate
Host: www.thomas-bayer.com
Connection: Keep-Alive
User-Agent: Synapse-PT-HttpComponents-NIO
However, I get following message
Connection closed by target host before receiving the request
If I access the url (http://www.thomas-bayer.com/sqlrest/CUSTOMER/1) directly, it works.
Any idea why this might be happening?
I believe the way you are defining URL pattern is incorrect in API Manager Publisher while publishing the API.
This is how I managed to do it,
Create two GET methods with URL pattern as follows
/{id} - This works as a path parameter therefore when calling the API you can pass the customer ID after the "/"
/* - This gives the list of customers
Use "http://www.thomas-bayer.com/sqlrest/CUSTOMER" as your production Endpoint
After defining above way,
You can call the API with "h ttps://localhost:8243/customer/1.0.0" which gives the list of customers
To view a specific customer details you can use the endpoint as "https://localhost:8243/customer/1.0.0/1" which works as a path parameter
I am trying to retrieve a public Facebook photo album for display on a website.
I can access the list of photo albums and the individual albums using Facebook Graphc without getting an Access Token
see https://graph.facebook.com/vailresorts/albums
I've tried that from 4 different servers on different networks, none are logged on to facebook, and it works fine. However, when I put it on my test server, it doesn't work and I get the
OAuthException - An access token is required to request this resource.
error.
I'm wondeirng why that is, requesting that url from different places give different results?
I was understanding that if the album is public, I don't need an App Id and App Secret.
Is this not true?
Request header:
Request URL:https://graph.facebook.com/vailresorts/albums
Request Method:GET
Status Code:200 OK
Request Headersview source
accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
accept-encoding:gzip,deflate,sdch
accept-language:en-US,en;q=0.8
cache-control:no-cache
host:graph.facebook.com
method:GET
pragma:no-cache
scheme:https
url:/vailresorts/albums
user-agent:Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.31 (KHTML, like Gecko)
Chrome/26.0.1410.64 Safari/537.31
version:HTTP/1.1
Just to throw in a 'me too' and the failures are not with every request. This bug may be related:
https://developers.facebook.com/bugs/410815249017032
I get the error:
{"error":{"message":"An access token is required to request this resource.","type":"OAuthException","code":104}}
Edit: sorry, didn't mean to answer, but wished to provide as a comment. Ignorant yet on how to do that.
Update: I filed a new bug attempting to get their attention https://developers.facebook.com/bugs/444360005657309