We're using Google Analytics API in our application and perform actions (read data) on behalf of our users (we get their tokens via OAuth2). We use a client id and client secret to authorize our Google API project (application).
The problem is that we're unable to reach this project in Google's developer console, because the user in our Google App account who created this project was deleted. Regardless, the Google API still works (we have the key and the client secret) but we're unable to reach it in the admin section in the browser, but we can't access it because the owner was deleted.
What are the options to recover access to this API project? Is it possible to transfer ownership of this project using Google API? It's running in production so we can't afford to generate a new API project.
Is it perhaps possible to generate a new API project by keeping all our users consents (they authorize their accounts using an authorization popup in our web app)?
EDIT: it's also possible the user still exists, but we don't know who's the owner. Is it possible to retrieve this info using the app's api key/secret?
How to find out who owns your credentials.
Authenticate your application the pop up window will appear. Click on the name of the application the little arrow and a drop down will apear with the email address of the developer who owns the project.
If you have lost access to this account i am not aware of any way of getting access back. However for the sake of curiosity i am going to contact someone at Google and find out if they have a procedure for account recovery or not. I will update this when i hear back.
If the account that has a credential was a gsuite user then we can transfer the project to the admin of the domain.
Have the admin of the GSuite contact me with information on the project, client id, email of the user who was deleted. We can then add the admin of the gSuite as the owner of the project.
From the question, this was likely a gsuite user because even after the account is deleted, the project was not deleted.
Related
I am having trouble with the error shown in the image. Does anyone know how to solve this problem?
I would like to obtain a refresh token to use the "YouTube Data API v3".
I tried the following behavior.
Create a WEB type Client ID in the GCP console in advance.
Access https://developers.google.com/oauthplayground/, set the client ID and client secret in "1.", select https://www...../youtube and https://www...../youtube.upload from YouTube Data API v3, and then Authorize APIs execution.
When asked which account to use for OAuth
If you select my brand account, Google will block it as shown in the image.
[What I tried to solve]
The newly created Google account was able to obtain a token.
→ However, I really need to use the Youtube API with a branded account I already have.
I have tried turning on "Less secure app access" in the security settings of my branded account, but this did not solve the problem.
The target brand account is not managed by GoogleWorkspace.
Any information would be appreciated, I will provide any information needed, so if anyone knows anything, please help me.
I use google Ouath2.0 with passport.js in my Next.js/Node.js web-app. Registering and logging in works as expected. However, anyone with a google account is able to register, regardless of being in the test users list. The app is unpublished, and so only test users registered by me in the Oauth Consent screen should be able to register and login.
Does anyone know how to fix this? As far as I have understood it, login when not registered as a test user should simply fail. I have seen this asked elsewhere with no answers, and I am not able to contact google as that requires a paid support level.
I had a quick look at this and observed the same (incorrect) behavior; I too was unable to restrict authenticated users to the list of test users:
Created Apps Script Web app (for a quick win)
Associated a Cloud Platform project with it
Enabled Gmail API in the project and added one of its "restricted" scopes
Added one Google account to test users
I was able to login using the test user and any other Gmail account regardless of whether I included a Gmail restricted scope.
One thing I observed but am unable to explain is that I was not presented with the app's (project's) OAuth Consent Screen. Each time I logged in (incognito), I was prompted by the standard Google login screen only. I expected to be prompted by the OAuth Consent Screen before accessing the app. This likely explains why identities aren't being limited to the test users but I'm unsure why I'm not seeing the consent screen.
Even without Google paid support, you may file issues like this using Google's public issue tracker and these will be seen by Google Engineering.
I recommend you file under "Cloud Platform > Security & Identity" and let someone within Google triage:
https://issuetracker.google.com/issues/new?component=187167&template=1162765
Is there a way to see what project relates to an OAuth client ID? That or is there a way to show all projects and all their credentials if we're G Suite admins?
We have an OAuth client ID but can't seem to find where it's origin is from :/
You can use the following URL:
https://console.developers.google.com/apis/credentials/oauthclient/[your-client-id]
If you open it, replace your-client-id with your own Client ID, Google Cloud will manage to find the project it belongs to.
Then, there are two scenarios:
If your account has enough permission to manage that Client ID, you will see the settings page of your OAuth app. The project it belongs to will be in the upper left of the Google Cloud console.
If your account doesn't have enough permission, the Google Cloud console will throw an error saying something like: There was an error while loading /apis/credentials/oauthclient/[client-id]?project=[project-id]&folder=&organizationId=. Please try again. to view the page, you will see which project it belongs to.
So you can still have the project-id if you don't have permission to manage the Client ID.
Hope this helps.
I am trying to create a process that will create users in g suite using Java.
The Google documentation is a little bit confusing for me but I manage to create a G Suite user on localhost. The problem is when I deploy de application on a specific id the redirect URL for auth doesn't work anymore.
I manage to do this by adapting this quick start: https://developers.google.com/admin-sdk/directory/v1/quickstart/java
My question is related to google popup. How can I prevent this popup, is there a way to use a simple secret key?
If not how can I configure my application from google console to allow multiple sites to receive the auth token?
Thank you
You cannot create new users in Gsuite without OAuth2. When you run the quickstart program it will open a new tab and asked for Authentication & Authorization. Once you complete the Authorization it will store the token in your project folder. When you add users to Gsuite(you need to write code using documentation) it will use that token (Access token). It will not ask for authorization again. So you need to authorize your application in order to create users in Gsuite. In case you delete that token, it will ask to Authorize the application.
As described in the marketing API, I have registered an app got my app key and and id, generated a token with ads permissions, list pages permission as well. The app is not yet submitted for approval.
When I try to get the list of ad accountsz linked to 'me' it returns the array of all ad accounts.
But when I select any of the business accounts (other than my personal Facebook account) and try to retrieve the ads insights API throws exception saying:
but when I try to get the insights, using the python SDK, I get the same error, ex: (#273) This Ads API call requires the user to be admin of the ad account. User is not admin on ad account .
What is surprising is when I use the similar sample page from Facebook-Developers to get insights, it is able to retrieve the ads data for the same account, with my own login itself.
Why would my app be unable to do so?
Is there any such limitation for apps not reviewed?
Update: I seem to have admin access to the ad account as well. Here are some screenshots. (Unless its my dumb day I think something else is going on, but its my fist time with an API like this, so I cant be sure!;) )
Screenshots: GraphAPI Explrer with API call, App Settings, AdAccount Settings
Based on the discussion on question and experience I now have:
API user needs to be an admin of the ad account and of the app if you
wish to use the API.
The ad account needs to be specifically added to the app, in app settings. In developer access an app can only have access to a maximum of 5 ad accounts.
Error messages in Facebook API are misleading more often than not. Fix anything marked in yellow or red anywhere in the portal, to be
sure.
Do read about limits of every API before you use it, all API have different limits and your application design needs to take those into account.
As for the question, yes the issue was the text in red, as pointed out by #CBroe, although the error message was off by a mile and issue occurred only when using our own app.