Our organization uses SAML for SSO into Google Apps. In order to use SSO we must manage the change password functionality through APIs. Since the Provisioning API has been deprecated in favor of the Admin SDK Directory API, I am developing against this API.
The flow I am developing is that the end user will login using Google OAuth2 into my application. Then, using the users access token I am attempting to call the https://www.googleapis.com/admin/directory/v1/users/ API to put a new password, but I get an error 403 "Not Authorized to access this resource/api".
My question is, what privilege is required for the user to be able to update their own password? When calling this API with GET I am able to retrieve my user information successfully, but trying to put a new password (or any other field for that matter) fails.
Here is an example of my request and response:
Request:
PUT https://www.googleapis.com/admin/directory/v1/users/user%40domain.org?key={YOUR_API_KEY}
Content-Type: application/json
Authorization: Bearer ya29.AHES6ZT_7onp48edpClD72X-*************************
X-JavaScript-User-Agent: Google APIs Explorer
{
"password": "wlKsf.##2af"
}
Response:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Not Authorized to access this resource/api"
}
],
"code": 403,
"message": "Not Authorized to access this resource/api"
}
}
Only super admins, delegated admins and resellers can access the Admin SDK Directory API.
I suggest creating a delegated admin that only has access to update users via the API and then having your web application utilize an OAuth token created for this delegated admin.
Related
I am trying to integrate my catalog into google recommendations ai, and for debugging purposes I want to be able to delete items from the catalog once imported. The documentations suggests running the following code:
curl -X DELETE \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
"https://retail.googleapis.com/v2/projects/[PROJECT_NUMBER]/locations/global/catalogs/default_catalog/branches/0/products/[PRODUCT_ID]"
which returns the following error:
{
"error": {
"code": 403,
"message": "Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the retail.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/.",
"status": "PERMISSION_DENIED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "SERVICE_DISABLED",
"domain": "googleapis.com",
"metadata": {
"service": "retail.googleapis.com",
"consumer": "[redacted for privacy]"
}
}
]
}
Running the suggested code with the --impersonate-service-account flag, results in the same error as above, but preceded with
WARNING: Impersonate service account '[name redacted for privacy]' is detected. This command cannot be used to print the access token for an impersonate account. The token below is still the application default credentials' access token.
If I attempt to log in for authorization instead of printing an access token, I get the following error:
{
"error": {
"code": 401,
"message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
The link provided is no longer working. I would like to know how to provide proper authorization/authentication for deleting an item from the recommendation ai catalog.
PS. The account I am using to do this is the owner of the project, and as such should have all the appropriate permissions.
To set up authentication for your application of local cURL request to Recommendations AI. You have to create a Service Account, download SA key, and set the environment variable 'GOOGLE_APPLICATION_CREDENTIALS' to the key so allow your local cURL request noted in the original description
If you are unable to download a SA key file, I kindly suggest to try to use a ! before the curl like this, !curl -X POST , also if you are familiar with Python, it's recommended to use the python library for Recommendations AI.
While working with the Facebook Workplace API liking an object (post, comment, photo..etc) can be done by passing the Admin Access Token, I'm trying to figure out how to do it on behalf on the user for a feed / comment posted into a group.
The docs mention getting the Page Access Token to perform this action but a Group doesn't have an Access Token & doesn't really solve what I'm going for anyway.
I've tried getting the User Impersonation Token from the API using the Admin Token but posting to the likes graph endpoint results in a publishing error.
POST /https://graph.facebook.com/{COMMENT-ID or POST-ID}/likes
HEADERS: Authorization Bearer "{IMPERSONATION-TOKEN}"
Error Response:
{
"error": {
"message": "(#3) Publishing likes through the API is only available for page access tokens",
"type": "OAuthException",
"code": 3,
"fbtrace_id": "CGpXtFWrwiA"
}
}
Again this works fine using the Admin App Access Token but not on behalf of the user. Also a group doesn't have an access token unlike a regular FB Page.
Any help on this would be great!
I'm trying to list the Ads for a Facebook Page using the Graph API /{page-id}/ads_posts endpoint, but I get a permissions when I try to.
Using the Graph API Explorer, I generate an Page Access Token with those permissions: email, read_insights, manages_pages, pages_show_list, ads_read, business_management, instagram_basic, instagram_manage_insights and public_profile.
I'm an admin on the Page itself, the attached Business Manager and on the corresponding Ad Account.
Every time I try to call the /{page-id}/ads_posts, I receive
{
"error": {
"message": "(#200) Not enough permission to call this endpoint",
"type": "OAuthException",
"code": 200,
"fbtrace_id": "XXXXX"
}
}
I can't find any help on the Facebook documentation or Google, given that the error isn't really meaningful (in some cases, I get a message saying that a specific permissions is missing, but not here). Anyone can help ?
EDIT: I tried to add the ads_management permission too, without success.
You need to add those pages to your app that is in development mode (https://www.facebook.com/settings?tab=business_tools).
We are planning to use WSO2 Identity Server as the identity provider for multiple websites and apps. Whenever a new member will register with our website, we will create a new user in WSO2 Identity Server which will then authenticate the users. I am planning to use SCIM REST APIs to create/update users in WSO2.
I was able to successfully retrieve the list of users from WSO2 by making GET request to this endpoint. So there is no issues with access permission.
https://identityserver:9443/wso2/scim/Users
But when I tried to add a new user (POST) I received the error below:
{
"Errors": [
{
"description": "Error in adding the user: mj100#jackson.com to the user store. Cannot access the directory context or user already exists in the system for user :mj100#jackson.com",
"code": "500"
}
]
}
My request had a payload as below:
{
"schemas":[
],
"name":{
"familyName":"Jackson",
"givenName":"Michael"
},
"userName":"mj100#jackson.com",
"password":"HiMike100",
"emails":[
{
"primary":true,
"value":"mj100#jackson.com",
"type":"home"
}
]
}
I received a similar error when I tried to update an user in WSO2 admin (carbon) portal:
Error while updating profile of abcd#test.com. Error is: One or more attributes you are trying to add/update are not supported by underlying LDAP for user : abcd#test.com
I am clueless on how to resolve this issue and why WSO2 will not allow me to update an user neither via console or via SCIM API.
I am using WSO2 Identity Server 5.1.0
Have you enabled using an email address as a username ?
https://docs.wso2.com/display/IS510/Using+Email+Address+as+the+Username
I am working with the Google Directory API to retrieve all of the groups that a person is part of for role based privileging in the app I'm working on.
https://developers.google.com/admin-sdk/directory/v1/guides/manage-groups#get_all_member_groups
Our Admin is able to successfully retrieve a list of groups that he is a part of, using the API Explorer, but I am not. I am getting the error below and I'm assuming it is because I am not an Admin.
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Not Authorized to access this resource/api"
}
],
"code": 403,
"message": "Not Authorized to access this resource/api"
}
}
How do we retrieve the groups a user belongs to? Is there any way to supply an Admin Credentials to retrieve the groups a user belongs to?
There's no way for regular users to programmatically retrieve their group membership. I'd recommend creating a delegated admin with priveledges to read groups via the API but nothing else. Also, when doing the OAuth 2.0 request, only the readonly groups scope is needed. Share these credentials with any users that need to get their group membership or have your app make the api call as the delegated user on their behalf.