Google APIs - removing auth scope - javascript

I'm changing scopes in an app for Google Classroom. I remove from courses .readonly and added student listing
var SCOPES = "https://www.googleapis.com/auth/classroom.courses https://www.googleapis.com/auth/classroom.coursework.students";
I get this error when requesting students even after logging out and attempting to re-authenticate:
Request had insufficient authentication scopes
It seems the token has been cached somewhere.
This Github issue, although for Google Sheets, says the token is in Documents/.credentials/ folder. I don't have this folder though on my Macbook Pro Sierra 10.12.6.
Where can I find that folder and remove the saved scopes so it reauthenticates and accepts my new scopes?

If you change the scopes needed in your application then the user will need to authenticate your application. especially if you go from a read-only scope to a read write scope. This is because you need additional permissions then what you had originally requested. List of google classroom scopes
Assuming that you are using the Google .net client library then you can find the user credentials in the %appdata% folder on your machine. By deleting that fine you can force a authentication. I am guessing that you are since this is the github project you have linked to.
Note: there should be a way of forcing reauth via code but i cant remember the command right now i will have to look it up.

Related

I need a way to get updated oauth tokens for google photos

I'm currently working on an application for myself in which I need access to my own photos/albums on Google Photos. I have gotten by using the oauth 2.0 token generated in the playground, but I'd like to get a more permanent solution that does not require me manually regenerating the token. Is this possible with Google Cloud? The app is meant to run in daemon, so this makes any option with consent pages unusable. The scopes I'm using are:
https://www.googleapis.com/auth/photoslibrary.sharing
https://www.googleapis.com/auth/photoslibrary.readonly.appcreateddata
https://www.googleapis.com/auth/photoslibrary.readonly
I have tried using the https://accounts.google.com/o/oauth2/token and https://accounts.google.com/o/oauth2/auth endpoints to generate one programatically, but the only minor success I had was /auth sending me to a consent screen. I've also looked at using the refresh token given by Google Oauth playground with no luck there either.
Just looking to see if there is anything that I am missing.. This is my first post on stackoverflow, so please let me know if you need any more information.
I was unable to make it an internal app as it was for personal use and not for an organization.
Solved this by first using the google api package to create my own access/refresh token for my oauth client, then calling the https://oauth2.googleapis.com/token endpoint each time to generate a valid access token. I hope this can be helpful to someone else!
According to the setup documentation, as long as your app is marked as internal, you should not need to verify the app and can use it without the consent screen.

My bot cannot access to blob storage account with a system assigned managed identity

I'm exploring using Azure blob storage with my bot. I'd like to use it as a persistent store for state, as well as storing transcripts.
I configure the BlobStorage object like this:
storageProvider = new BlobStorage( {
containerName: process.env.BlobContainerName,
storageAccountOrConnectionString: process.env.BlobConnectionString
} );
As sensitive information is stored in these files, especially transcripts, I'm working with my team on securing the storage account and the container within it.
We have created a system assigned managed identity for the application service hosting the bot, and we have given this account the 'Storage Blob Data Contributor' role. Which, as I understand it, provides read, write and delete access to content stored.
Unfortunately when the bot tries to access the storage the access attempt fails. I see the following error in the 'OnTurnError trace':
StorageError: Forbidden
Interestingly running the bot locally with the same blob storage connection string works. Suggesting that this issue is related to the service identity and/or the permissions that it has.
Does anyone know what could be causing the error? Are more permissions required to the storage account? Any thoughts on increasing the logging of the error to potentially see a more detailed error message is also most welcome.
At this moment in time I do not believe that the framework supports using a system assigned managed identity for access to the blob storage.
In looking into this I found a number of examples of Node.js that use two specific packages for accessing blob storage using a system assigned identity. Specifically:
#azure/storage-blob - https://www.npmjs.com/package/#azure/storage-blob
#azure/identity - https://www.npmjs.com/package/#azure/identity
The identity package is the one that provides the functionality to get a token associated with a credential, that is then used by code in the storage-blob package to interact with the storage account.
If I look at the dependency tree for the bot framework I don’t see either of these packages. Instead I see:
azure-storage - https://www.npmjs.com/package/azure-storage
botbuilder-azure - https://www.npmjs.com/package/botbuilder-azure
Taking a deep dive into these two packages I don’t see any code for connecting to an azure storage account that uses a credential. The only code I can find uses access keys. Therefore my conclusion currently is that the bot framework doesn’t support accessing a storage account using a credential.
While we could explore adding code that uses these packages, such significant development work is outside the scope of our project at present.
If anyone with more knowledge than I can see that this is incorrect please let me know via a comment and I'll explore further.
For the moment we have settled on continuing to use access keys. As it is not any less secure than the way the bot accesses other services. Such as the cognitive services like QnA Maker.

GitHub Collaborators and Write Privileges

Let's pretend that we have a GitHub organization with 2 members in which one is the admin and the other a machine user. The machine user is added as a collaborator to each new repository that is created in the organization. In order to allow the machine user to push to the repositories we can use an acces token with just that scope. Now we have a problem, in fact the machine user could potentially push anything to any repository since the access token grants account-wide access. There are at least 3 potential ways that might be used to solve this problem:
Create a new deploy key for each repository and use it to restrict write access only to whom has the key;
Use pre-receive hooks to reject commits that are not compliant with some check;
Create a machine user for each new repository and add it just to that precise repository as a collaborator with its push only access token.
These solutions all have drawbacks:
Deploy keys are more unconvenient to create than access tokens because I need to create them myself instead of issuing a request to GitHub. Moreover I don't know how can I use them with JavaScript to be able to push to GitHub without the terminal and without installing Git on the local machine. There are many tutorials (example 1, example 2) about using deploy keys with the terminal and also about utilizing passwords and access tokens to authenticate JavaScript libraries to upload to GitHub, but what if you want to be able to push without the terminal and by only granting access to a single specific repository?
Pre-receive hooks are an enterprise-only feature;
Creating a bunch of machine users is not very efficent.
Are there other ways to solve this problem? Are there other ways to reject commits besides pre-receive hooks? Can you help me figure out how to use JavaScript to push commits to GitHub by using deploy keys (what about this)? Is there a way to discover which access token was used to push using a webhook?

Google drive - drive.file scope is restricting my access to a shared file

In my application, I am using 'drive.file' scope for Google Drive access from the user. I share few files in google drive amongst the users that are created by my application. Now, once a file is shared with a user, the file is not accessible to that user because of "drive.file" scope saying '404 file not found' error. But when I replace the scope with full Drive access, the file is accessible. So is their a way I can use the restrictive scope as well as retrieve/access the shared files amongst the users of my application?
Opening a file shared to user may need auth/drive full authorization, as stated in the related SO post, Access to all files on a user's Google Drive
, and Google Drive api scope and file access (drive vs drive.files)
, "to be precise the Drive API gives access to Files created by the app and files that the user has opened with the app from the Drive UI (through open-with)." You can try using https://www.googleapis.com/auth/drive.readonly if you just need to view file metadata and file content. Hope this helps.
When I last asked about it, there was not. You can see some discussion here:
https://plus.google.com/u/0/+JoeGibbsPolitz/posts/7xLaiAMUP8q?cfem=1
The conclusion of that thread, which I find pretty weird, is that adding the drive.file scope can actually reduce the authority of a request to the GDrive API.

Get connections Linkedin not working [duplicate]

Anyone is having problems retrieving Likendin connections with new apps?
With old apps my hybridauth app is retrieving connections just fine. While with new apps (I created 3 different apps) I keep getting Access to connections denied
When authenticating I got the correct scopes on likedin login screen(r_basic_profile, r_network, w_messages, r_emailaddresses)
Im using free plugin http://wordpress.org/plugins/wp-social-invitations/ which uses hybridauth
This is a recent problem with the linked. They have stopped providing member connection in their recent API change. Now you have to obtain a partner certificate in order to access member connection information. Even my production application has stopped this functionality to work. We might be removing linked from our application as it is of no use now with so much of restrictions.
Linkedin api changed recently, that's the reason scopes are not longer working
The get connections API in linked in has been deprecated follow this link to get the API' that are allowed as part of developers program right now.

Categories

Resources