I am trying to write to Cloud Storage with the REST API using this code:
public static void insertData() {
try {
StorageObject st = new StorageObject();
//create the media object
Media m = new Media();
String content = "hi! this is a test";
m.setData(Base64.encodeBase64String(content.getBytes()));
m.setContentType("text/html");
st.setMedia(m);
//this gets me the credential, works for other APIs but not cloud storage
Storage storage = RequestBuilder.buildStorage();
//Create the insert and execute
Insert insert = storage.objects().insert("mybucket", st);
insert.execute();
} catch (IOException e) {
log.severe(e.getMessage());
}
}
This is my ACL entry as per the REST API:
"kind": "storage#bucketAccessControls",
"items": [
{
"kind": "storage#bucketAccessControl",
"id": "gammeprediction/allUsers",
"selfLink": "https://www.googleapis.com/storage/v1beta1/b/gammeprediction/acl/allUsers",
"bucket": "mybucket",
"entity": "allUsers",
"role": "OWNER"
}]
This is how I get the credential:
private static Credential authorize() {
GoogleCredential credential = null;
//load properties
Properties appProperties = new Properties();
appProperties.load(RequestBuilder.class
.getResourceAsStream("/app.properties"));
// creates an authorization with the key and service account given
InputStream is = RequestBuilder.class.getResourceAsStream("/"
+ appProperties.getProperty("app.keyFileName"));
PrivateKey pk;
try {
pk = PrivateKeys.loadFromKeyStore(KeyStore.getInstance("PKCS12"),
is, "notasecret", "privatekey", "notasecret");
credential = new GoogleCredential.Builder()
.setTransport(HTTP_TRANSPORT)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId(
appProperties
.getProperty("app.serviceAccount"))
.setServiceAccountPrivateKey(pk)
.setServiceAccountScopes(PredictionScopes.PREDICTION,
DriveScopes.DRIVE, StorageScopes.DEVSTORAGE_FULL_CONTROL).build();
return credential;
}
The permissions on the bucket are OWNER for allUsers, but I still get a 403 Forbidden "Access not configured" error. What could possibly be wrong?
Once the JSON API is generally available, this logic will work.
However, at the moment, the JSON API is in Limited Preview. Since an unknown user is not considered to be a member of the limited preview, completely anonymous queries via the REST API are currently not possible. Instead, you must provide at a bare minimum a whitelisted API key when you connect. If you provide no further identity information, you'll be treated as an anonymous user. Or, going further, you can use OAuth2 credentials instead to be treated as a registered user. For more, see: https://developers.google.com/storage/docs/json_api/
Is that a GWT RequestBuilder? I'm not entirely familiar with its use, unfortunately. If it helps, here's an example of setting up a connection with an API key using the Google API Java Client: https://code.google.com/p/google-api-java-client/wiki/OAuth2#Unauthenticated_access
Also, it looks like your call to setData() is passing a non-base64'd string, which will fail.
Related
I can create a ProjectApiRoot using the Java SDK and perform requests with that using the following code:
private static ProjectApiRoot createProjectClient() {
ProjectApiRoot apiRoot = ApiRootBuilder.of()
.defaultClient(ClientCredentials.of()
.withClientId(System.getenv("CTP_CLIENT_ID"))
.withClientSecret(System.getenv("CTP_CLIENT_SECRET"))
.build(),
ServiceRegion.GCP_EUROPE_WEST1)
.build(System.getenv("CTP_PROJECT_KEY"))
return apiRoot
}
However, I would like to authorize as a specific customer (email and password) and interact with the Commercetools API using the customer. The following code throws an error:
private static ProjectApiRoot createCustomerClient() {
def tokenUri = "https://auth.europe-west1.gcp.commercetools.com/oauth/*CTP_PROJECT_KEY*/customers/token"
def projectKey = System.getenv("CTP_PROJECT_KEY")
def scopes = System.getenv("CTP_SCOPES")
def credentials = ClientCredentials.of()
.withClientId("*email*")
.withClientSecret("*password*")
.withScopes(scopes)
.build()
def apiRootBuilder = ApiRootBuilder.of()
.withApiBaseUrl("https://api.europe-west1.gcp.commercetools.com")
.withClientCredentialsFlow(credentials, tokenUri)
return apiRootBuilder.build(projectKey)
}
Error:
io.vrap.rmf.base.client.oauth2.AuthException: detailMessage: Unauthorized
"message" : "Please provide valid client credentials using HTTP Basic Authentication.",
By using the withGlobalCustomerPasswordFlow instead of the withClientCredentialsFlow which authenticates the customer prior to doing the request.
But I would advise to do this only in a context where the customer is logging in everytime. Using it in any other context e.g. remembered log in of needs a more sophisticated approach as you need to store the bearer token and refresh token and can't easily use the middleware approach for authenticating the customer but instead do it not as part of an auth flow middleware.
Please see also https://github.com/commercetools/commercetools-sdk-java-v2/tree/main/commercetools/commercetools-sdk-java-api/src/integrationTest/java/commercetools/me
I am using Microsoft Identity's OAuth 2.0 support to send email using Microsoft Graph.
Created a personal email account as XXXX#outlook.com. Using this account I login to Azure AD and create a tenant there. Used ClientCredentialProvider (From msgraph-sdk-auth-java) as authorizer trying to send an email to myself.
Steps:
Created a Tenant account.
Created an application and given permission in Graph>Application->Send.email etc
Created a Secret key
Below is the error I am getting:
POST microsoft.graph.sendMail
SdkVersion : graph-java/v1.5.0 Authorization : Bearer
_xv1yPye...
{
"message": {
"subject": "Test",
"body": {
"contentType": "text",
"content": "The new cafeteria is open bujji."
},
"toRecipients": [
{
"emailAddress": {
"address": "xxxxx#outlook.com"
}
}
]
},
"saveToSentItems": true
}401: UnauthorizedStrict-Transport-Security: max-age=31536000Cache-Control: privatex-ms-ags-diagnostic: {
"ServerInfo": {
"DataCenter": "South India",
"Slice": "SliceC",
"Ring": "3",
"ScaleUnit": "001",
"RoleInstance": "AGSFE_IN_1"
}
}client-request-id: 01565263-11b4-45f7-b089-06f57fdd8241request-id: 2e0cac3b-dc32-4dab-bb30-769590fc156eContent-Length: 361Date: Tue,
16Jun202007: 14: 42GMTContent-Type: application/json{
"error": {
"code": "OrganizationFromTenantGuidNotFound",
"message": "The tenant for tenant guid \u002706841624-5828-4382-b0a0-XXXXXX87b08f\u0027 does not exist.",
"innerError": {
"requestId": "01565263-11b4-45f7-b089-06f57fdd8241",
"date": "2020-06-16T07:14:43",
"request-id": "2e0cac3b-dc32-4dab-bb30-769590fc156e"
}
}
}
private static void sendEmail() {
ClientCredentialProvider authProvider = new ClientCredentialProvider(
"fb7f0ecc-b498-XXXX-XXXX-b016f252ea7d",
Arrays.asList("https://graph.microsoft.com/.default"),
"8-rpF8sOwV.CWF~7gK.XXXXXXXX.SSScxj0",
"06841624-5828-4382-b0a0-XXXXXXe87b08f",
NationalCloud.Global);
IGraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider(authProvider).buildClient();
Message message = new Message();
message.subject = "Test";
Ite * mBody body = new ItemBody();
body.contentType = BodyType.TEXT;
body.content = "The new cafeteria is open.";
message.body = body;
LinkedList < Recipient > toRecipientsList = new LinkedList < Recipient > ();
Recipient toRecipients = new Recipient();
EmailAddress emailAddress = new EmailAddress();
emailAddress.address = "xxxxx#outlook.com";
toRecipients.emailAddress = emailAddress;
toRecipientsList.add(toRecipients);
message.toRecipients = toRecipientsList;
graphClient.me()
.sendMail(message, true)
.buildRequest()
.post();
}
I guess you want to use Microsoft Graph API to send email from your personal account email XXXX#outlook.com.
But when you use this account to login to Azure AD and create a tenant, and use ClientCredentialProvider in your code, the account will be treated as a work account (not personal account) of your tenant.
So when a work account wants to send an email, it will requires an Exchange online license of O365 subscription. You don't have O365 subscription with Exchange online license. That is why you get this error: The tenant for tenant guid \u002706841624-5828-4382-b0a0-XXXXXX87b08f\u0027 does not exist.
If you want to send email from your personal account, it's unnecessary to create an AAD tenant. And you should use Authorization code provider rather than Client credentials provider. Another thing is that personal account requires Delegated permission rather than Application permission based on Send mail permissions. Create an application and give permission in Graph > Delegated > Mail.Send.
Please note it may require the scopes as https://graph.microsoft.com/mail.send instead of https://graph.microsoft.com/.default.
Thanks, Allen for your help. I am able to send and receive emails from my outlook account. Using Authorization code provider
1. Login to Azure AD create an Application in "Application from Personl account".
2. Give permission Graph > Delegated > Mail.Send.
3. Provided Redirect URL as http://localhost:8080/muapp".Note Down all appId,Create a secret Key.
4.Now hit the below URL with the details
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=40fcd457-1807-49e3-8bce-XXXXXX40ca194&response_type=code&redirect_uri=https://localhost/myapp/&response_mode=query&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.send%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read&state=12345
5. Acquire the code.This code we need to pass in Authorization code provider.
6.Scope "https://graph.microsoft.com/mail.send"
7. Authority "https://login.microsoftonline.com/consumers"
I have one question every time send an email I have to Acquire the code. Is there any Way this will have expiry date etc.???
I would like to list available IP VM's in the new Azure portal using Java SDK.
Couple of years back in the good old classic portal, I had followed the usual management certificate procedure to access vm's,create vm's and work with Azure Endpoints.
Fast fwd now I see that they have used a new portal and new mechanisms to interact with Java SDK. I read somewhere in the above link that with the old way with certificates, I can manage only the class portal resources.
I'm trying to code a simple program which authenticates and lists the vm's of the new portal as a start. Seems like they have complicated it a lot.
I followed the below link to "Create service principal with password"
https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal/
Then I went to this link
https://azure.microsoft.com/en-us/documentation/samples/resources-java-manage-resource-group/
which asked me go the "See how to create an Auth file" link in above page
(mine is not a webapp and when I try to create the AD as a native client application, it is not allowing me to save keys in configure tab, so I had to create a web app)
After doing all this, I got stuck with this below error
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
'authority' Uri should have at least one segment in the path (i.e.https://<host>/<path>/...)
java.lang.IllegalArgumentException: 'authority' Uri should have at least one segment in the path (i.e. https://<host>/<path>/...)
at com.microsoft.aad.adal4j.AuthenticationAuthority.detectAuthorityType(AuthenticationAuthority.java:190)
at com.microsoft.aad.adal4j.AuthenticationAuthority.<init>(AuthenticationAuthority.java:73)
When I checked it says that the error is because I don't have a valid client application id in your Azure Active Directory.
Is there any simple way to authenticate and start using the API's?
#Vikram, I suggest that you can try to refer to the article to create an application on AAD.
Then you can follow the code below to get the access token for authentication.
// The parameters include clientId, clientSecret, tenantId, subscriptionId and resourceGroupName.
private static final String clientId = "<client-id>";
private static final String clientSecret = "<key>";
private static final String tenantId = "<tenant-id>";
private static final String subscriptionId = "<subscription-id>";
// The function for getting the access token via Class AuthenticationResult
private static AuthenticationResult getAccessTokenFromServicePrincipalCredentials()
throws ServiceUnavailableException, MalformedURLException, ExecutionException, InterruptedException {
AuthenticationContext context;
AuthenticationResult result = null;
ExecutorService service = null;
try {
service = Executors.newFixedThreadPool(1);
// TODO: add your tenant id
context = new AuthenticationContext("https://login.microsoftonline.com/" + tenantId, false, service);
// TODO: add your client id and client secret
ClientCredential cred = new ClientCredential(clientId, clientSecret);
Future<AuthenticationResult> future = context.acquireToken("https://management.azure.com/", cred, null);
result = future.get();
} finally {
service.shutdown();
}
if (result == null) {
throw new ServiceUnavailableException("authentication result was null");
}
return result;
}
String accessToken = getAccessTokenFromServicePrincipalCredentials().getAccessToken();
If you want to list the VMs on new portal, you can try to use the REST API List the resources in a subscription to get all resources and filter the VMs via the resource type Microsoft.Compute/virtualMachines.
Hope it helps.
I have an application on Google App Engine (hosted on appspot.com) which is going to be used by a few users to grab some stuff off the internet, save it in the Datastore and then write it to a Google Spreadsheet. I'm looking to use a Service Account to access the spreadsheet but I run into a 400 OK { "error" : "invalid_grant" } problem when I try to do anything, regardless of whether I try to create a file using the Drive API or access an existing file using Spreadsheets API.
I've turned on both Drive API and Drive SDK in the APIs Console and generated a P12 key. This is my method for building a GoogleCredential:
private GoogleCredential getGoogleCredential() throws IOException, GeneralSecurityException {
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(TRANSPORT)
.setJsonFactory(FACTORY)
.setServiceAccountId("1511XXX90247.apps.googleusercontent.com")
.setServiceAccountScopes(scopes)
.setServiceAccountPrivateKeyFromP12File(
new File("05a605b0fXXXd2a6be864be15d81a2bd629d3bd6-privatekey.p12"))
.setServiceAccountUser("XXX#gmail.com") // My personal e-mail address which I used to create the project
.build();
return credential;
}
The ServiceAccountID comes from the APIs Console. I've tried using 1511XXX90247#developer.gserviceaccount.com as my ServiceAccountUser as well as myappname#appspot.gserviceaccount.com. The scopes I'm using are as follows:
https://spreadsheets.google.com/feeds
https://docs.google.com/feeds
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/drive.file
Here is the code that fails when I try to use Spreadsheets API:
SpreadsheetService service = new SpreadsheetService("name of my app");
service.setOAuth2Credentials(getGoogleCredential());
FeedURLFactory factory = FeedURLFactory.getDefault();
SpreadsheetQuery query = new SpreadsheetQuery(factory.getSpreadsheetsFeedUrl());
query.setTitleQuery("test");
SpreadsheetFeed feed = service.query(query, SpreadsheetFeed.class);
The code fails when the service tries execute the query.
Here's the Drive code I tried that also fails:
Drive drive = new Drive.Builder(TRANSPORT, FACTORY,
getGoogleCredential()).build();
com.google.api.services.drive.model.File file = new com.google.api.services.drive.model.File();
file.setTitle("test");
file.setMimeType("application/vnd.google-apps.spreadsheet");
drive.files().insert(file).execute(); // This is where the code fails
No matter what I try, I always seem to end up with the same ìnvalid grant` error. Here's a partial stacktrace:
com.google.gdata.util.AuthenticationException: Failed to refresh access token: 400 OK { "error" : "invalid_grant" }
at com.google.gdata.client.GoogleAuthTokenFactory$OAuth2Token.refreshToken(GoogleAuthTokenFactory.java:260)
at com.google.gdata.client.GoogleAuthTokenFactory.handleSessionExpiredException(GoogleAuthTokenFactory.java:702)
at com.google.gdata.client.GoogleService.handleSessionExpiredException(GoogleService.java:738) at com.google.gdata.client.GoogleService.getFeed(GoogleService.java:680)
at com.google.gdata.client.Service.query(Service.java:1237)
at com.google.gdata.client.Service.query(Service.java:1178)
at spam.gwt.scraper.server.spreadsheets.APIConnector.doGet(APIConnector.java:66)
I've tried to look for answers everywhere, including but not limited to the Google Developers Spreadsheets Guide, this Service Account-related Stack Overflow question and this Google App Engine-specific Stack Overflow question. What with the developments (eg. Docs -> Drive) it's hard to find up-to-date info, never mind info that pertains specifically to GAE.
I use the builtin Service Account of the App Engine application rather than creating my own; this way the private key is save (not stored locally, only on app engine).
For Drive:
protected Drive createDriveService() throws BookingSheetException {
HttpTransport httpTransport = new NetHttpTransport();
JsonFactory jsonFactory = new JacksonFactory();
GoogleClientRequestInitializer keyInitializer =
new CommonGoogleClientRequestInitializer(API_KEY);
AppIdentityCredential credential =
new AppIdentityCredential.Builder(Arrays.asList(DriveScopes.DRIVE)).build();
Drive service = new Drive.Builder(httpTransport, jsonFactory, null)
.setHttpRequestInitializer(credential)
.setGoogleClientRequestInitializer(keyInitializer)
.setApplicationName(appname).build();
return service;
}
For Spreadsheet:
private Credential creds;
/**
* Keep the expiration time of the access token to renew it before expiry
*/
private Calendar expirationTime = Calendar.getInstance();
protected void initCredentials() {
List<String> scopes = Arrays.asList("https://spreadsheets.google.com/feeds");
AppIdentityService appIdentity = AppIdentityServiceFactory.getAppIdentityService();
AppIdentityService.GetAccessTokenResult accessToken = appIdentity.getAccessToken(scopes);
expirationTime.setTime(accessToken.getExpirationTime());
expirationTime.add(Calendar.MINUTE,-REFRESH_MINUTES); //refresh some time before expiry
creds = new Credential(BearerToken.authorizationHeaderAccessMethod());
creds.setAccessToken(accessToken.getAccessToken());
}
public SpreadsheetUtil(String appname) {
myService = new SpreadsheetService(appname);
myService.setOAuth2Credentials(cred);
}
Make sure to creds.refreshToken() or reinitialize when they expire.
I'm trying to retrive Calendar events for a user in a domain. I have service account access, but i get 404 error when I try to get specific user events.
Heres connection code:
NetHttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId(googleApiServiceAccountId)
.setServiceAccountScopes(Collections.singleton(CalendarScopes.CALENDAR_READONLY))
.setServiceAccountPrivateKey(SecurityUtils.loadPrivateKeyFromKeyStore(
SecurityUtils.getPkcs12KeyStore(),
getClass().getClassLoader().getResourceAsStream(googleApiPrivateKeyPath),
NOTASECRET, PRIVATEKEY, NOTASECRET))
.build();
calendarApi = new Calendar.Builder(httpTransport,
JSON_FACTORY, credential).setApplicationName(getApplicactionName()).build();
Events listing method:
public List<Event> getCalendarEventsForUserAndDates(String userEmail, Long dateFrom, Long dateTo) {
try {
String pageToken = null;
List<Event> allEvents = Lists.newArrayList();
do {
ArrayMap<String, Object> parameters = new ArrayMap<String, Object>();
parameters.add("xoauth_requestor_id", userEmail);
Calendar.Events.List list = calendarApiBean.getCalendarApi()
.events().list("primary");
list.setTimeMax(new DateTime(dateFrom, 0))
.setTimeMin(new DateTime(dateTo, 0))
.setUnknownKeys(parameters);
Events events = list.setPageToken(pageToken)
.execute();
List<? extends Event> items = events.getItems();
if (items != null) {
allEvents.addAll(items);
}
pageToken = events.getNextPageToken();
} while (pageToken != null);
return allEvents;
} catch (IOException e) {
logger.error("error while retriving calendar events for {} and dates {} {} ", userEmail, dateFrom, dateTo);
logger.error("exception", e);
return Collections.emptyList();
}
}
When i try to set xoauth_requestor_id to user's email and list 'primary', i get Calendar events for my Service Accounts. When I change events().list() parameter to user's email I get an following Error:
com.google.api.client.googleapis.json.GoogleJsonResponseException: 404 Not Found
{
"code" : 404,
"errors" : [ {
"domain" : "global",
"message" : "Not Found",
"reason" : "notFound"
} ],
"message" : "Not Found"
}
Thanks for any help.
To solved this problem I had to add this service account to authorized API clients on Domain Administration.
Client name is Service Account Client ID and scope was for Readonly Calendar
This consists of two different parts
Creating a service account
Giving it permissions to access the scopes you need
Create the service account:
Go to the cloud page to administer your Service Accounts:
Menu on the left side -> IAM & admin -> Service accounts. Or click on this link: https://console.cloud.google.com/iam-admin/serviceaccounts
Make sure you are logged in as the user you want to use, and check that the organization is correctly selected
Create a new service account with Project Viewer role (you can change this later), and download the .json file with the credentials when you click to create a key.
Edit the service account and enable G Suite Domain-wide Delegation
Take note of the Client ID. (NOT the Key ID)
Give it permissions:
Go to admin.google.com
Make sure you are logged in as the user with admin rights.
Then go to Security -> Settings -> Advanced settings -> Manage API client access
In client name fill in the Client ID you copied above (NOT the Key id)
Fill in the scopes you need and authorize the service account. ie:
https://www.googleapis.com/auth/calendar.readonly,https://www.googleapis.com/auth/gmail.readonly
I tested the Python samples I link in the sources, and can confirm this works as expected.
Sources:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount
https://support.google.com/a/answer/162106?hl=en