I recently started getting a 'Permission Denied' response from our vimeo album. Everything was working correctly and nothing has changed on the application. Also, I checked and it appears no permissions have changed on the album or included videos in terms of permissions. However, we did change the servers we're hosting our main site on, which resulted in a change of IP addresses but the site URL did not change.
Is it possible that the IP change somehow messed up the request we make to vimeo? I looked in the admin settings on vimeo and didn't see anywhere we needed to specify IP addresses.
Basically, we're doing the following:
$vimeo = new phpVimeo(CONSUMER_KEY, CONSUMER_SECRET);
$vimeo->setToken(OAUTH_TOKEN,OAUTH_TOKEN_SECRET);
// **** GET THE VID DATA FROM VIMEO **** //
$result = $vimeo->call('vimeo.albums.getVideos', array('album_id' => xxxxxxxx,full_response => '1'));
$videos = $result->videos->video;
And, as I said, this was working great for a while. Any ideas on what may have happened? Thanks!
IP address should be irrelevant to the API.
My guess is that your account was part of the Adobe email breach (you should have received an email about this). Vimeo reset some tokens relating to the Adobe email breach to ensure account security.
If you were not part of the breach, you can contact Vimeo directly via https://vimeo.com/help/contact to learn more.
Related
I am creating an application in which I am getting a Client_secret.json file, and in my application I'm trying to load that json file and get the credentials from it using the following code:
credentials=get_credentials(filename)
http = credentials.authorize(httplib2.Http())
service = discovery.build('admin', 'directory_v1', http=http)
userinfo = {'primaryEmail': primaryEmail,
'name': { 'givenName':user },
'password': password
}
service.users().insert(body = userinfo).execute()
It gives the following error:
httpError 403 when requesting https
//www.googleapis.com/admin/directory/v1/users?alt=json returned
insufficient permission
I'm not sure what I'm doing wrong or am I missing something? I was wondering if the problem is in the json file which I'm creating?
Any help would be appreciated.
Thanks,
Aman
Well, you can start by checking a few things:
If you're using a service account, be sure to enable the "wide domain delegation option" to allow a service account to access user data on behalf of your users and perform operations.
Check if the scope https //www.googleapis.com/admin/directory/v1/users is authorized for your client ID on your google admin console > Security > Advanced settings > Authentication > Manage API client access.
Check if the user that you're using to insert the new user have enough privileges a.k.a super admin privileges.
Check if the Admin SDK API is active on your project.
Keep in mind that just downloading the client_json and activating a API isn't enough to allow these types of operations. For certain APIs like Admin SDK, the user you're gonna use to consume those services need to have specific privileges.
Here's a few helpful links
https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
https://support.google.com/a/answer/162106?hl=en
I would first check to make sure that you have the correct Admin privileges on the account that you are trying to use OAuth credentials on. I would try logging into the account and going to this reference page in the Directory API for Users:insert
https://developers.google.com/admin-sdk/directory/v1/reference/users/insert
On the right hand side you should go to the Try this API section and see if that account has permissions to create new users.
Also another thing I noticed as well, is that you're not setting the required field familyName inside of the name field. familyName is a required property.
So I just wanted to see a website I created with Wordpress and I got this message :
Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
It used to work just fine and I haven't changed a single thing. A pop-up window asks for a username/password and the one I use to access WP configuration does not work. Any idea?? I'm pretty scared I got hacked or something.
Delete the .htaccess file and save permalink again.
If you havent changed anything, probably this is a problem from the host. Send them a ticket or use live chat.
I have a huge problem where absolutely no error is returned from google nor php.
I've written a google client oauth2 connect model, which is perfectly working when I'm running it on my dev environment on my mac (I'm not using a simple localhost, it's actually vagrant what I'm using to mirror the production server as much as possible) but it doesn't work when I push it to production.
It's just simply not returning any error. The code reaches the part where I have the auth code from Google and it hangs at the part where I'm trying to exchange it for a token ( $client->authenticate($auth_code) ).
I really don't know what am I doing wrong, since everything is working perfect without errors on dev site (which has a public link by the way, and I tried accessing it from different public IP addresses).
The moment I push the code to a live server, it just stops authenticating. I have the correct oauth credentials set up for every production server, redirect uri is correct. I simply don't know what am I doing wrong...
Here's a part of code (I repeat, it perfectly works on dev server with publicly accessible url):
$this->client = new Google_Client();
$this->credentials_path . '/client_secret.json'
$this->client->setAuthConfigFile($this->credentials_path . '/client_secret.json');
$this->client->setAccessType('offline');
$this->client->setRedirectUri($this->redirect_uri);
$this->client->addScope(Google_Service_Drive::DRIVE_READONLY);
$this->client->authenticate($auth_code); //this is the part where the code hangs on a live server, but works perfectly on dev
$this->token = json_encode($this->client->getAccessToken());
$this->client->setAccessToken($this->token);
$this->writeTokenToFile($this->token);
if ($this->client->isAccessTokenExpired()) {
$this->client->refreshToken($this->token);
}
$google_drive_service = new Google_Service_Drive($this->client);
Any help would be very much appreciated!
AFAIK, you need to revoke the existing token before requesting another.
As mentioned in Offline access, when you set the API client's access type to offline, the client object will refresh the access token as needed.
With that, you need to revoke access given to an application. As mentioned,
part of the removal process can include an API request to ensure the permissions granted to the application are removed.
You may want to try revoking a token by calling revokeToken():
$client->revokeToken();
You may want to also check given solutions in the following SO posts:
Automatically refresh token using google drive api with php script.
Not receiving Google OAuth refresh token
Hope that helps!
I have a REST api written in node which uses HATEOAS. The user is required to have an account before they can access the bulk of it.
They register an account with login details, then login to obtain an access token, and then use that token in order to access any endpoints that aren't register or login.
Issuing a get to the root responds with a directory with available actions.
Q: What is the correct response from register, to tell the client what it can do next (i.e. login)?
register technically creates a new resource on the server so a 201 CREATED and a Location header would seem appopriate. However the login reference isn't the location of the newly created resource.
Should I return 201 Created with a Location pointing to the newly created user (e.g. /myaccount or /users/{id} and then include a login link in the response body?
{
_links: {
self: { href: "what goes here?" },
x:login: { href: "/login" }
}
}
Do I not tell the client at all, and require them to do a get on the application root in order to fetch a list of available endpoints. This should include login anyway. Assuming the client had to do that in the first place to get the register link it should already have login.
Expecting the client already to already have the login link feels uncomfortable as it relies on an assumption of the client's prior activity.
Requiring the client to issue another request to the root directory after registering seems mean, inefficient and unnecessary. If the client has just created a resource it seems only fair that the server should respond with what it can do with it next.
I like to have my api's act no differently than a webpage. If you want the UX of your application to be the user is taken to login after they register, then 302 them from a successful register to the login resource. And upon successful login, 302 to them to the appropriate destination (IE, if they tried to access something with no token, then take them to login, with a destination of the original requested resource). That's and important part to your #3. Having a link off the root that leads to login, but you need to protect all the other links such that they indicate (and link to) a login being required to access the resource. The client app should expect to get this login required response at any time as tokens can (and do) expire at any time.
Following on this, it might make sense to do the JWT as a cookie instead of as an Authorization Header, it would make it a bit easier for the client (they just have to setup a cookie jar)..if the client is say a native mobile app that maintains a single connection setup. If it's server to server, then auth header makes sense. I'd go about supporting both to cover both scenarios.
Continuing on the idea of thinking of the api as a web site. Why have them login after registration at all? Why not have the registering of an account end up with the login token being sent? they just set their user/pass, why make them enter it again? I realize with some more exotic architectures the register service can not perform the login action (perhaps it doesn't have the private key to sign the token), but if it is possible i'd consider it.
If you really want to stick to the 201 header (which is fine, just make sure the docs of your register relationship indicate that), then option 2 is the closest in my opinion. A location header to the URL of the account just created a 201 is pretty standard for creating a user. But, i'd not return what you've supposed there. You're kind of returning a account-created resource (the thing with the login link), but do you really need this custom resource? If you want to give some messaging back to the client (like "Account Created") in that resource then absolutely yes, but you could also just give them back the root resource.
tl;dr; Decide what you want your UX to be and then make your API implement your UX.
I created a very simple application to pull and display videos on a client site from an album. Everything was set up and humming along fine when it suddenly stopped working. After tracking down the problem, it turned out that the OAuth Token and Secret changed without warning last week.
Is this something that will happen periodically? Has anyone else experienced this?
Vimeo's OAuth tokens will only change if granted via XAuth (username and password auth). If this is how you generated the token, it means the authenticated user changed their password.
If this is not the case, user tokens are additionally revoked any time Vimeo forces a password reset. If you want to find out the exact cause you can contact vimeo directly at https://vimeo.com/help/contact