"ERROR: 403: Not Authorized to access this resource/api - forbidden" out of nowhere


Paul Martin, Mar 17, 2017, 1:22:47 PM, to GAM for G Suite
So this morning, I run the command: "gam info user [username]" and it returns fine.  Someone asks me for a detail I forgot to provide, so I run it about 60 seconds later and I get "ERROR: 403: Not Authorized to access this resource/api - forbidden".  Turns out if I use "gam info user us...@domain.tld" then it works fine, but not if I do "gam info user username".  It's never done this before.  So, following some info I saw on another thread, I ran "gam oauth info" and got the following:

OAuth File: [REDACTED BUT CORRECT]
Client ID: [REDACTED BUT CORRECT]
Secret: [REDACTED BUT CORRECT]
Scopes (29):
G Suite Admin: Unknown

It's the last line that has me concerned.  Why is it unknown?  I tried running "gam user [myaccount]@[domain.tld] check serviceaccount" and got:

User: [myaccount]@[domain.tld]
 Scope: https://mail.google.com/                                     PASS
 Scope: https://www.googleapis.com/auth/activity                     PASS
 Scope: https://www.googleapis.com/auth/calendar                     PASS
 Scope: https://www.googleapis.com/auth/drive                        PASS
 Scope: https://www.googleapis.com/auth/plus.me                      PASS

All scopes passed!
Service account [REDACTED] is fully authorized.

But if I don't add the domain when running that same command - gam user [myaccount] check serviceaccount - I get:

User: [myaccount]@unknown
 Scope: https://mail.google.com/                                     FAIL
 Scope: https://www.googleapis.com/auth/activity                     FAIL
 Scope: https://www.googleapis.com/auth/calendar                     FAIL
 Scope: https://www.googleapis.com/auth/drive                        FAIL
 Scope: https://www.googleapis.com/auth/plus.me                      FAIL

So I revoked the oauth token and set everything up from scratch.  Same deal.

Any ideas why it's requiring me to use the domain in my queries all of the sudden now?

Ross Scroggs, Mar 17, 2017, 2:36:37 PM, to google-ap...@googlegroups.com
Paul,

Google broke something.
Set the environment variable GA_DOMAIN=domain.com (substitute with your domain).

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/d4edff76-ce10-4a82-a408-f11a7e89fd03%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Paul Martin, Mar 17, 2017, 2:40:23 PM, to GAM for G Suite
Oof, lovely.  Thanks for the heads up.  Setting the GA_DOMAIN worked like a champ.


mikie swier, Mar 19, 2017, 9:56:17 AM, to GAM for G Suite
Thanks.  On Linux I had to export the var:  export GA_DOMAIN=domain.com.

Any word on what changed and when it will be fixed?

thanks again

Jay Lee, Mar 19, 2017, 1:40:17 PM, to google-ap...@googlegroups.com
tl;dr: my fault, fixed in next release.

Longer story. GAM has historically requested a special "email" OAuth scope. This scope allows GAM to ask Google's servers which Google email account the admin used to authorize GAM. These parameters were returned in Google server responses as part of an ID Token's email and hd (hosted domain) parameters.

Fast forward to earlier this year: GAM uses a LOT of OAuth scopes. Google Classroom alone has 5 scopes, the Admin SDK APIs have one scope each for users, groups, domains, orgunits, user schemas, etc., etc. All this means GAM has started bumping up against Google's limit of 30 total scopes. So Ross and I have been looking for ways to reduce the number of scopes GAM uses so there's plenty of room for new scopes as Google releases new APIs.

Around this time, I replaced the old "email" scope with the "profile" scope. I'd found that the profile scope still allowed retrieval of the authenticated admin's email address (even though that wasn't documented). And while the email scope mapped to two real scopes and used two of the thirty scopes, profile only mapped to one so it was a saving of one scope.

So it looks like Friday, this was changed so that the profile scope could no longer get the authenticated user's email address (as I said before, the fact that it ever worked was undocumented so not the best decision on my part to switch).

So the next GAM release after 4.12 will go back to the email scope. I've managed to reduce GAM scopes somewhat in other ways by switching GAM to always use service account authentication for things like sending email, saving a report to Google Drive and modifying Google Calendar ACLs so we should still have room for the next APIs.

For now use Ross's GAM_DOMAIN environment variable workaround but this should be resolved in the next release.

Jay
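The mechanism Jay describes above, shown as an added example (not GAM's own code, and not anything posted in this thread): an OpenID Connect ID token carries `email` and `hd` (hosted domain) claims when the "email" scope was granted, and a client that only asked for "profile" may get neither. The helper names `resolve_domain` and `qualify_user` are hypothetical, the tokens are constructed and unsigned for offline use, and the `GA_DOMAIN` fallback mirrors the environment-variable workaround from Ross's reply. It also reproduces the `user@unknown` result Paul saw when no domain source was available.

```python
"""Resolve an admin's hosted domain from an ID token, with a GA_DOMAIN fallback.

Added example, not GAM code. Tokens here are constructed and unsigned; a real
client verifies signature, issuer, audience and expiry before trusting claims.
"""
import base64
import json
import os


def _b64url_encode(obj: dict) -> str:
    # JWT segments are base64url without padding.
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_unsigned_token(claims: dict) -> str:
    # Constructed, signature-less JWT ("alg": "none") purely for demonstration.
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}."


def decode_jwt_payload(id_token: str) -> dict:
    # Decode only the payload segment; restore the padding base64url strips.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_domain(id_token: str, env=None):
    """Return (domain, source). Sources, in order of preference:
    the token's hd claim, the domain part of its email claim, the GA_DOMAIN
    environment variable, or "unknown" when nothing is available."""
    env = os.environ if env is None else env
    claims = decode_jwt_payload(id_token)
    if claims.get("hd"):
        return claims["hd"], "id_token.hd"
    email = claims.get("email", "")
    if "@" in email:
        return email.rsplit("@", 1)[1], "id_token.email"
    if env.get("GA_DOMAIN"):
        return env["GA_DOMAIN"], "GA_DOMAIN"
    return "unknown", "none"


def qualify_user(user: str, id_token: str, env=None) -> str:
    # A bare username is qualified with whatever domain we can determine;
    # a full address is returned unchanged (which is why the explicit
    # user@domain form kept working in the thread).
    if "@" in user:
        return user
    domain, _source = resolve_domain(id_token, env)
    return f"{user}@{domain}"


# Constructed sample tokens (hypothetical values, not from the thread).
# With the "email" scope the token carries both claims GAM relied on.
TOKEN_EMAIL_SCOPE = make_unsigned_token(
    {"sub": "1", "email": "admin@example.com", "hd": "example.com"})
# With only the "profile" scope, neither email nor hd is present.
TOKEN_PROFILE_SCOPE = make_unsigned_token({"sub": "1", "name": "Admin"})


if __name__ == "__main__":
    for label, tok in (("email scope", TOKEN_EMAIL_SCOPE),
                       ("profile scope", TOKEN_PROFILE_SCOPE)):
        print(label, "->", qualify_user("admin", tok, {}),
              "| with GA_DOMAIN ->",
              qualify_user("admin", tok, {"GA_DOMAIN": "example.com"}))
```

Running it without `GA_DOMAIN` prints `admin@example.com` for the email-scope token and `admin@unknown` for the profile-scope token; setting `GA_DOMAIN` restores the qualified address in the second case, which is exactly the workaround effect reported above.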

