google-analytics-api

Re: 403 forbidden


Nick Apr 3, 2012 12:31 PM
Posted in group: Google Analytics Reporting API
Great.

We'll look into adding support for service accounts.

-Nick

On Sunday, April 1, 2012 10:23:08 AM UTC-7, doucol wrote:
Thank you Nick.  The information you provided in this note helped me get something working.


On Saturday, March 31, 2012 4:41:21 PM UTC-7, Nick wrote:
I see.

You're trying to use a Service Acccount to access our API. Here's a list of the following services that support this type of Auth: http://googledevelopers.blogspot.com/2012/03/service-accounts-have-arrived.html

GA isn't in it......

Generally if your server needs to access data on behalf of a user (ie you), you can use OAuth 2 for web applications: https://developers.google.com/accounts/docs/OAuth2WebServer

You would just need to go through the Auth flow once, then store and reuse the refresh token to get new access tokens.

-Nick


On Saturday, March 31, 2012 4:15:05 PM UTC-7, doucol wrote:
Hi Nick,

Ok, I used that tool and it worked.  However, here are a few observations which lead me to believe that this is different than what I'm trying to do.

1)  I was redirected to a consent page where I provided consent
2)  The Authorization header does not contain a "Bearer" token - it contains an "OAuth" token
3)  My private key file was not used in the process

I am trying to get an OAuth2 "Server to Server" setup working as described in detail here:  https://developers.google.com/accounts/docs/OAuth2ServiceAccount

Should I be using the Simple API Access method?

thanks
-doug

On Saturday, March 31, 2012 3:37:16 PM UTC-7, Nick wrote:
Are you able to get data successfully using this tool: https://code.google.com/oauthplayground/

You should at least be able to get Management API account data via this URI end point: https://www.googleapis.com/analytics/v3/management/accounts


-Nick

On Saturday, March 31, 2012 1:04:00 PM UTC-7, doucol wrote:
Sorry for the slight bit of confusion.  But the first message I sent with the API GET request was one in which I was testing with different values for the profile id.

I just ran the whole test again:

* Successful OAuth2 token request - I get back an http status 200 with <access_token>
  -- with http header:  "Authorization:  Bearer <access_token>"
* Receive a 403 forbidden

I can look at the GA reports from the web interface for this profile and I believe I am an admin for this profile.

Also, I have run through the google php api client and I get the same response back using that.

Should I be attempting to use the "Simple API Access" key approach?  My understanding on that is that I would need to perform a "clientlogin" for that approach to work, but then I have seen some notes in these forums which state that the clientlogin / simple api access approach does not work for V3.

Can anyone provide a little guidance?

thanks
-doug

On Saturday, March 31, 2012 12:13:59 PM UTC-7, doucol wrote:
Hi Nick,

Thanks for your note.  I am looking at GA right now - at the "Visitors Overview" report.  Here is the URL:

The value which you are referencing is:  54774085
And this is also the value I see in the admin area for "Profile ID"  (54774085)

I am an admin for the GA profile - at least as far as I can tell.

This is indeed the profile ID which I am using in my API requests -- and I am still getting a 403 forbidden.

Is there anything else that I might be missing?

many thanks
-doug



On Saturday, March 31, 2012 11:39:11 AM UTC-7, Nick wrote:
403 means the authorized user doesn't have access to the account.

If you log into the GA web interface, view a report, then look at the URL, the last part of the query that has the value p is the profile ID.
You can also get this from admin interface.

The use you authorizing access for must have to this profile ID otherwise we return a 403.
-Nick


On Saturday, March 31, 2012 2:01:56 AM UTC-7, doucol wrote:
Hi folks,

I am trying to get some ruby code written which will retrieve
analytics profile data for our own sites.  I have successfully
received an access token but when I make the GET call to the analytics
API, I keep getting a 403 forbidden back.

My GET request looks like so:
"https://www.googleapis.com/analytics/v3/data/ga?ids=ga:53884572&start-
date=2012-01-01&end-date=2012-03-29&metrics=ga:visits
"

With an http auth header like this:  "Authorization:  Bearer <access
token>"

I believe I am an admin for the analytics profile and I think the
profile ID is correct.  I have done a ton of searching already and
could use a little help.

thanks much
-doug


On Saturday, March 31, 2012 3:37:16 PM UTC-7, Nick wrote:
Are you able to get data successfully using this tool: https://code.google.com/oauthplayground/

You should at least be able to get Management API account data via this URI end point: https://www.googleapis.com/analytics/v3/management/accounts


-Nick

On Saturday, March 31, 2012 1:04:00 PM UTC-7, doucol wrote:
Sorry for the slight bit of confusion.  But the first message I sent with the API GET request was one in which I was testing with different values for the profile id.

I just ran the whole test again:

* Successful OAuth2 token request - I get back an http status 200 with <access_token>
  -- with http header:  "Authorization:  Bearer <access_token>"
* Receive a 403 forbidden

I can look at the GA reports from the web interface for this profile and I believe I am an admin for this profile.

Also, I have run through the google php api client and I get the same response back using that.

Should I be attempting to use the "Simple API Access" key approach?  My understanding on that is that I would need to perform a "clientlogin" for that approach to work, but then I have seen some notes in these forums which state that the clientlogin / simple api access approach does not work for V3.

Can anyone provide a little guidance?

thanks
-doug

On Saturday, March 31, 2012 12:13:59 PM UTC-7, doucol wrote:
Hi Nick,

Thanks for your note.  I am looking at GA right now - at the "Visitors Overview" report.  Here is the URL:

The value which you are referencing is:  54774085
And this is also the value I see in the admin area for "Profile ID"  (54774085)

I am an admin for the GA profile - at least as far as I can tell.

This is indeed the profile ID which I am using in my API requests -- and I am still getting a 403 forbidden.

Is there anything else that I might be missing?

many thanks
-doug



On Saturday, March 31, 2012 11:39:11 AM UTC-7, Nick wrote:
403 means the authorized user doesn't have access to the account.

If you log into the GA web interface, view a report, then look at the URL, the last part of the query that has the value p is the profile ID.
You can also get this from admin interface.

The use you authorizing access for must have to this profile ID otherwise we return a 403.
-Nick


On Saturday, March 31, 2012 2:01:56 AM UTC-7, doucol wrote:
Hi folks,

I am trying to get some ruby code written which will retrieve
analytics profile data for our own sites.  I have successfully
received an access token but when I make the GET call to the analytics
API, I keep getting a 403 forbidden back.

My GET request looks like so:
"https://www.googleapis.com/analytics/v3/data/ga?ids=ga:53884572&start-
date=2012-01-01&end-date=2012-03-29&metrics=ga:visits
"

With an http auth header like this:  "Authorization:  Bearer <access
token>"

I believe I am an admin for the analytics profile and I think the
profile ID is correct.  I have done a ton of searching already and
could use a little help.

thanks much
-doug