Service Account Credential Authentication getting error -> Error:"invalid_grant", Description:"", Uri:""

Robert

Nov 19, 2014, 3:57:33 PM
to google-ca...@googlegroups.com
I am updating a web service application that calls Google's Calendar APIs to list calendar events for a particular calendar and insert new calendar events. I am trying to upgrade it to version 3 of the APIs. For authentication I am using a Service Account Credential that I created in the Google Developers Console (https://console.developers.google.com). I am able to create the CalendarService using the following code:


    using System;
    using Google.Apis.Auth.OAuth2;
    using System.Security.Cryptography.X509Certificates;
    using Google.Apis.Services;
    using Google.Apis.Calendar.v3;
    using Google.Apis.Calendar.v3.Data;
    
    ...
    
            string SERVICE_ACCOUNT_EMAIL = 
             "....googleusercontent.com";
            string SERVICE_ACCOUNT_PKCS12_FILE_PATH = @"C:\temp\API Project-123456789.p12";
    
            // Load the service account's PKCS#12 key file.
            X509Certificate2 certificate = new X509Certificate2(SERVICE_ACCOUNT_PKCS12_FILE_PATH, "notasecret", X509KeyStorageFlags.Exportable);
    
            // Build a credential that impersonates the user named in User.
            ServiceAccountCredential credential = new ServiceAccountCredential(
                       new ServiceAccountCredential.Initializer(SERVICE_ACCOUNT_EMAIL)
                       {
                           Scopes = new[] { CalendarService.Scope.Calendar },
                           User = "some...@mycompany.com"
                       }.FromCertificate(certificate));
    
            // Create the service.
            var service = new CalendarService(new BaseClientService.Initializer()
            {
                HttpClientInitializer = credential,
                ApplicationName = "Calendar API Sample",
            });


But when I call the list method to query a public calendar:

Events events = service.Events.List("some...@mycompany.com").Execute();

A TokenResponseException is thrown with the following error message:

Error:"invalid_grant", Description:"", Uri:""

FYI: I have gone into the AdminHome for my company and, under Security, Manage clients API Access, registered the SERVICE_ACCOUNT_EMAIL above to http://www.google.com/calendar/feeds/.

Any help with this would be greatly appreciated.

Tianshan

Nov 19, 2014, 4:34:04 PM
to google-ca...@googlegroups.com
Hi Robert,

It will work if you make the following changes in your Google Admin panel:

1. Use the client ID, not the client email address you created in the developers console as the Client Name under the authorized API clients.
2. Add the https://www.google.com/calendar/feeds Calendar (Read-Write) https://www.googleapis.com/auth/calendar to the API scopes.

Then run your program again.

Xing 

Robert

Nov 19, 2014, 6:11:12 PM
to google-ca...@googlegroups.com
Xing,

Thank you for your help. I did what you suggested; there was progress, but there is still a problem, though it is a different one. Now the error message says:

Error:"access_denied", Description:"Requested client not authorized.", Uri:""

I am trying to access the calendar of the person I am impersonating.  I actually can access a different calendar owned by the same person.  The calendar is public.

Robert

Robert

Nov 19, 2014, 6:17:29 PM
to google-ca...@googlegroups.com
I should have been more clear. The calendar I can read is public; the calendar I can't read is not. That is the only difference I know.

Tianshan

Nov 19, 2014, 7:35:58 PM
to google-ca...@googlegroups.com
Robert,

Did you use the same Google account to create the service account in the developers console and delegate it to domain-wide authorization in the admin panel?

My code is very similar to yours, but I don't run into the problem you had.

Xing  

Robert

Nov 20, 2014, 11:28:51 AM
to google-ca...@googlegroups.com
Xing,

It is working.  Thank you for your help.  The last problem was due to me changing the scope away from CalendarService.Scope.Calendar in debugging attempts.  When I set it back everything worked.

Thanks again, you were a help!  

Regards,

Robert
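
A preflight check for the two failure points worked through above (the scopes authorized for the client ID, and the token request itself), as an added example that is not part of the thread or of Google's client library. `DelegationPreflight`, `AuthorizedScopes`, `UnauthorizedScopes` and `CheckAsync` are hypothetical names, and the scope list is an assumed copy of what the administrator entered in the Admin console.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Responses;

static class DelegationPreflight
{
    // Assumption: the scopes entered for the client ID under the authorized
    // API clients in the Admin console. Replace with your own entry.
    static readonly HashSet<string> AuthorizedScopes = new HashSet<string>
    {
        "https://www.googleapis.com/auth/calendar"
    };

    // Scopes requested in code that the Admin console entry does not list.
    public static List<string> UnauthorizedScopes(IEnumerable<string> requested)
    {
        return requested.Where(s => !AuthorizedScopes.Contains(s)).ToList();
    }

    // Requests a token up front, so a delegation problem surfaces here with
    // its error code instead of inside the first Calendar API call.
    public static async Task<string> CheckAsync(ServiceAccountCredential credential)
    {
        List<string> extra = UnauthorizedScopes(credential.Scopes);
        if (extra.Count > 0)
            return "Scopes not authorized for this client: " + string.Join(", ", extra);

        try
        {
            bool issued = await credential.RequestAccessTokenAsync(CancellationToken.None);
            return issued ? "Token issued for " + credential.User : "No token returned";
        }
        catch (TokenResponseException ex)
        {
            // ex.Error carries the fields printed in the thread's messages:
            // Error, ErrorDescription and ErrorUri.
            return "Token endpoint refused the request: " + ex.Error.Error
                 + " (" + ex.Error.ErrorDescription + ")";
        }
    }
}
```

Call `CheckAsync` with the same `ServiceAccountCredential` that is passed to `CalendarService`, and log the returned string before making any API call.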

Robert

Nov 20, 2014, 2:30:17 PM
to google-ca...@googlegroups.com
Xing,

Do you by chance know how to make a call to the same code in ASP.NET? I am getting errors dealing with the async calls. It is the same code I showed you before, but now in an ASP.NET page.

Rob

Robert

Nov 21, 2014, 6:27:18 PM
to google-ca...@googlegroups.com
Xing, thanks again for your help. Have a great weekend.

Tom Weissert

Jul 8, 2015, 11:44:55 AM
to google-ca...@googlegroups.com
Hi,

I am trying to do exactly what Robert was trying to do below and I am receiving the same error.
Error:"invalid_grant", Description:"", Uri:""

My code is below.
I have given the client id access to my domain in my domain control panel and the calendar scopes,
and I have even tried to share calendars with the service account.

I'm pretty sure the code is correct.
Can anyone help me out?
Thanks
Tom

using System;
using System.Linq;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Calendar.v3;
using Google.Apis.Calendar.v3.Data;
using Google.Apis.Services;
using System.Configuration;
using System.Security.Cryptography.X509Certificates;

namespace Events
{
public partial class Events_NewAuth : System.Web.UI.Page
{
    CalendarService service;

    protected void Page_Load(object sender, EventArgs e)
    {
        string[] scopes = new string[] { CalendarService.Scope.Calendar, CalendarService.Scope.CalendarReadonly };
        string keyFilePath = @"E:\AISnet\" + ConfigurationManager.AppSettings["keyFilePath"];
        string serviceAccountEmail = "6573288...-compute@developer.gserviceaccount.com";

        // Load the service account's PKCS#12 key file.
        var certificate = new X509Certificate2(keyFilePath, "notasecret", X509KeyStorageFlags.Exportable);

        // Build a credential that impersonates the user named in User.
        ServiceAccountCredential credential = new ServiceAccountCredential(
            new ServiceAccountCredential.Initializer(serviceAccountEmail)
            {
                User = "mfac...@agnesirwin.org",
                Scopes = scopes
            }.FromCertificate(certificate));

        // Create the service (assigned to the field declared above).
        service = new CalendarService(new BaseClientService.Initializer()
        {
            HttpClientInitializer = credential,
            ApplicationName = "AISCalendar",
        });

        CalendarList result = service.CalendarList.List().Execute();

        // List each calendar visible to the impersonated user.
        foreach (CalendarListEntry calendar in result.Items)
        {
            lblNote.Text += "<br/>" + calendar.Id + " : " + calendar.Summary;
        }
    }
}
}