notACalendarUser error using Service Account in V3
1,962 views
Skip to first unread message
char mata
Apr 9, 2012, 4:55:38 PM4/9/12
to google-ca...@googlegroups.com
Hi there,
I have set-up my project and access to Calendar API in the API Console and have successfully followed the example found at:
http://samples.google-api-java-client.googlecode.com/hg/plus-serviceaccount-cmdline-sample/instructions.html (I gave my project Google+ access as well).
However, I am now trying to use my service account to use the functionality found in this example:
http://samples.google-api-java-client.googlecode.com/hg/calendar-cmdline-sample/instructions.html
I am creating the credential the same way I was in the Google+ example, however when I try to view calendars, create calendars, etc. I receive the following erorr:
403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "calendar",
"message" : "The user must be signed up for Google Calendar.",
"reason" : "notACalendarUser"
} ],
"message" : "The user must be signed up for Google Calendar."
}
I have been looking around all day trying to understand this error!
I don't believe gserviceaccount.com accounts are used the same way as Google accounts, so how am I to sign up for google calendar with this account?
Is there something i'm missing in the API console for my project?
Can someone point me in the right direction?
Thank You
p.s. My code is attached.
I have set-up my project and access to Calendar API in the API Console and have successfully followed the example found at:
http://samples.google-api-java-client.googlecode.com/hg/plus-serviceaccount-cmdline-sample/instructions.html (I gave my project Google+ access as well).
However, I am now trying to use my service account to use the functionality found in this example:
http://samples.google-api-java-client.googlecode.com/hg/calendar-cmdline-sample/instructions.html
I am creating the credential the same way I was in the Google+ example, however when I try to view calendars, create calendars, etc. I receive the following erorr:
403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "calendar",
"message" : "The user must be signed up for Google Calendar.",
"reason" : "notACalendarUser"
} ],
"message" : "The user must be signed up for Google Calendar."
}
I have been looking around all day trying to understand this error!
I don't believe gserviceaccount.com accounts are used the same way as Google accounts, so how am I to sign up for google calendar with this account?
Is there something i'm missing in the API console for my project?
Can someone point me in the right direction?
Thank You
p.s. My code is attached.
Sandip Shah
Apr 25, 2012, 12:40:09 AM4/25/12
to google-ca...@googlegroups.com
I am running this in Python and am getting the same error.
Sandip
vThrive
Sandip Shah
Apr 25, 2012, 4:02:01 AM4/25/12
to google-ca...@googlegroups.com
I think I know why this does not work - the sample codes shown are for OAuth2.
OAuth2 tokens for 2LO (2 legged oauth, or two legged oauth) are not supported on Calendar API - yet. Most likely that's the reason it does not work.
However, OAuth2 tokens for 2LO are not supported on Tasks API aslo, but it works there for whatever reason.
Also, neither the Tasks API nor the Calendar API mention how to use the "xoauth_requestor_id" parameter with 2LO.
It works perfectly fine with OAuth 1.0 tokens with 2LO.
Sandip
vThrive
vThrive
Sandip Shah
Apr 25, 2012, 4:27:20 AM4/25/12
to google-ca...@googlegroups.com
Dang .... right after I post this message, I found this - https://groups.google.com/forum/?fromgroups#!topic/google-api-python-client/tQe-lMbOH5M.
Sandip
vThrive
Message has been deleted
char mata
Apr 26, 2012, 5:13:30 PM4/26/12
to google-ca...@googlegroups.com
Yes.. I've seen a few posts claiming Calendars API doesn't yet support service accounts but I can't be sure what to believe.
I've been following a few other threads such as:
https://groups.google.com/forum/embed/?place=forum/google-calendar-api#!topic/google-calendar-api/pdNI7s1FSC4
From that it seems it is possible to do 2-Legged Authorization with OAUTH 2.0 however it's not clear how to authenticate as a service account.
All these examples call for authentication through consumer key, consumer secret, etc. (as in this example:
http://googleappsdeveloper.blogspot.ca/2011/12/calendar-api-v3-2-legged-oauth-java.html)
However, to get those things you must set-up a google apps account for your domain and then allow access to the desired APIs (http://support.google.com/a/bin/answer.py?hl=en&answer=162106) and i believe this is to establish your website as an 'organization' because service accounts are only supposed to be able to manage users that belong to your 'organization'.
Though, even if you get this to work through those examples, you aren't using the private key or service account client ID that you created in the API Console (so what was the point of that?)
And in my case, where I need to run my code from is on another domain.. and it won't let me add said domain to the list of allowed API Clients (unless I set up another Google Apps account for this domain?)
From what I have gathered, I do need to setup a Google Apps account for this other domain (where my code is to be running from) just so that it is established as a 'vendor' thus making the domain name the new 'consumer key' which is then added to the Allowed API Clients list.
My question then is, since I would have two Google Apps accounts, what account do I use to create an API Key and service account, and what google app account/organization does this need to belong to?
Am I creating a whole new google app account, and new user under this new organization and service account/api key just so that I can go through this account to get at the users of of the main google apps account/domain?
I am in the process of trying all of these things, if anyone has any insight, please share!
I've been following a few other threads such as:
https://groups.google.com/forum/embed/?place=forum/google-calendar-api#!topic/google-calendar-api/pdNI7s1FSC4
From that it seems it is possible to do 2-Legged Authorization with OAUTH 2.0 however it's not clear how to authenticate as a service account.
All these examples call for authentication through consumer key, consumer secret, etc. (as in this example:
http://googleappsdeveloper.blogspot.ca/2011/12/calendar-api-v3-2-legged-oauth-java.html)
However, to get those things you must set-up a google apps account for your domain and then allow access to the desired APIs (http://support.google.com/a/bin/answer.py?hl=en&answer=162106) and i believe this is to establish your website as an 'organization' because service accounts are only supposed to be able to manage users that belong to your 'organization'.
Though, even if you get this to work through those examples, you aren't using the private key or service account client ID that you created in the API Console (so what was the point of that?)
And in my case, where I need to run my code from is on another domain.. and it won't let me add said domain to the list of allowed API Clients (unless I set up another Google Apps account for this domain?)
From what I have gathered, I do need to setup a Google Apps account for this other domain (where my code is to be running from) just so that it is established as a 'vendor' thus making the domain name the new 'consumer key' which is then added to the Allowed API Clients list.
My question then is, since I would have two Google Apps accounts, what account do I use to create an API Key and service account, and what google app account/organization does this need to belong to?
Am I creating a whole new google app account, and new user under this new organization and service account/api key just so that I can go through this account to get at the users of of the main google apps account/domain?
I am in the process of trying all of these things, if anyone has any insight, please share!
Sandip Shah
Apr 26, 2012, 5:27:06 PM4/26/12
to google-ca...@googlegroups.com
Hi Char Mata,
Sandip
vThrive
OAuth 2.0 with Service Accounts works - it just does not work for the Calendar API (as of last night) - check my other post where I have reported this.
Installed Applications are that - applications that are installed on a desktop client where a user needs access to his own data.
Service Accounts - are replacements of 2LO.
Web Server applications - this is most likely what you are looking for - since someone can setup a web app which can work for multiple domains/organizations.
Sandip
vThrive
char mata
Apr 27, 2012, 3:17:12 PM4/27/12
to google-ca...@googlegroups.com
Hey Sandip,
Service accounts would be ideal, however I cannot find any official information from Google to say explicitly that service accounts are supported or not supported.
It's just a number of people on forums concluding it's not supported yet because things aren't working the way they
I did however, get 2LO working the way I expected and for now it will have to do.
Service accounts would be ideal, however I cannot find any official information from Google to say explicitly that service accounts are supported or not supported.
It's just a number of people on forums concluding it's not supported yet because things aren't working the way they
I did however, get 2LO working the way I expected and for now it will have to do.
alain....@yahoo.fr
Apr 27, 2012, 4:23:10 PM4/27/12
to google-ca...@googlegroups.com
Hi Char Mata,
i'm confused about your comment,
i'm trying to use service account on Calendar with api v3 OAuth2 authentication, presenting a .p12 file by php ''setAssertionCredentials' and then call to
$cal = new apiCalendarService($client);
$calList = $cal->calendarList->listCalendarList();
and an exception occurs from this code (Error refreshing the OAuth2 token, message: '{ "error" : "invalid_grant" }')
Previously, i've had "The user must be signed up for Google Calendar", problem reported here : https://groups.google.com/forum/?fromgroups#!topic/google-calendar-api/a0Lxe_z_ues
Have you succeded in such an enterprise ?
A.Thomas
i'm confused about your comment,
i'm trying to use service account on Calendar with api v3 OAuth2 authentication, presenting a .p12 file by php ''setAssertionCredentials' and then call to
$cal = new apiCalendarService($client);
$calList = $cal->calendarList->listCalendarList();
and an exception occurs from this code (Error refreshing the OAuth2 token, message: '{ "error" : "invalid_grant" }')
Previously, i've had "The user must be signed up for Google Calendar", problem reported here : https://groups.google.com/forum/?fromgroups#!topic/google-calendar-api/a0Lxe_z_ues
Have you succeded in such an enterprise ?
A.Thomas
char mata
Apr 27, 2012, 4:42:17 PM4/27/12
to google-ca...@googlegroups.com
Hey A.Thomas,
I have only gotten 2-legged authorization to work following this example: http://googleappsdeveloper.blogspot.ca/2011/12/calendar-api-v3-2-legged-oauth-java.html
This example is not using 'Service Accounts' with OAUTH 2.0, rather it is using OAuth 1.0 to implement 2LO.
(That article is dated Dec. 2011 while service accounts were announced in March http://googledevelopers.blogspot.ca/2012/03/service-accounts-have-arrived.html)
All I was trying to say in my previous post is that there's a number of posts with problems related to service accounts but no one has seemed to find a solution, instead it seems people are concluding that Calendar API does not yet support authorization through service accounts.
I have both gotten invalid_grant, not a calendar user, 401 Unauthorized Access, etc. It all depends on how I was trying to set-up the credential object and/or what API call I made afterwards. So for now i'm settling for OAuth 1.0 2LO.
To look into how to do this with PHP you should try these links:
http://gdatatips.blogspot.ca/2008/11/2-legged-oauth-in-php.html
https://groups.google.com/forum/embed/?place=forum/google-calendar-api#!topic/google-calendar-api/vGMKDKh8Pqo
I have only gotten 2-legged authorization to work following this example: http://googleappsdeveloper.blogspot.ca/2011/12/calendar-api-v3-2-legged-oauth-java.html
This example is not using 'Service Accounts' with OAUTH 2.0, rather it is using OAuth 1.0 to implement 2LO.
(That article is dated Dec. 2011 while service accounts were announced in March http://googledevelopers.blogspot.ca/2012/03/service-accounts-have-arrived.html)
All I was trying to say in my previous post is that there's a number of posts with problems related to service accounts but no one has seemed to find a solution, instead it seems people are concluding that Calendar API does not yet support authorization through service accounts.
I have both gotten invalid_grant, not a calendar user, 401 Unauthorized Access, etc. It all depends on how I was trying to set-up the credential object and/or what API call I made afterwards. So for now i'm settling for OAuth 1.0 2LO.
To look into how to do this with PHP you should try these links:
http://gdatatips.blogspot.ca/2008/11/2-legged-oauth-in-php.html
https://groups.google.com/forum/embed/?place=forum/google-calendar-api#!topic/google-calendar-api/vGMKDKh8Pqo
Reply all
Reply to author
Forward
0 new messages