Re: Invalid profileId


dfaapiadv...@google.com

Sep 4, 2012, 11:59:02 AM
to google-doubleclick-...@googlegroups.com, udo.r...@umww.com
Greetings!

I've been trying to reproduce your problem. Is it possible that the profile ID you are trying to access is not associated with the Google Account whose OAuth2 token you are using? Unlike the DFA Trafficking API, which allows you to view any user profiles that you have permissions to see, the DFA Reporting API only allows you to view profiles associated with your Google Account.

This is what I'm seeing:

1) Valid profile ID, valid OAuth2 access token => Valid response
{
 "kind": "dfareporting#userProfile",
 "etag": ...,
 "profileId": ...,
 "userName": ...,
 "accountId": ...,
 "accountName": ...,
 "subAccountId": ...,
 "subAccountName": ...
}

2) Valid profile ID, invalid OAuth2 access token => Error code 401: Login Required
{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "required",
    "message": "Login Required",
    "locationType": "header",
    "location": "Authorization",
    "debugInfo": ...,
   }
  ],
  "code": 401,
  "message": "Login Required"
 }
}

3) Invalid profile ID, valid OAuth2 access token => Error code 400: Invalid profileId
{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "invalid",
    "message": "Invalid profileId.",
    "debugInfo": ...,
   }
  ],
  "code": 400,
  "message": "Invalid profileId."
 }
}

Let me know if this doesn't solve your problem! I'd be happy to help more.
- Joseph DiLallo, the DFA API Team

On Tuesday, September 4, 2012 9:58:32 AM UTC-4, (unknown) wrote:
Hi DFA Team,

I hope you are able to help. I'm writing a .NET application which has to run and download a report from Report Builder. It doesn't sound complicated so far, but every time I try to load the userProfile resource (for testing) I get an "Invalid profileId." response.

This is the background about implementation and configuration of my application.

1. I'm not using the Google API for authorization. I'm using my own implementation as described here. The authorization seems to work because an access token will be returned and the token info (https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={GENERATED TOKEN}) says that the token is fine:

{
 "issued_to": "CLIENT ID",
 "audience": "CLIENT ID",
 "scope": "https://www.googleapis.com/auth/dfareporting",
 "expires_in": 2174,
 "access_type": "offline"
}

2. When I'm trying to get the profile info (https://www.googleapis.com/dfareporting/v1/userprofiles/{profileId}?access_token={GENERATED TOKEN}) as described here then the following response will be returned:

{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "invalid",
    "message": "Invalid profileId."
   }
  ],
  "code": 400,
  "message": "Invalid profileId."
 }
}

3. When I use the Try it! form then everything works as expected. When I use the access token generated by the Try it! form to get the userProfile resource as follows then everything works as expected, too.

https://www.googleapis.com/dfareporting/v1/userprofiles/816277?access_token={TOKEN FROM TRY IT FORM}

Why doesn't the access token generated by the application work?

Thanks!

dfaapiadv...@google.com

Sep 5, 2012, 10:45:22 AM
to google-doubleclick-...@googlegroups.com, udo.r...@umww.com
Hi Evan,

I'm not sure where the "Try It!" box gets that "issued_to" ID from; in my case too it doesn't seem to be one of my projects. The issued_to and audience of your generated token should be the client ID in the API console.

Just to be sure - which Google Account are you using, and which DFA user profile are you requesting? 816277?

Regards,
- Joseph DiLallo, the DFA API Team

On Wednesday, September 5, 2012 4:19:15 AM UTC-4, (unknown) wrote:
Hi Joseph!

Thanks to you, I know what the problem is now, but I'm still not able to solve it. The APIs Console and the Report Builder are managed with the same Google Account. When I log in to Report Builder I'm able to choose the profile I would like to get the data from. When I go to the profile details at "Trafficking", the check box "Linked to Google Account {MY ACCOUNT}" is checked. This means the profile is associated with the Google Account, right?

I compared the token info of both tokens (application token and Try It form token) and have noticed that the fields "issued_to" and "audience" are different. The application token info contains the client ID which I have created at the APIs Console. That's the same client ID which will be used to create the access token. The Try It form token info contains a different client ID. I don't know where the client ID comes from. Do you have an explanation for the different token infos?

Thanks in advance!

dfaapiadv...@google.com

Sep 5, 2012, 2:40:42 PM
to google-doubleclick-...@googlegroups.com, udo.r...@umww.com
Hi Evan!

I didn't post your reply to the last message (as you may have seen).

I'm having a hard time pinpointing if something is going wrong with your OAuth2 token or the DFA Reporting API, so I'm going to have to look into this further. Before I bring in some help on this, I have one last question:

Using your app-generated token (not the Try-It! box in our docs), what happens if you do a list on user profiles instead of getting one? The equivalent to this Try-It box. Do you see any user profiles? Do you see the one you're trying to get? If nothing shows up, I'm thinking something has to be wrong with the OAuth2 token. 

Thanks,
- Joseph DiLallo, the DFA API Team

dfaapiadv...@google.com

Sep 6, 2012, 1:39:51 PM
to google-doubleclick-...@googlegroups.com, udo.r...@umww.com
Hi Evan!

I'm not incredibly familiar with generating OAuth2 tokens by hand, honestly. I have been informed that we can trace your request though! This should let us figure out what's going wrong with your token.

Can I bother you to generate a new access token with your app, then use it in the following URL:

https://www.googleapis.com/dfareporting/v1/userprofiles?access_token={YOUR TOKEN HERE}&trace=token:ACwti_cU5igd2ZzrZNQMrdhf6lY4e6ifjwDOzhelNyV9zcmSuYaMVrK0GioK6mQ9l0YzzUW6v0nI0jF1EZiiTdpNTXUlUAGeDw

Doing this trace will let us see what the system thinks is going on.

Cheers,
- Joseph DiLallo, the DFA API Team

On Thursday, September 6, 2012 3:02:56 AM UTC-4, (unknown) wrote:
Hi Joseph,

I don't know why I didn't have the idea to list user profiles :-) However, the response doesn't contain any profile:

{
 "kind": "dfareporting#userProfileList",
 "etag": "{THE ETAG}",
 "items": []
}


I compared the application token with the Try-It! token and noticed that they are different. The application tokens always start with "1/" but the Try-It! tokens always start with "ya29.".

As I mentioned in my first post, I don't use any Google libraries. I implemented the OAuth2 procedure (JWT, etc.) myself as described here. I attached my OAuth2 code. Maybe you are right and my OAuth2 code contains errors. Could you have a look please? If you would like to run this code, then change the code at line 135 in OAuth2Manager.cs first. I need to subtract 2 hours to get UTC time.

Thanks,
Eugen

dfaapiadv...@google.com

Sep 7, 2012, 11:31:10 AM
to google-doubleclick-...@googlegroups.com, udo.r...@umww.com
Hello again!

It was not too late. I got a trace and I think I know what your problem is. Are you trying to use Service Accounts? 

It looks to me like you have a JWT token for a Service Account, but then have not requested delegated access. Take a look at the JWT documentation here: https://developers.google.com/accounts/docs/OAuth2ServiceAccount#formingclaimset

The first example JWT claim set looks like this: (This is the example from the docs, nothing specific to your app)
{
   "iss":"761326798069-r5mljlln1...@developer.gserviceaccount.com",
   "scope":"https://www.googleapis.com/auth/devstorage.readonly",
   "aud":"https://accounts.google.com/o/oauth2/token",
   "exp":1328554385,
   "iat":1328550785
}
Note that the "iss" is a gserviceaccount. Your request to the DFA Reporting API is authenticated as something similar to this, "{your service account}@developer.gserviceaccount.com". Since no DFA user profiles belong to this address, you're getting no access in the DFA Reporting API.

Are you using the "prn" field for delegated access, as in the second example on that page? You need to do this and request delegated access from your Google Apps e-mail address, which IS linked to DFA user profiles.

Regards,
- Joseph DiLallo, the DFA API Team
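
The two claim sets contrasted in the message above, as an added example that is not part of the original thread or of anyone's posted code: it builds the service-account claim set with and without the "prn" field and reports which identity each one presents. The service account address and user e-mail are constructed placeholders, the helper names are hypothetical, and the RS256 signature segment is omitted because it needs the account's private key.

```python
import base64
import json
import time

TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"  # "aud" value quoted in the thread
DFA_SCOPE = "https://www.googleapis.com/auth/dfareporting"     # scope quoted in the thread
# Constructed sample identities, not taken from the thread.
SERVICE_ACCOUNT = "example-service-account@developer.gserviceaccount.com"
USER = "reporting.user@example.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claim_set(service_account, scope, delegate=None, now=None, lifetime=3600):
    """Claim set for a service-account token request; "prn" is added only for delegation."""
    # time.time() is already seconds since the UTC epoch, so no local-time offset is applied.
    iat = int(time.time()) if now is None else int(now)
    claims = {"iss": service_account, "scope": scope, "aud": TOKEN_ENDPOINT,
              "exp": iat + lifetime, "iat": iat}
    if delegate is not None:
        claims["prn"] = delegate  # the user the service account asks to act for
    return claims


def signing_input(claims):
    """header.claimset, the part of the JWT that is signed (signature omitted here)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))


def effective_principal(jwt_text):
    """Return (identity the token is requested for, True if it is a delegated user)."""
    segment = jwt_text.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if "prn" in claims:
        return claims["prn"], True
    return claims["iss"], False


if __name__ == "__main__":
    for delegate in (None, USER):
        jwt_text = signing_input(build_claim_set(SERVICE_ACCOUNT, DFA_SCOPE, delegate))
        print(effective_principal(jwt_text))
```

Running `effective_principal` on a JWT before it is sent shows whether the request will act as the service account itself, which owns no DFA user profiles, or as the delegated user.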


Joseph DiLallo (DFA API Team)

Sep 18, 2012, 10:15:47 AM
to google-doubleclick-...@googlegroups.com, udo.r...@umww.com
Hi Eugen,

Unfortunately, I think we've reached about the limit of my OAuth2 knowledge. :-( I don't think I can really help further with this, as I'm not familiar with how to set up service accounts.

I think you can find help with this elsewhere though, for example there is a forum for accessing Google APIs with OAuth2 here: https://groups.google.com/forum/#!forum/oauth2-dev

Sorry I don't have the answer this time. Hope they can solve it for you!

Regards,
- Joseph DiLallo, the DFA API Team

On Friday, September 14, 2012 3:16:26 AM UTC-4, (unknown) wrote:
Hi Joseph,

I was on vacation the last few days; that's why I hadn't answered you.

Yes, I'm using a Service Account for DFA API calls. Why doesn't the API answer that the account (or token) doesn't have the rights to make DFA API calls? This would save a lot of our time :-)

It seems that I hadn't seen the chapter about delegated access; that's why I hadn't used the "prn" parameter before.

I tried to append the "prn" parameter but I got the following response.

{"error" : "access_denied"}

The documentation says that I need a domain administrator account to permit a user to make DFA API calls. As far as I know I don't have a domain administrator account. I think that's the reason why I can't find the configuration section described here.

Do you know how to solve the problem?

Best regards,
Eugen

