My Business
2.3K members online now
2.3K members online now
For developers who are using the Google My Business API to manage locations
Guide Me
star_border
Reply

suddently unauthorized to retrieve access tokens when using delegation (URGENT, please)

[ Edited ]
Visitor ✭ ✭ ✭
# 1
Visitor ✭ ✭ ✭

 

Hi,
we encounter a problem using Google My business API.
We wrote python scripts which ran perfectly until last week.
Our problem had appeared suddenly, without any change in our code.

Here's our simplified code:

 

# Note: oauth2client version 4.0.0
from oauth2client.service_account import ServiceAccountCredentials
# Note: httplib2 version 0.10.3
from httplib2 import Http
import json

scopes = ['https://www.googleapis.com/auth/plus.business.manage']
keyFile = 'xxxxxx.json'
delegateId = 'xxxx@yyyyy.com'
url_request = r'https://mybusiness.googleapis.com/v3/accounts'

credentials = ServiceAccountCredentials.from_json_keyfile_name(keyFile, scopes=scopes)
delegated_credentials = credentials.create_delegated(delegateId)
http_auth = delegated_credentials.authorize(Http())

response, content = http_auth.request(url_request)

 

This code raise a exception caused by a 401 http error, with this returned message:
"Client is unauthorized to retrieve access tokens using this method"

Once again, this error had appeared suddenly last week without any change on our part.
Furthermore, if we don't use the impersonation:
[...]
credentials = ServiceAccountCredentials.from_json_keyfile_name(keyFile, scopes=scopes)
http_auth = credentials.authorize(Http())
response, content = http_auth.request(url_request)
[...]
this run perfectly. So the problem is probably in relation to impersonation in the 2-legged oauth process.
We use impersonation because our application must access to locations of several accounts.
Thanks a lot in advance !

1 Expert replyverified_user

Re: suddently unauthorized to retrieve access tokens when using delegation (URGENT, please)

Google Employee
# 2
Google Employee

Hi @GMB I,

 

Since you are building a service account application, please make sure you are requesting user consent involving human interaction for each Google Account that you need to access the Google My Business data from and manually authorize your app during OAuth 2.0 flow at least once prior to authenticating with the public/private key pair. You can request user consent using OAuth 2.0 installed applications flow, OAuth 2.0 web server applications flow or via OAuth 2.0 Playground. However, you don’t have to save your retrieved refresh tokens for a service account application. Instead, you specify the user to impersonate by specifying the email address of the user account for access to their Google My Business data when you prepare to make authorized API calls. This is because a service account is an account that belongs to your application instead of an individual end user with a Google Account.

 

Please check out this Accepted Solution for requesting user consent for a service account application.

 

Thanks,

The Google My Business API team

suddently unauthorized to retrieve access tokens when using delegation (URGENT, please)

Visitor ✭ ✭ ✭
# 3
Visitor ✭ ✭ ✭

Hi,
thanks for your reply.
In order to use OAuth 2.0 Playground, I've created an client ID for web application as as shown in this tuto:
https://developers.google.com/my-business/content/get-started#make_a_simple_http_request
I was so able to request the list of accounts successfully (using this uri:https://mybusiness.googleapis.com/v3/accounts)
Nevertheless the script given in my last message in the case of an impersonation (or delegation) still doesn't work !
I receive the same status code (401) and the same message (Client is unauthorized to retrieve access tokens using this method).
Could you be please to explain me why this problem appeared suddenly ?
And do you have a working sample combining the My business API usage with the usage of a service account and a JWT build from the console dev (https://console.developers.google.com/apis/credentials) ?
Thanks a lot in advance !

suddently unauthorized to retrieve access tokens when using delegation (URGENT, please)

Follower ✭ ☆ ☆
# 4
Follower ✭ ☆ ☆

I just went through this with my gmb api access, looks like either https://www.googleapis.com/oauth2/v4/token introduces a change that breaks my original authentication,  or I missed something and we need to re-authenticate every once in a while.

 

Was there a notification on this change?

Re: suddently unauthorized to retrieve access tokens when using delegation (URGENT, please)

Google Employee
# 5
Google Employee

Hi @GMB I & @Jeremy M,

 

Could you please try regenerate your credentials file and also redo the process of granting permissions from the original account to see if it fixes the issue. Please let me know if this issue recurs.

 

Thanks,

The Google My Business API team

suddently unauthorized to retrieve access tokens when using delegation (URGENT, please)

Visitor ✭ ✭ ✭
# 6
Visitor ✭ ✭ ✭

Hi

we have done all those many times (in fact many many times, because we get stuck by this problem and cannot progress our dev). It does absolutely nothing so far.

It becomes a big problem because we are wasting a lot of time.

Thanks in advance

suddently unauthorized to retrieve access tokens when using delegation (URGENT, please)

Follower ✭ ☆ ☆
# 7
Follower ✭ ☆ ☆

Regeneration worked for me. 

suddently unauthorized to retrieve access tokens when using delegation (URGENT, please)

Visitor ✭ ✭ ✭
# 8
Visitor ✭ ✭ ✭

HI Jeremy,

thanks for your reply.That gives me some hope !

What do you mean by regeneration: regeneration of the service account or regeneration of the JWT and key ?

Thanks in advance

suddently unauthorized to retrieve access tokens when using delegation (URGENT, please)

Visitor ✭ ✭ ✭
# 9
Visitor ✭ ✭ ✭

Hi,
We still have the same problem.
We reinitialized almost everthing.

Here's an accurate description of the current context:
1- We have created a Google My Business account, let say A1. This account has been added as the manager of the locations of several other business Google My Business accounts (in order to manage their locations).
2- We have created a second Google account, let say A2.
3- With the account A2, we have created a project (approved by Google), let say P2, and we have activated the GMB API for this project.
4- With the account A2, and under the project P2 we have created an OAuth 2.0 client IDs, let say C2.
5- With the account A1, we use the Playground online application in order to validate the user consent for C2. After this step, the app (or project) P2 appeared under the list of connected application of the A1 account.
We also wrote a python script to test the "OAuth 2.0 installed applications" flow which ran properly.
6- From that moment, we can use the Client ID C2 to get an access token, and use it to request the GMB API and retrieve the list of the accounts (through https://mybusiness.googleapis.com/v3/accounts) managed by A1, and their individual locations.
7- We create a service account (let say SA2) under the A2 account and its P2 project, and downloaded a JWT token for this service account.
8- We use the python script described in my first message to list the accounts managed by A1. If we don't use the "delegation" (sub attribute in the token), the request to the GMB API returns a single account
9- BUT, if we use the delegation or impersonation (that is sub=A1), we get back the 401 http error, with this returned message:"Client is unauthorized to retrieve access tokens using this method"

So this fact seems to indicate that the delegation/impersonation process is the origin of the error.

I hope I have made myseft clear by now.

Thanks in advance for your support !

regards

suddently unauthorized to retrieve access tokens when using delegation (URGENT, please)

Visitor ✭ ✭ ✭
# 10
Visitor ✭ ✭ ✭

Hello,

I didn't receive an answer to my last question.

Is there a way to have support concerning a problem with the use of both service account and delegation ?

Thanks a lot in advance !