search

GAM-team / GAM

command line management for Google Workspace
https://github.com/GAM-team/GAM/wiki
Apache License 2.0
3.54k stars 473 forks source link

unauthorized_client error for show vacation command #1608

Closed davidsev7 closed 1 month ago

davidsev7 commented 1 year ago

The issue tracker is for reporting product deficiencies. "How do I?" questions should be posted to the discussion forum at https://groups.google.com/group/google-apps-manager. When in doubt, start at the discussion forum and return here only when instructed to do so.

Please confirm the following:

Full steps to reproduce the issue:

  1. gam user sev show vacation

Expected outcome (what are you trying to do?):

The vacation settings

Actual outcome (what errors or bad behavior do you see instead?):

ERROR: User sev@uci.edu: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

I also did this to validate my service account...

[root@igs1 gam]# ./gam user oit-eus-igs-ga check serviceaccount Computer clock status: Your system time differs from admin.googleapis.com by less than 1 second PASS Service Account Private Key Authentication: Authenticating... PASS Checking key age. Google recommends rotating keys on a routine basis... Your key is old. Recommend running "gam rotate sakey" to get a new key Key is 89 days old WARN Domain-Wide Delegation authentication as oit-eus-igs-ga@uci.edu: https://mail.google.com/ PASS https://www.googleapis.com/auth/apps.alerts PASS https://www.googleapis.com/auth/calendar PASS https://www.googleapis.com/auth/cloud-identity PASS https://www.googleapis.com/auth/drive PASS https://www.googleapis.com/auth/drive.activity PASS https://www.googleapis.com/auth/gmail.settings.basic PASS https://www.googleapis.com/auth/gmail.settings.sharing PASS https://www.googleapis.com/auth/spreadsheets PASS

All scopes passed! Service account 100320192155763691457 is fully authorized. [root@igs1 gam]#

The service account client ID matches too. This all used to work earlier this year until I tried it today.

taers232c commented 1 year ago

David,

Do: gam oauth delete gam oauth create

Ross

On Tue, Feb 28, 2023 at 4:00 PM David Severance @.***> wrote:

The issue tracker is for reporting product deficiencies. "How do I?" questions should be posted to the discussion forum at https://groups.google.com/group/google-apps-manager. When in doubt, start at the discussion forum and return here only when instructed to do so.

Please confirm the following:

Full steps to reproduce the issue:

  1. gam user sev show vacation

Expected outcome (what are you trying to do?):

The vacation settings

Actual outcome (what errors or bad behavior do you see instead?):

ERROR: User @.***: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

I also did this to validate my service account...

@. gam]# ./gam user oit-eus-igs-ga check serviceaccount Computer clock status: Your system time differs from admin.googleapis.com by less than 1 second PASS Service Account Private Key Authentication: Authenticating... PASS Checking key age. Google recommends rotating keys on a routine basis... Your key is old. Recommend running "gam rotate sakey" to get a new key Key is 89 days old WARN Domain-Wide Delegation authentication as @.: https://mail.google.com/ PASS https://www.googleapis.com/auth/apps.alerts PASS https://www.googleapis.com/auth/calendar PASS https://www.googleapis.com/auth/cloud-identity PASS https://www.googleapis.com/auth/drive PASS https://www.googleapis.com/auth/drive.activity PASS https://www.googleapis.com/auth/gmail.settings.basic PASS https://www.googleapis.com/auth/gmail.settings.sharing PASS https://www.googleapis.com/auth/spreadsheets PASS

All scopes passed! Service account 100320192155763691457 is fully authorized. @.*** gam]#

The service account client ID matches too. This all used to work earlier this year until I tried it today.

— Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL3FSDEFMKTPLA2LQZLWZ2GRNANCNFSM6AAAAAAVLLZAEQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>

-- Ross Scroggs @.***

davidsev7 commented 1 year ago

I did that and issued another gam user sev show vacation which failed as before. The check service account still looks good.

David

On Feb 28, 2023, at 4:08 PM, Ross Scroggs @.***> wrote:

David,

Do: gam oauth delete gam oauth create

Ross

On Tue, Feb 28, 2023 at 4:00 PM David Severance @.***> wrote:

The issue tracker is for reporting product deficiencies. "How do I?" questions should be posted to the discussion forum at https://groups.google.com/group/google-apps-manager. When in doubt, start at the discussion forum and return here only when instructed to do so.

Please confirm the following:

Full steps to reproduce the issue:

  1. gam user sev show vacation

Expected outcome (what are you trying to do?):

The vacation settings

Actual outcome (what errors or bad behavior do you see instead?):

ERROR: User @.***: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

I also did this to validate my service account...

@. gam]# ./gam user oit-eus-igs-ga check serviceaccount Computer clock status: Your system time differs from admin.googleapis.com by less than 1 second PASS Service Account Private Key Authentication: Authenticating... PASS Checking key age. Google recommends rotating keys on a routine basis... Your key is old. Recommend running "gam rotate sakey" to get a new key Key is 89 days old WARN Domain-Wide Delegation authentication as @.: https://mail.google.com/ PASS https://www.googleapis.com/auth/apps.alerts PASS https://www.googleapis.com/auth/calendar PASS https://www.googleapis.com/auth/cloud-identity PASS https://www.googleapis.com/auth/drive PASS https://www.googleapis.com/auth/drive.activity PASS https://www.googleapis.com/auth/gmail.settings.basic PASS https://www.googleapis.com/auth/gmail.settings.sharing PASS https://www.googleapis.com/auth/spreadsheets PASS

All scopes passed! Service account 100320192155763691457 is fully authorized. @.*** gam]#

The service account client ID matches too. This all used to work earlier this year until I tried it today.

— Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL3FSDEFMKTPLA2LQZLWZ2GRNANCNFSM6AAAAAAVLLZAEQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>

-- Ross Scroggs @.*** — Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608#issuecomment-1449115338, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJLJJTYYOCIYPQ4T56KEWU3WZ2HQJANCNFSM6AAAAAAVLLZAEQ. You are receiving this because you authored the thread.

— David Severance Email to: @.*** Visit me at http://www.sblk.net/ (949) 351-2525

taers232c commented 1 year ago

David,

If you're still available, send me a Meet/Zoom invitation.

Ross

Ross Scroggs @.***

On Feb 28, 2023, at 5:53 PM, David Severance @.***> wrote:

I did that and issued another gam user sev show vacation which failed as before. The check service account still looks good.

David

On Feb 28, 2023, at 4:08 PM, Ross Scroggs @.***> wrote:

David,

Do: gam oauth delete gam oauth create

Ross

On Tue, Feb 28, 2023 at 4:00 PM David Severance @.***> wrote:

The issue tracker is for reporting product deficiencies. "How do I?" questions should be posted to the discussion forum at https://groups.google.com/group/google-apps-manager. When in doubt, start at the discussion forum and return here only when instructed to do so.

Please confirm the following:

Full steps to reproduce the issue:

  1. gam user sev show vacation

Expected outcome (what are you trying to do?):

The vacation settings

Actual outcome (what errors or bad behavior do you see instead?):

ERROR: User @.***: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

I also did this to validate my service account...

@. gam]# ./gam user oit-eus-igs-ga check serviceaccount Computer clock status: Your system time differs from admin.googleapis.com by less than 1 second PASS Service Account Private Key Authentication: Authenticating... PASS Checking key age. Google recommends rotating keys on a routine basis... Your key is old. Recommend running "gam rotate sakey" to get a new key Key is 89 days old WARN Domain-Wide Delegation authentication as @.: https://mail.google.com/ PASS https://www.googleapis.com/auth/apps.alerts PASS https://www.googleapis.com/auth/calendar PASS https://www.googleapis.com/auth/cloud-identity PASS https://www.googleapis.com/auth/drive PASS https://www.googleapis.com/auth/drive.activity PASS https://www.googleapis.com/auth/gmail.settings.basic PASS https://www.googleapis.com/auth/gmail.settings.sharing PASS https://www.googleapis.com/auth/spreadsheets PASS

All scopes passed! Service account 100320192155763691457 is fully authorized. @.*** gam]#

The service account client ID matches too. This all used to work earlier this year until I tried it today.

— Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL3FSDEFMKTPLA2LQZLWZ2GRNANCNFSM6AAAAAAVLLZAEQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>

-- Ross Scroggs @.*** — Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608#issuecomment-1449115338, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJLJJTYYOCIYPQ4T56KEWU3WZ2HQJANCNFSM6AAAAAAVLLZAEQ. You are receiving this because you authored the thread.

— David Severance Email to: @.*** Visit me at http://www.sblk.net/ (949) 351-2525

— Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608#issuecomment-1449195950, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL4TZYIRRIV426WHGRTWZ2TYFANCNFSM6AAAAAAVLLZAEQ. You are receiving this because you commented.

davidsev7 commented 1 year ago

https://uci.zoom.us/j/95042426826 https://uci.zoom.us/j/95042426826

Try this, David

On Feb 28, 2023, at 6:24 PM, Ross Scroggs @.***> wrote:

David,

If you're still available, send me a Meet/Zoom invitation.

Ross

Ross Scroggs @.***

On Feb 28, 2023, at 5:53 PM, David Severance @.***> wrote:

I did that and issued another gam user sev show vacation which failed as before. The check service account still looks good.

David

On Feb 28, 2023, at 4:08 PM, Ross Scroggs @.***> wrote:

David,

Do: gam oauth delete gam oauth create

Ross

On Tue, Feb 28, 2023 at 4:00 PM David Severance @.***> wrote:

The issue tracker is for reporting product deficiencies. "How do I?" questions should be posted to the discussion forum at https://groups.google.com/group/google-apps-manager. When in doubt, start at the discussion forum and return here only when instructed to do so.

Please confirm the following:

Full steps to reproduce the issue:

  1. gam user sev show vacation

Expected outcome (what are you trying to do?):

The vacation settings

Actual outcome (what errors or bad behavior do you see instead?):

ERROR: User @.***: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

I also did this to validate my service account...

@. gam]# ./gam user oit-eus-igs-ga check serviceaccount Computer clock status: Your system time differs from admin.googleapis.com by less than 1 second PASS Service Account Private Key Authentication: Authenticating... PASS Checking key age. Google recommends rotating keys on a routine basis... Your key is old. Recommend running "gam rotate sakey" to get a new key Key is 89 days old WARN Domain-Wide Delegation authentication as @.: https://mail.google.com/ PASS https://www.googleapis.com/auth/apps.alerts PASS https://www.googleapis.com/auth/calendar PASS https://www.googleapis.com/auth/cloud-identity PASS https://www.googleapis.com/auth/drive PASS https://www.googleapis.com/auth/drive.activity PASS https://www.googleapis.com/auth/gmail.settings.basic PASS https://www.googleapis.com/auth/gmail.settings.sharing PASS https://www.googleapis.com/auth/spreadsheets PASS

All scopes passed! Service account 100320192155763691457 is fully authorized. @.*** gam]#

The service account client ID matches too. This all used to work earlier this year until I tried it today.

— Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL3FSDEFMKTPLA2LQZLWZ2GRNANCNFSM6AAAAAAVLLZAEQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>

-- Ross Scroggs @.*** — Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608#issuecomment-1449115338, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJLJJTYYOCIYPQ4T56KEWU3WZ2HQJANCNFSM6AAAAAAVLLZAEQ. You are receiving this because you authored the thread.

— David Severance Email to: @.*** Visit me at http://www.sblk.net/ (949) 351-2525

— Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608#issuecomment-1449195950, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL4TZYIRRIV426WHGRTWZ2TYFANCNFSM6AAAAAAVLLZAEQ. You are receiving this because you commented.

— Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608#issuecomment-1449228967, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJLJJT3TLSLFJ4CYDCV5SOTWZ2XMJANCNFSM6AAAAAAVLLZAEQ. You are receiving this because you authored the thread.

— David Severance Email to: @.*** Visit me at http://www.sblk.net/ (949) 351-2525

davidsev7 commented 1 year ago

https://uci.zoom.us/my/davidseverance?pwd=OFA2Mjd0cFhLZk1aOVQ4R095V2h6UT09 https://uci.zoom.us/my/davidseverance?pwd=OFA2Mjd0cFhLZk1aOVQ4R095V2h6UT09

This one is better. I’m in there now. David

On Feb 28, 2023, at 4:08 PM, Ross Scroggs @.***> wrote:

David,

Do: gam oauth delete gam oauth create

Ross

On Tue, Feb 28, 2023 at 4:00 PM David Severance @.***> wrote:

The issue tracker is for reporting product deficiencies. "How do I?" questions should be posted to the discussion forum at https://groups.google.com/group/google-apps-manager. When in doubt, start at the discussion forum and return here only when instructed to do so.

Please confirm the following:

Full steps to reproduce the issue:

  1. gam user sev show vacation

Expected outcome (what are you trying to do?):

The vacation settings

Actual outcome (what errors or bad behavior do you see instead?):

ERROR: User @.***: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

I also did this to validate my service account...

@. gam]# ./gam user oit-eus-igs-ga check serviceaccount Computer clock status: Your system time differs from admin.googleapis.com by less than 1 second PASS Service Account Private Key Authentication: Authenticating... PASS Checking key age. Google recommends rotating keys on a routine basis... Your key is old. Recommend running "gam rotate sakey" to get a new key Key is 89 days old WARN Domain-Wide Delegation authentication as @.: https://mail.google.com/ PASS https://www.googleapis.com/auth/apps.alerts PASS https://www.googleapis.com/auth/calendar PASS https://www.googleapis.com/auth/cloud-identity PASS https://www.googleapis.com/auth/drive PASS https://www.googleapis.com/auth/drive.activity PASS https://www.googleapis.com/auth/gmail.settings.basic PASS https://www.googleapis.com/auth/gmail.settings.sharing PASS https://www.googleapis.com/auth/spreadsheets PASS

All scopes passed! Service account 100320192155763691457 is fully authorized. @.*** gam]#

The service account client ID matches too. This all used to work earlier this year until I tried it today.

— Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL3FSDEFMKTPLA2LQZLWZ2GRNANCNFSM6AAAAAAVLLZAEQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>

-- Ross Scroggs @.*** — Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608#issuecomment-1449115338, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJLJJTYYOCIYPQ4T56KEWU3WZ2HQJANCNFSM6AAAAAAVLLZAEQ. You are receiving this because you authored the thread.

— David Severance Email to: @.*** Visit me at http://www.sblk.net/ (949) 351-2525

taers232c commented 1 year ago

David,

I just finished dinner; I'm trying to join but it says I have to have an account.

Ross

Ross Scroggs @.***

On Feb 28, 2023, at 6:52 PM, David Severance @.***> wrote:

https://uci.zoom.us/my/davidseverance?pwd=OFA2Mjd0cFhLZk1aOVQ4R095V2h6UT09 https://uci.zoom.us/my/davidseverance?pwd=OFA2Mjd0cFhLZk1aOVQ4R095V2h6UT09

This one is better. I’m in there now. David

On Feb 28, 2023, at 4:08 PM, Ross Scroggs @.***> wrote:

David,

Do: gam oauth delete gam oauth create

Ross

On Tue, Feb 28, 2023 at 4:00 PM David Severance @.***> wrote:

The issue tracker is for reporting product deficiencies. "How do I?" questions should be posted to the discussion forum at https://groups.google.com/group/google-apps-manager. When in doubt, start at the discussion forum and return here only when instructed to do so.

Please confirm the following:

Full steps to reproduce the issue:

  1. gam user sev show vacation

Expected outcome (what are you trying to do?):

The vacation settings

Actual outcome (what errors or bad behavior do you see instead?):

ERROR: User @.***: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

I also did this to validate my service account...

@. gam]# ./gam user oit-eus-igs-ga check serviceaccount Computer clock status: Your system time differs from admin.googleapis.com by less than 1 second PASS Service Account Private Key Authentication: Authenticating... PASS Checking key age. Google recommends rotating keys on a routine basis... Your key is old. Recommend running "gam rotate sakey" to get a new key Key is 89 days old WARN Domain-Wide Delegation authentication as @.: https://mail.google.com/ PASS https://www.googleapis.com/auth/apps.alerts PASS https://www.googleapis.com/auth/calendar PASS https://www.googleapis.com/auth/cloud-identity PASS https://www.googleapis.com/auth/drive PASS https://www.googleapis.com/auth/drive.activity PASS https://www.googleapis.com/auth/gmail.settings.basic PASS https://www.googleapis.com/auth/gmail.settings.sharing PASS https://www.googleapis.com/auth/spreadsheets PASS

All scopes passed! Service account 100320192155763691457 is fully authorized. @.*** gam]#

The service account client ID matches too. This all used to work earlier this year until I tried it today.

— Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL3FSDEFMKTPLA2LQZLWZ2GRNANCNFSM6AAAAAAVLLZAEQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>

-- Ross Scroggs @.*** — Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608#issuecomment-1449115338, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJLJJTYYOCIYPQ4T56KEWU3WZ2HQJANCNFSM6AAAAAAVLLZAEQ. You are receiving this because you authored the thread.

— David Severance Email to: @.*** Visit me at http://www.sblk.net/ (949) 351-2525

— Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608#issuecomment-1449253061, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL5CLG4IMVP6FBFAHXDWZ22YRANCNFSM6AAAAAAVLLZAEQ. You are receiving this because you commented.

taers232c commented 1 year ago

David,

I made a Zoom account now I get a message saying that the meeting is for authorized participants only.

Ross

Ross Scroggs @.***

On Feb 28, 2023, at 6:52 PM, David Severance @.***> wrote:

https://uci.zoom.us/my/davidseverance?pwd=OFA2Mjd0cFhLZk1aOVQ4R095V2h6UT09 https://uci.zoom.us/my/davidseverance?pwd=OFA2Mjd0cFhLZk1aOVQ4R095V2h6UT09

This one is better. I’m in there now. David

On Feb 28, 2023, at 4:08 PM, Ross Scroggs @.***> wrote:

David,

Do: gam oauth delete gam oauth create

Ross

On Tue, Feb 28, 2023 at 4:00 PM David Severance @.***> wrote:

The issue tracker is for reporting product deficiencies. "How do I?" questions should be posted to the discussion forum at https://groups.google.com/group/google-apps-manager. When in doubt, start at the discussion forum and return here only when instructed to do so.

Please confirm the following:

Full steps to reproduce the issue:

  1. gam user sev show vacation

Expected outcome (what are you trying to do?):

The vacation settings

Actual outcome (what errors or bad behavior do you see instead?):

ERROR: User @.***: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

I also did this to validate my service account...

@. gam]# ./gam user oit-eus-igs-ga check serviceaccount Computer clock status: Your system time differs from admin.googleapis.com by less than 1 second PASS Service Account Private Key Authentication: Authenticating... PASS Checking key age. Google recommends rotating keys on a routine basis... Your key is old. Recommend running "gam rotate sakey" to get a new key Key is 89 days old WARN Domain-Wide Delegation authentication as @.: https://mail.google.com/ PASS https://www.googleapis.com/auth/apps.alerts PASS https://www.googleapis.com/auth/calendar PASS https://www.googleapis.com/auth/cloud-identity PASS https://www.googleapis.com/auth/drive PASS https://www.googleapis.com/auth/drive.activity PASS https://www.googleapis.com/auth/gmail.settings.basic PASS https://www.googleapis.com/auth/gmail.settings.sharing PASS https://www.googleapis.com/auth/spreadsheets PASS

All scopes passed! Service account 100320192155763691457 is fully authorized. @.*** gam]#

The service account client ID matches too. This all used to work earlier this year until I tried it today.

— Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL3FSDEFMKTPLA2LQZLWZ2GRNANCNFSM6AAAAAAVLLZAEQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>

-- Ross Scroggs @.*** — Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608#issuecomment-1449115338, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJLJJTYYOCIYPQ4T56KEWU3WZ2HQJANCNFSM6AAAAAAVLLZAEQ. You are receiving this because you authored the thread.

— David Severance Email to: @.*** Visit me at http://www.sblk.net/ (949) 351-2525

— Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608#issuecomment-1449253061, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL5CLG4IMVP6FBFAHXDWZ22YRANCNFSM6AAAAAAVLLZAEQ. You are receiving this because you commented.

davidsev7 commented 1 year ago

Try it again, I’ve changed my settings to drop the auth part.

On Feb 28, 2023, at 7:26 PM, Ross Scroggs @.***> wrote:

David,

I made a Zoom account now I get a message saying that the meeting is for authorized participants only.

Ross

Ross Scroggs @.***

On Feb 28, 2023, at 6:52 PM, David Severance @.***> wrote:

https://uci.zoom.us/my/davidseverance?pwd=OFA2Mjd0cFhLZk1aOVQ4R095V2h6UT09 https://uci.zoom.us/my/davidseverance?pwd=OFA2Mjd0cFhLZk1aOVQ4R095V2h6UT09

This one is better. I’m in there now. David

On Feb 28, 2023, at 4:08 PM, Ross Scroggs @.***> wrote:

David,

Do: gam oauth delete gam oauth create

Ross

On Tue, Feb 28, 2023 at 4:00 PM David Severance @.***> wrote:

The issue tracker is for reporting product deficiencies. "How do I?" questions should be posted to the discussion forum at https://groups.google.com/group/google-apps-manager. When in doubt, start at the discussion forum and return here only when instructed to do so.

Please confirm the following:

Full steps to reproduce the issue:

  1. gam user sev show vacation

Expected outcome (what are you trying to do?):

The vacation settings

Actual outcome (what errors or bad behavior do you see instead?):

ERROR: User @.***: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

I also did this to validate my service account...

@. gam]# ./gam user oit-eus-igs-ga check serviceaccount Computer clock status: Your system time differs from admin.googleapis.com by less than 1 second PASS Service Account Private Key Authentication: Authenticating... PASS Checking key age. Google recommends rotating keys on a routine basis... Your key is old. Recommend running "gam rotate sakey" to get a new key Key is 89 days old WARN Domain-Wide Delegation authentication as @.: https://mail.google.com/ PASS https://www.googleapis.com/auth/apps.alerts PASS https://www.googleapis.com/auth/calendar PASS https://www.googleapis.com/auth/cloud-identity PASS https://www.googleapis.com/auth/drive PASS https://www.googleapis.com/auth/drive.activity PASS https://www.googleapis.com/auth/gmail.settings.basic PASS https://www.googleapis.com/auth/gmail.settings.sharing PASS https://www.googleapis.com/auth/spreadsheets PASS

All scopes passed! Service account 100320192155763691457 is fully authorized. @.*** gam]#

The service account client ID matches too. This all used to work earlier this year until I tried it today.

— Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL3FSDEFMKTPLA2LQZLWZ2GRNANCNFSM6AAAAAAVLLZAEQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>

-- Ross Scroggs @.*** — Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608#issuecomment-1449115338, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJLJJTYYOCIYPQ4T56KEWU3WZ2HQJANCNFSM6AAAAAAVLLZAEQ. You are receiving this because you authored the thread.

— David Severance Email to: @.*** Visit me at http://www.sblk.net/ (949) 351-2525

— Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608#issuecomment-1449253061, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL5CLG4IMVP6FBFAHXDWZ22YRANCNFSM6AAAAAAVLLZAEQ. You are receiving this because you commented.

— Reply to this email directly, view it on GitHub https://github.com/GAM-team/GAM/issues/1608#issuecomment-1449277829, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJLJJT27TAA4O6DITNWQ27TWZ26XVANCNFSM6AAAAAAVLLZAEQ. You are receiving this because you authored the thread.

— David Severance Email to: @.*** Visit me at http://www.sblk.net/ (949) 351-2525

davidsev7 commented 1 year ago

Before I headed to bed I checked on the status of the auth with the advanced gam...

[root@igsx gamadv-xtd3]# ./gam user oit-eus-igs-ga check serviceaccount System time status Your system time differs from admin.googleapis.com by less than 1 second PASS Service Account Private Key Authentication Authentication PASS Service Account Private Key age; Google recommends rotating keys on a routine basis Service Account Private Key age: 0 days PASS Domain-wide Delegation authentication:, User: oit-eus-igs-ga@uci.edu, Scopes: 28 https://mail.google.com/ PASS (1/28) https://sites.google.com/feeds PASS (2/28) https://www.googleapis.com/auth/apps.alerts PASS (3/28) https://www.googleapis.com/auth/calendar PASS (4/28) https://www.googleapis.com/auth/classroom.announcements PASS (5/28) https://www.googleapis.com/auth/classroom.coursework.students PASS (6/28) https://www.googleapis.com/auth/classroom.courseworkmaterials PASS (7/28) https://www.googleapis.com/auth/classroom.profile.emails PASS (8/28) https://www.googleapis.com/auth/classroom.rosters PASS (9/28) https://www.googleapis.com/auth/classroom.topics PASS (10/28) https://www.googleapis.com/auth/cloud-identity PASS (11/28) https://www.googleapis.com/auth/cloud-platform PASS (12/28) https://www.googleapis.com/auth/contacts PASS (13/28) https://www.googleapis.com/auth/contacts.other.readonly PASS (14/28) https://www.googleapis.com/auth/datastudio PASS (15/28) https://www.googleapis.com/auth/directory.readonly PASS (16/28) https://www.googleapis.com/auth/documents PASS (17/28) https://www.googleapis.com/auth/drive PASS (18/28) https://www.googleapis.com/auth/drive.activity PASS (19/28) https://www.googleapis.com/auth/drive.admin.labels PASS (20/28) https://www.googleapis.com/auth/drive.labels PASS (21/28) https://www.googleapis.com/auth/gmail.modify PASS (22/28) https://www.googleapis.com/auth/gmail.settings.basic PASS (23/28) https://www.googleapis.com/auth/gmail.settings.sharing PASS (24/28) https://www.googleapis.com/auth/keep PASS (25/28) https://www.googleapis.com/auth/spreadsheets PASS (26/28) https://www.googleapis.com/auth/tasks PASS (27/28) https://www.googleapis.com/auth/userinfo.profile PASS (28/28) All scopes PASSED!

Service Account Client name: 101976691844374140617 is fully authorized.

[root@igsx gamadv-xtd3]# ./gam user sev show vacation User: sev@uci.edu, Vacation: Enabled: False Contacts Only: False Domain Only: False Start Date: 2022-10-15 End Date: 2022-10-20 Subject: Message:

I will be out of the office in Utah on vacation. I will be checking my emails in the evening but most things will need to wait until I return. If you need something escalated please talk with my manager Jed Rogge <jed@uci.edu>

Thanks,
David

[root@igsx gamadv-xtd3]# ./gam user oit-eus-igs-ga show vacation User: oit-eus-igs-ga@uci.edu, Vacation: Enabled: False Contacts Only: False Domain Only: False Subject: Message: None

Both show vacation commands worked, the non priv account and the super admin account. Then for giggles I went to the regular GAM 6.50 directory and checked again...

[root@igsx gamadv-xtd3]# cd ../gam [root@igsx gam]# ./gam user oit-eus-igs-ga check serviceaccount Computer clock status: Your system time differs from admin.googleapis.com by less than 1 second PASS Service Account Private Key Authentication: Authenticating... PASS Checking key age. Google recommends rotating keys on a routine basis... Your key is old. Recommend running "gam rotate sakey" to get a new key Key is 89 days old WARN Domain-Wide Delegation authentication as oit-eus-igs-ga@uci.edu: https://mail.google.com/ PASS https://www.googleapis.com/auth/apps.alerts PASS https://www.googleapis.com/auth/calendar PASS https://www.googleapis.com/auth/cloud-identity PASS https://www.googleapis.com/auth/drive PASS https://www.googleapis.com/auth/drive.activity PASS https://www.googleapis.com/auth/gmail.settings.basic PASS https://www.googleapis.com/auth/gmail.settings.sharing PASS https://www.googleapis.com/auth/spreadsheets PASS

All scopes passed! Service account 100320192155763691457 is fully authorized.

The service account still worked but now both the normal and super admin accounts worked...

[root@igsx gam]# ./gam user oit-eus-igs-ga show vacation User: oit-eus-igs-ga@uci.edu, Vacation: (1/1) Enabled: False

[root@igsx gam]# ./gam user sev show vacation User: sev@uci.edu, Vacation: (1/1) Enabled: False

Since we were having huge propagation delays I wonder if there is something to that but why would it pass checks earlier yet fail an actual show vacation command? Not sure if there is any more info to be gleaned or you want we to collect. thanks, David