search

taers232c / GAMADV-XTD3

Command line tool to manage Google Workspace
732 stars 86 forks source link

Error 400 (invalid_request) while authorizing scopes #147

Closed vargiuscuola closed 3 years ago

vargiuscuola commented 3 years ago

Hi, I'm lately getting the following error:

Error 400: invalid_request
Account restricted

while authorizing scopes.

I found out that unselecting the scope admin.chrome.printers (item 25 Directory API - Printers (supports readonly)) solve the problem.

taers232c commented 3 years ago

Varglu,

Have you done: gam update project

Ross

On Mon, Apr 12, 2021 at 11:38 AM Vargiu Scuola @.***> wrote:

Hi, I'm lately getting the following error:

Error 400: invalid_request Account restricted

while authorizing scopes.

I found out that unselecting the scope admin.chrome.printers (item 25 Directory API - Printers (supports readonly)) solve the problem.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/taers232c/GAMADV-XTD3/issues/147, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYLZSTBHXYSE6JCI76XTTIM44DANCNFSM42Z2PUXQ .

-- Ross Scroggs @.***

vargiuscuola commented 3 years ago

No, it's a new project so I did gam create project and then oauth create

taers232c commented 3 years ago

Do: gam show admin user @.***

Substitute the user you used in gam oauth create for @.***

Do you get a super admin entry like this? Role Assignment ID: 597407939166212 (1/3) roleId: 597407939166209 role: _SEED_ADMIN_ROLE assignedTo: 123763751091086757999 assignedToUser: @.*** scopeType: CUSTOMER

Ross

@.***

On Apr 12, 2021, at 6:23 PM, Vargiu Scuola @.***> wrote:

No, it's a new project so I did gam create project and then oauth create

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/taers232c/GAMADV-XTD3/issues/147#issuecomment-818362340, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL2HKVXFGZV6LGXWTV3TIOMKJANCNFSM42Z2PUXQ.

vargiuscuola commented 3 years ago

I get:

Show 1 Role Assignment ID
  Role Assignment ID: 45285622457303064
    roleId: 45285622457303045
    role: _SEED_ADMIN_ROLE
    assignedTo: 116052004007823442151
    assignedToUser: <account>
    scopeType: CUSTOMER

The outcome of gam oauth create in my case depends exclusively on the fact I select or unselect the Directory API - Printers (supports readonly) scope.

taers232c commented 3 years ago

Vargiu,

You'll have to ask Google as to why that scope is restricted on your account. You're the first person to have reported this so I suspect that it is account specific.

Send me a Meet/Zoom invitation.

Ross

On Tue, Apr 13, 2021 at 7:50 AM Vargiu Scuola @.***> wrote:

I get:

Show 1 Role Assignment ID Role Assignment ID: 45285622457303064 roleId: 45285622457303045 role: _SEED_ADMIN_ROLE assignedTo: 116052004007823442151 assignedToUser: scopeType: CUSTOMER

The outcome of gam oauth create in my case depends exclusively on the fact I select or unselect the Directory API - Printers (supports readonly) scope.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/taers232c/GAMADV-XTD3/issues/147#issuecomment-818797976, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL6YCOABQ3GSISECMQDTIRK3ZANCNFSM42Z2PUXQ .

-- Ross Scroggs @.***

vargiuscuola commented 3 years ago

That is an account for which I did all configuration a couple of months ago without problems. I don't need that scope, so if it's a problem limited to that specific account that's ok: I reported it in case it's a common problem.

I sent you an invitation by email

taers232c commented 3 years ago

I didn't get the invitation, resend to ross.scroggs@gmail.com.

taers232c commented 3 years ago

If you created the project a couple of months ago, the API was probably not included in the project. What does gam update project show?

vargiuscuola commented 3 years ago

It shows the 27 APIs and they are all enabled, but again oauth create fail if the printer scope is selected.

I tried with different service account users on different domains and it's all ok, I think the problem is related to that specific account and not to GAM.

Thank you Stefano

vargiuscuola commented 3 years ago

I reopen the issue because I'm getting the same error quite often while configuring unrelated accounts on different domains. At the moment I got this error 4 times out of 5, and considering how regularly it's happening I wonder if anyone else is experiencing it.

taers232c commented 3 years ago

Send me a Meet/Zoom invitation.

vargiuscuola commented 3 years ago

I think I found the solution to this problem. Apparently the admin.chrome.printers scope needs the Access to additional services without individual control for all organizational units turned on (it's on the top of Additional Google services page)