Hi,
I'm trying to make a script to pull and sync Company Owned Devices via Google Sheets and Apps Script so we can stop dealing with CSVs.
This API needs OAuth as it doesn't have an Apps Script wrapper yet.
https://cloud.google.com/identity/docs/reference/rest/v1/devices/list
Authorization Scopes
Requires one of the following OAuth scopes:
All of them return: Error 400: invalid_scope
None of them are on the Google scope list either:
https://developers.google.com/identity/protocols/oauth2/scopes
Does anyone have any ideas, or has anyone implemented that API anywhere?
I see no one has any idea, so I've subscribed to Google support to be able to open a ticket. I will post results here.
Hello, I'd love to hear about any update you've gotten. When I try to add this scope to my OAuth app I get: "The following scope(s) were not added because they are invalid"
I'm not too familiar with the Devices API, but it's relatively new. In Apps Script it's a fact that you can't use it because there isn't any class yet.
The only way (AFAIK) you can get the list of devices is by impersonating an admin using a service account. I've done it in Postman and Google Colab (it's Python, so Jupyter or any Python CLI would work).
You can post the feature idea on https://www.googlecloudcommunity.com/gc/Feature-Ideas/idb-p/workspace-ideas-groupidea-board to consider having a Devices Apps Script class in the future.
Hey @davidsalomon , thank you for your swift response, it is greatly appreciated.
I'm working based on the documentation here, which states that this is the scope I should be using. That being said, in the list of OAuth2 scopes here, I cannot find it. I'm not sure how I can use that endpoint if the scope does not exist.
Thanks again for your help.
How are you implementing your code? The most similar I found in the list is this
I don't promise anything, but if you want, share your code and I can test it out on my end. For security, delete any personal details.
Hi, I am also seeing an error when using those scopes.
I have since tried using a different scope:
auth/cloud-identity.devices.lookup
Hi there,
The same issue here: no way to authorize, as the scopes are missing.
Any update on Google's side?
File a support ticket or provide more details about your issue.
OK, found the solution. cc @ThatMat @armoza @jautomatic
Generally, this API and its scopes are only accessible using a service_account and authenticating using a JWT token.
It took me some time, but I found https://cloud.google.com/identity/docs/how-to/setup-devices within the same section as the API reference.
I've set it up using a Cloud Function with the JWT mounted as a secret. Not the easiest method, but at least it works.
However, it's overly complicated for what is required and how other API endpoints are set.
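The service-account JWT flow described in the solution above (and the admin impersonation mentioned earlier in the thread), as an added example that is not part of the original posts or of Google's code: it builds the signed assertion and the token request body in Node.js. Assumptions: the service account has been granted domain-wide delegation for the read-only devices scope, and the key, e-mail addresses and `constructedKey` helper are constructed stand-ins so the block runs offline.

```javascript
const crypto = require("crypto");

const TOKEN_URL = "https://oauth2.googleapis.com/token";
// Read-only scope: enough for devices.list (least privilege).
const DEVICES_SCOPE = "https://www.googleapis.com/auth/cloud-identity.devices.readonly";

const b64url = (value) => Buffer.from(value).toString("base64url");

// Build and RS256-sign the assertion from a service-account JSON key.
// `adminEmail` becomes `sub`: the Workspace admin being impersonated.
function buildAssertion(key, adminEmail, nowSec = Math.floor(Date.now() / 1000)) {
  const header = { alg: "RS256", typ: "JWT", kid: key.private_key_id };
  const claims = {
    iss: key.client_email,
    sub: adminEmail,
    scope: DEVICES_SCOPE,
    aud: TOKEN_URL,
    iat: nowSec,
    exp: nowSec + 3600, // one hour is the longest lifetime the token endpoint accepts
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign("RSA-SHA256", Buffer.from(signingInput), key.private_key);
  return `${signingInput}.${signature.toString("base64url")}`;
}

// Form body to POST to TOKEN_URL; the JSON response carries `access_token`,
// sent as a Bearer token to https://cloudidentity.googleapis.com/v1/devices.
function tokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    assertion,
  }).toString();
}

// Constructed stand-in for a downloaded key file, so the example runs offline.
function constructedKey() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const key = {
    client_email: "device-sync@example-project.iam.gserviceaccount.com", // constructed
    private_key_id: "constructed-key-id", // constructed
    private_key: privateKey.export({ type: "pkcs8", format: "pem" }),
  };
  return { key, publicKey };
}

const demo = constructedKey();
console.log(tokenRequestBody(buildAssertion(demo.key, "admin@example.com")).slice(0, 80) + "...");
```

In a real deployment the key JSON comes from the mounted secret rather than being generated, and the interactive OAuth consent screen is never involved, which is why the scope is rejected there.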
I will have a look, but I'm pretty sure I've done that, just used OAuth instead of JSON for authentication.
It's also possible Google just fixed it, 5 months after all.
What APIs does your project have, and what permissions did you give to the service account?
Did it work for you?
Working on a similar thing here. I want to create a cloud function in GCP to look at our devices. While doing some local testing using github.com/GoogleCloudPlatform/functions-framework-go/functions the following happens.
# I use gcloud to use my admin credentials for testing which will create ADC (Application
# Default Credentials) that google libraries will find
$ gcloud auth application-default login
# But when I create a cloudidentity service and try to call devices.list that returns
# "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
# So I try and add the scope from this page https://developers.google.com/identity/protocols/oauth2/scopes#cloudidentity
$ gcloud auth application-default login --scopes="https://cloud.google.com/identity/"
# But that returns Error 400: invalid_scopes
Any thoughts would be appreciated