6

I want to request a token so that I can have my Postman logged in to my Gmail account and then call Google Cloud APIs.

I am trying by typing my Gmail email address and its password, as you can see in this picture

Postman Request Token

The final goal is to get APIs like this

https://monitoring.googleapis.com/v1/projects/firetestjimis/dashboards

I can do it by logging in with my Gmail account from gcloud ("gcloud auth application-default login"), then printing the token with gcloud auth application-default print-access-token, copying the printed token and pasting it in Access Token (Postman). Well, it works, but it kind of obligates me to start gcloud and have it installed. I am pretty sure I can reach the same idea by signing in with the same user I sign in with in gcloud. I just don't know how to do it with Postman. All I have read in the last hours drove me to the image I pasted above, but it is failing with the error from this question.

In case it is relevant, here is the gcloud console where I get the token

C:\Program Files (x86)\Google\Cloud SDK>gcloud auth application-default print-access-token
C:\Program Files (x86)\Google\Cloud SDK\google-cloud-sdk\bin\..\lib\third_party\google\auth\_default.py:69: UserWarning: Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most server applications use service accounts instead. If your application continues to use end user credentials from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about service accounts, see https://cloud.google.com/docs/authentication/
  warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING)
ya29.a0Ae4lvC3-3WxUmx... removed token ... hs251yTql3eEE

C:\Program Files (x86)\Google\Cloud SDK>

*** Edited a bit after first posted

Another attempt is resulting in

Erro 400: invalid_request
Invalid parameter value for redirect_uri: Missing scheme: /

When I tried

Postman

The Client Id I copied from

https://console.developers.google.com/apis/credentials

*** edited after Madhead's suggestion

I followed carefully all the steps proposed and indeed I can get a Google token straight from Postman by clicking on Get New Access Token. Nevertheless it gets

{
  "error": {
    "code": 403,
    "message": "Request had insufficient authentication scopes.",
    "status": "PERMISSION_DENIED"
  }
}

For these two attempts from Postman (I pasted the curl script since it is easier for others to evaluate than a Postman screenshot)

curl --location --request GET 'https://monitoring.googleapis.com/v1/projects/firetestjimis/dashboards' --header 'Authorization: Bearer ya29. *** token *** kO3Fg'

curl --location --request POST 'https://firestore.googleapis.com/v1/projects/firetestjimis/databases/(default)/documents:runQuery' --header 'Authorization: Bearer ya29. *** token *** kO3Fg' --header 'Content-Type: application/json' --data-raw '{
  "structuredQuery": {
    "where": {
      "fieldFilter": {
        "field": {"fieldPath": "id"},
        "op": "EQUAL",
        "value": {"stringValue": "1"}
      }
    },
    "from": [{"collectionId": "transfer"}]
  }
}'

Here is the OAuth Client ID created in credentials screen

{
  "web": {
    "client_id": "7953 *** 5k6e9ivtdg.apps.googleusercontent.com",
    "project_id": "firetestjimis",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_secret": "IJGCe *** Du6bU",
    "redirect_uris": ["https://oauth.pstmn.io/v1/callback"]
  }
}

as downloaded from

Google Cloud Platform Credentials

And here is the OAuth consent screen

*** edited

Add Scope screen

scope invalid

*** edited

trying to add https://monitoring.googleapis.com/ as a scope

*** edited

Nothing returned from Cloud Monitoring API

*** edited after successfully adding two scopes

It says "Because you've added a sensitive scope, your consent screen requires verification by Google before it's published"

waiting for Google approval

And when I clicked on "Submit for verification" I see it complaining about the Application Homepage and Application Privacy links

complaining about two urls

Jim C

3 Answers

8

It's actually possible to use Postman to access OAuth 2.0 secured Google APIs.

First, you need to create an OAuth client in your Google Cloud Console project. It should be a "Web application" client, and the redirect URI should be https://oauth.pstmn.io/v1/callback:

Create OAuth client ID

Take a note of the Client ID and Client Secret:

Client ID & Client Secret

Now, go to Postman. Create a new request. On the "Authorization" tab, select OAuth 2.0 and then click "Get New Access Token":

New request

Fill in the form.

  • Callback URL: https://oauth.pstmn.io/v1/callback (will be set up automatically by Authorize using browser).
  • Authorize using browser: true
  • Auth URL: https://accounts.google.com/o/oauth2/auth
  • Access Token URL: https://accounts.google.com/o/oauth2/token
  • Client ID: ${your client id}
  • Client Secret: ${your client secret}
  • Scope: ${your scopes}, e.g. https://www.googleapis.com/auth/gmail.readonly for Gmail read-only access. Make sure that the corresponding scopes and APIs are allowed in your project (e.g. on the consent screen configuration page).

New access token

Consent screen & Scopes

Monitoring scopes

Click "Request Token". The browser will open Google's OAuth consent screen of pstmn.io app. Log in if necessary and grant the access. At the end of the process, a pop-up will be opened (make sure it is not blocked by your browser), redirecting you back to the Postman app.

Go and use your token!

Token usage

madhead
  • thanks. I followed carefully your suggestion and I get "error": { "code": 403, "message": "Request had insufficient authentication scopes.", "status": "PERMISSION_DENIED" } when I try these two requests using the Token. (1) post to https://firestore.googleapis.com/v1/projects/firetestjimis/databases/(default)/documents:runQuery and (2) get from https://monitoring.googleapis.com/v1/projects/firetestjimis/dashboards. Am I missing an extra step? I added the whole curl above – Jim C May 26 '20 at 18:53
  • 1
    Seems like the request you do uses the scopes you haven't asked for. – madhead May 26 '20 at 18:55
  • I believe I have failed on following this step "Make sure that corresponding scopes and API's are allowed in your project (e.g. on consent scree configuration page)". Kindly, can you exemplify or add a screenshot about what I must do in the consent screen? – Jim C May 26 '20 at 19:17
  • 1
    @JimC, take a look at the updated answer. I've added a screenshot. The scopes are really project-dependent, and you should choose those you need. – madhead May 26 '20 at 19:28
  • I understood from your screenshot that I missed adding two scopes: ../auth/gmail.readonly and ../auth/gmail.labels. I tried but it didn't seem to be saved – Jim C May 26 '20 at 19:44
  • I added a new screenshot when it showed this error: The following scope was not added because it is invalid: ../auth/gmail.readonly – Jim C May 26 '20 at 19:50
  • When you said "The scopes are really project-dependent, and you should choose those you need" does it mean that instead of adding ../auth/gmail.readonly and ../auth/gmail.labels I should add something like https://monitoring.googleapis.com/v1/projects/firetestjimis/dashboards and https://firestore.googleapis.com/v1/projects/firetestjimis/databases/(default)/documents:runQuery? If so, how? I added a new screenshot – Jim C May 26 '20 at 20:21
  • 1
    Of course. It means that you should add the scopes you need. In my example I use Gmail scopes because I demonstrate using the Gmail API. – madhead May 26 '20 at 20:22
  • 1
    @JimC. See another screenshot. Just press "Add scope" button and use the search for "Monitoring". You can even add all the monitoring scopes if you're not sure what you need. – madhead May 26 '20 at 20:25
  • so weird. You typed Cloud Monitoring API and you had at least 4 options. I tried and I don't see any option at all. I will add another screenshot and you can see nothing appears to me – Jim C May 26 '20 at 20:30
  • ohh my goodness, really my bad. I typed both Cloud Monitoring API and Cloud Firestore API and it didn't bring any result. If I type either one I get results – Jim C May 26 '20 at 20:39
  • It seems I have to wait until Google allows it. I see "Use of this API scope will be restricted until it is approved." on left side of each scope and I can read also "Scopes for Google APIs Scopes allow your application to access your user's private data. Learn more If you add a sensitive scope, such as scopes that give you full access to Calendar or Drive, Google will verify your consent screen before it's published. Because you've added a sensitive scope, your consent screen requires verification by Google before it's published". Do I have to do any further step? Added new screen – Jim C May 26 '20 at 20:46
  • I added two more screenshots. I guess I just have to wait for a while, right? A bit strange: I click on "Submit for verification" and it complains about two links: Application Homepage link and Application Privacy Policy link. Well, I don't have such URLs since I am using only Firestore. I am not hosting a Web Application in Google Virtual Machines. Our company will only use Firestore for Real Time Database. Can I ignore the button "Submit for verification" or is it mandatory in order to use the OAuth Consent Screen with Cloud Monitoring API and Cloud Firestore API scopes? – Jim C May 26 '20 at 20:56
  • 1
    That's ok. You can use APIs now. Look at my screenshot, there is a warning triangle too. That just means that you cannot publish your app and have > 100 users yet, but it's totally ok to use the API yourself. – madhead May 26 '20 at 22:10
  • 1
    The review is mandatory only if you want to publish the app and have thousands of customers. But you can go ahead and test your code right now. – madhead May 26 '20 at 22:11
  • now I got this error: "error": { "code": 403, "message": "Request had insufficient authentication scopes.", "status": "PERMISSION_DENIED" }. It seems I chose the wrong scopes. Do you know if I should pick other scopes than "Cloud Monitoring API" and "Cloud Firestore API" in order to reach "https://monitoring.googleapis.com/v1" and "https://firestore.googleapis.com/v1/" respectively? – Jim C May 27 '20 at 01:05
  • I checked and I have 5 added scopes: they are ../auth/datastore ../auth/cloud-platform ../auth/monitoring.read ../auth/monitoring ../auth/monitoring.write. Any clue if I should add others also? – Jim C May 27 '20 at 01:11
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/214765/discussion-between-jim-c-and-madhead). – Jim C May 27 '20 at 18:21
  • @madhead - I try to add https://oauth.pstmn.io/v1/callback to 'Authorized redirect URIs' in the google API console credentials page, however when I click 'SAVE' or 'CREATE' (if creating the credentials for the first time), the page hangs with a spinning symbol on the 'SAVING' button. Can you suggest anything? Is this a domain authorisation issue? – rnoodle Jun 15 '21 at 14:59
  • @madhead - I think I needed to set the scopes first before attempting to add a redirect URI - see my answer here https://stackoverflow.com/questions/67992003/google-api-credentials-screen-stuck-spinning-after-adding-a-postman-redirect-uri – rnoodle Jun 15 '21 at 21:49
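As an added example (not code from the question or the answers), the following Python builds the authorization request Postman sends with the Auth URL and callback from madhead's answer, validates the redirect_uri the way Google does (the "Missing scheme" error), and checks a token's granted scopes against the API host being called, which is the check behind the 403 "insufficient authentication scopes" in the comments. The endpoint-to-scope mapping, the function names and the tokeninfo responses are assumptions constructed for illustration.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse

AUTH_URI = "https://accounts.google.com/o/oauth2/auth"   # from the answer
POSTMAN_CALLBACK = "https://oauth.pstmn.io/v1/callback"  # from the answer

# Assumed mapping of API host -> scopes (named in the thread) that let a token reach it.
ACCEPTED_SCOPES = {
    "monitoring.googleapis.com": {
        "https://www.googleapis.com/auth/monitoring.read",
        "https://www.googleapis.com/auth/monitoring",
        "https://www.googleapis.com/auth/cloud-platform",
    },
    "firestore.googleapis.com": {
        "https://www.googleapis.com/auth/datastore",
        "https://www.googleapis.com/auth/cloud-platform",
    },
}

def redirect_uri_is_valid(redirect_uri):
    """Google rejects a redirect_uri without scheme and host ('Missing scheme: /')."""
    p = urlparse(redirect_uri)
    return bool(p.scheme and p.netloc)

def build_auth_url(client_id, scopes, redirect_uri=POSTMAN_CALLBACK, state=None):
    """The authorization-code request Postman sends when you click Request Token."""
    if not redirect_uri_is_valid(redirect_uri):
        raise ValueError(f"redirect_uri must be an absolute URL: {redirect_uri!r}")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must also be registered on the OAuth client
        "response_type": "code",
        "scope": " ".join(scopes),      # scopes are space-separated, not comma-separated
        "state": state or secrets.token_urlsafe(16),  # binds the callback to this request
    }
    return f"{AUTH_URI}?{urlencode(params)}"

def token_can_call(api_url, tokeninfo_json):
    """tokeninfo_json: body of https://oauth2.googleapis.com/tokeninfo for the bearer
    token. False is exactly the case that yields 403 'insufficient authentication scopes'."""
    host = urlparse(api_url).netloc
    granted = set(json.loads(tokeninfo_json).get("scope", "").split())
    return bool(ACCEPTED_SCOPES.get(host, set()) & granted)

# Constructed tokeninfo samples (not real responses).
GMAIL_ONLY = json.dumps({"scope": "https://www.googleapis.com/auth/gmail.readonly", "expires_in": "3599"})
MONITORING = json.dumps({"scope": "https://www.googleapis.com/auth/monitoring.read openid"})
```

Running the real tokeninfo lookup on the token Postman obtained and feeding its body to token_can_call tells you whether the consent screen granted the scopes the request needs before you retry the API call.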
3

You cannot achieve your goal of logging into Google Accounts using this method. Client ID and Client Secret are not your username and password. They are the credentials for your authentication client.

If you want to use Google user credentials, you will need to implement a supported Google OAuth Flow. There are several methods but all involve a web browser to handle the username and password entry.

In order to generate an OAuth Token (Access/Identity/Refresh), you will also need to specify the scope of access. This could involve/require a security audit of your application. Therefore, I recommend that you use Google supported libraries unless you desire to understand the implementation details of OAuth Flows.

Authenticating as an End User

John Hanley
  • regarding your comment about "Client ID and Client Secret are not your username and password. They are the credentials for your authentication client." it is 100% clear. Also I was expecting Postman to pop up a browser so I could log in to Gmail. It happens the same with gcloud. BTW, are you sure I can't simply use Postman to request a token more or less how I am doing? It seems someone accomplished it https://stackoverflow.com/questions/32076503/using-postman-to-access-oauth-2-0-google-apis – Jim C May 05 '20 at 20:32
  • 1
    My answer is to answer your question. In regards to the link, if you use the correct credentials, you will receive a URL to enter into a browser. Try going through the steps in the link provided; it won't work today without a browser handling authentication or a browser plugin that follows Google's rules. Google does not want bots to be able to brute force logins. Google now requires human interaction as part of the authentication process. Today, the best you will achieve is a security lock on your account using the linked method. – John Hanley May 05 '20 at 20:46
  • thanks for all your contribution. It seems it is indeed possible: "I want to request a token in order I can have my Postman logged in my Gmail account and then I can call Google Cloud APIs". It seems I was just following the wrong steps. – Jim C May 27 '20 at 22:38
0

I was having the same issue and solved it by fixing the incorrect (probably old) API URLs.

Make sure you are using the right authorization endpoint URLs. To do this, download the JSON file that includes the information needed to authorize your application. You can reach the link to the file by following Home > APIs & Services > Credentials from the left menu then OAuth 2.0 Client IDs.

It will provide the information like below:

{
    "web": {
        "client_id": "xxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
        "project_id": "xxxxxxxxxxxxxx",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_secret": "xxxxxxxxxxxxxxxxxxxxxxx",
        "redirect_uris": [
            "https://oauth.pstmn.io/v1/browser-callback"
        ]
    }
}

Karr