2

Above the issue

I am trying to fetch an access token to read data from my own Google account using a VB.NET Windows Forms application. Am I missing anything?

Why should it open web browser for authorization? I just need to access my own data only.

Windows Forms code

```vb
Private Async Sub GetToken()
    Dim scopes As New List(Of String)
    scopes.Add(KeepService.Scope.Keep)

    ' Load the OAuth client secrets; Using closes the file handle afterwards
    Using stream = New FileStream("file path.json", FileMode.Open, FileAccess.Read)
        ' Interactive user authorization: this is the call that opens the browser
        Dim _userCredentials As UserCredential =
            Await Google.Apis.Auth.OAuth2.GoogleWebAuthorizationBroker.AuthorizeAsync(
                GoogleClientSecrets.Load(stream).Secrets, scopes, "user", System.Threading.CancellationToken.None)
    End Using
End Sub
```

Error Details

Authorization Error Error 400: invalid_scope Some requested scopes cannot be shown: [https://www.googleapis.com/auth/keep]


Linda Lawton - DaImTo
Pankaj
  • this is saying the scope is invalid, try something like `profile` instead – traveler3468 Dec 11 '21 at 07:04
  • that is fine but will it allow me to download my own data as an API administrator? – Pankaj Dec 11 '21 at 23:26
  • What type of data are you wanting to download? Is there a section where you can see your registered application and within there see which scopes are defined? – traveler3468 Dec 11 '21 at 23:54
  • Downloading the data is a secondary job. Firstly, Google is not even allowing me to authorize my own API using my own API credentials. It seems like there is no such Google API that lets me download my own Google Keep data without web browser based authentication. – Pankaj Dec 12 '21 at 00:03
  • @Pankaj without user interaction is called service account authorization. That is completely different to what you are doing now, which is using OAuth2 to authorize a user. From what I can tell this is an error in the API unrelated to the type of authorization you are trying to use. – Linda Lawton - DaImTo Dec 14 '21 at 14:45

2 Answers

1

If we check the documentation for Notes.list method you will notice that it states that you need to use one of the following scopes


I have tested it with the following C# code

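```csharp
using System.Threading;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Keep.v1;
using Google.Apis.Services;
using Google.Apis.Util.Store;

// clientSecretJson is the path to the OAuth client secrets file.
// Interactive user authorization requesting both documented Keep scopes;
// the resulting tokens are cached in the "credPath" folder.
var credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(
    GoogleClientSecrets.FromFile(clientSecretJson).Secrets,
    new[] { KeepService.ScopeConstants.KeepReadonly, KeepService.ScopeConstants.Keep },
    "userName",
    CancellationToken.None,
    new FileDataStore("credPath", true));

var service = new KeepService(new BaseClientService.Initializer()
{
    HttpClientInitializer = credential,
    ApplicationName = "Google Keep Oauth2 Authentication Sample"
});

var notes = await service.Notes.List().ExecuteAsync();
```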

In both instances I get the following error message


As you can see from the error message, the library is passing the proper scope as documented. It's the Google Keep API itself that is refusing the scope.

In my opinion this is a bug in the API, and I have posted an issue on the issue tracker: 210500028.

Update 16-12-2021: Google has verified this bug and are now investigating internally.

workspace

There is a note on this api. It appears that it may only work with Workspace domain accounts. I did test it with a normal Gmail account as well as with a Workspace domain account. The results were the same.

This API is an enterprise-only API used to create and manage the Keep notes within your domain, including resolving issues identified by CASB software.

Linda Lawton - DaImTo
  • it works if we add only email scope, but at the end I had to face permission issue. Here is the screenshot. https://i.stack.imgur.com/TeCFQ.png – Pankaj Dec 15 '21 at 22:29
  • This is not part of the original question; you may want to open a new question. Make sure the user you are authorizing with has access on the Workspace domain account to use this API. – Linda Lawton - DaImTo Dec 16 '21 at 09:38
  • Google has now verified this as a bug. And are investigating internally. – Linda Lawton - DaImTo Dec 16 '21 at 09:39
0

I have provided support for issues with the Keep API before, as admins regularly have issues with this API.

Currently the Keep API uses the .../auth/keep and .../auth/keep.readonly scopes for OAuth. These scopes are not allowed on the consent screen. An application that requires Keep scopes can be authenticated if you as a Domain administrator pre-approve the scope[s] for the application or by using a service account:

Following either of the two methods above should allow you to use the Keep API without running into the Invalid Scope error message.

Gabriel Carballo
  • How can I pre approve the scopes? – Pankaj Dec 15 '21 at 21:00
  • You can do so as an Admin by authorizing scopes from an app or through a service account as I detailed. You will need to build a small app to perform the authorization; using a service account would be most useful, so I would recommend doing it that way. – Gabriel Carballo Dec 15 '21 at 21:10
  • I checked; there is no way to bypass the scope or pre-approve them. – Pankaj Dec 16 '21 at 00:11
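
The service-account route mentioned in the second answer could look like the following. This is an added example, not code from either answer or from Google's samples. It assumes a Workspace domain whose administrator has granted the service account domain-wide delegation for the Keep read-only scope; the key file path and user address are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Google;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Responses;
using Google.Apis.Keep.v1;
using Google.Apis.Services;

public static class KeepServiceAccountSample
{
    // Placeholders (assumptions, not values from this page).
    private const string KeyFilePath = "service-account-key.json";
    private const string WorkspaceUser = "user@your-domain.example";

    public static async Task Main()
    {
        // No consent screen is shown: the service account acts for WorkspaceUser
        // through domain-wide delegation. Only the read-only scope is requested.
        GoogleCredential credential = GoogleCredential
            .FromFile(KeyFilePath)
            .CreateScoped(KeepService.ScopeConstants.KeepReadonly)
            .CreateWithUser(WorkspaceUser);

        var service = new KeepService(new BaseClientService.Initializer
        {
            HttpClientInitializer = credential,
            ApplicationName = "Keep service account sample"
        });

        try
        {
            var response = await service.Notes.List().ExecuteAsync();
            if (response.Notes == null) { Console.WriteLine("No notes returned."); return; }
            foreach (var note in response.Notes)
                Console.WriteLine($"{note.Name}: {note.Title}");
        }
        catch (TokenResponseException ex)
        {
            // Token endpoint refused the request, e.g. the scope was not delegated.
            Console.Error.WriteLine($"Token error: {ex.Error?.Error} {ex.Error?.ErrorDescription}");
        }
        catch (GoogleApiException ex)
        {
            // Token was issued but the Keep API rejected the call.
            Console.Error.WriteLine($"API error {(int)ex.HttpStatusCode}: {ex.Message}");
        }
    }
}
```

The key file can mint tokens for any user the delegation covers, so keep it out of source control and restrict who can read it.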