mstilkerich/rcmcarddav

GoogleAPIs.com now needs an additional API key when using basic auth

gurnec opened this issue · 5 comments

I presume OAuth is unaffected (?)

GoogleAPIs.com has changed in behavior versus a day or two ago. HTTP basic authentication still works, however an API key is now also required. For example, this no longer works:

$ curl -X PROPFIND -u username https://www.googleapis.com/.well-known/carddav
Enter host password for user 'username':
{
  "error": {
    "code": 403,
    "message": "The request is missing a valid API key.",
    "status": "PERMISSION_DENIED"
  }
}

Even though authentication is succeeding as can be shown by using an invalid password:

{
  "error": {
    "code": 401,
    "message": "Invalid Credentials",
    "status": "UNAUTHENTICATED"
  }
}

To fix this it's necessary to enable the CardDAV API at https://console.cloud.google.com/apis/library (select or create a new project first), then create a new API key at https://console.cloud.google.com/apis/credentials. Optionally you can limit that API key to only the CardDAV API.

Based on my not-at-all-exhaustive testing*, it appears necessary (and sufficient) to include this API key as a query parameter for all requests, e.g. this now works:

$ curl -X PROPFIND -u username -D - https://www.googleapis.com/.well-known/carddav?key=the-api-key
Enter host password for user 'username':
HTTP/2 301
content-type: text/plain; charset=UTF-8
expires: Mon, 01 Jan 1990 00:00:00 GMT
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store, max-age=0, must-revalidate
x-content-type-options: nosniff
location: /carddav/v1/principals/username@gmail.com/lists/default/
x-frame-options: SAMEORIGIN
pragma: no-cache
vary: Origin
vary: X-Origin
vary: Referer
date: Thu, 08 Jun 2023 20:58:55 GMT
server: ESF
content-length: 0
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

(note the expected location header)

This also works, but again only if the API key is included:

curl -X PROPFIND -u username --header ... --data-binary ... 'https://www.googleapis.com/carddav/v1/principals/username@gmail.com/lists/default/?key=the-api-key'
Enter host password for user 'username':
<?xml version="1.0" encoding="UTF-8"?>
<d:multistatus xmlns:cal="urn:ietf:params:xml:ns:caldav" xmlns:card="urn:ietf:params:xml:ns:carddav" xmlns:cs="http://calendarserver.org/ns/" xmlns:d="DAV:" xmlns:ical="http://apple.com/ns/ical/">
 <d:response>
...

etc.

I'm not sure where to go from here, I'm not even sure if this is an intentional change, a permanent change, or what....

related: mstilkerich/carddavclient#24

edit:

* For my "not-at-all-exhaustive testing" all I did was add something like this to the top of HttpClientAdapterGuzzle::sendRequest():

$uri .= "?key=the-api-key";

and then did some basic testing (added a new contact, modified an existing contact, resynced, etc.) and everything seemed to work fine (the changes were visible via my Google account).
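A cleaner form of the workaround described above, as an added example that is not rcmcarddav's own code: a Guzzle middleware that appends the API key as the `key` query parameter (preserving any existing query string, which a plain `$uri .= "?key=..."` would corrupt) and only for requests to www.googleapis.com, so the key is never sent to other CardDAV servers. It assumes guzzlehttp/guzzle is installed via Composer; the function name, the GOOGLE_API_KEY environment variable and the credentials are placeholders.

```php
<?php
// Added example (not rcmcarddav's own code): a Guzzle middleware that adds the
// Google API key as a `key` query parameter, but only for requests to
// www.googleapis.com, so the key is never leaked to any other CardDAV server.
// Assumes guzzlehttp/guzzle is installed via Composer.
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Middleware;
use Psr\Http\Message\RequestInterface;

/**
 * Build a mapRequest middleware that sets key=$apiKey in the query string of
 * requests to $host. Existing query parameters are kept intact; a naive
 * `$uri .= "?key=..."` would yield "?a=b?key=..." on URIs that already carry one.
 */
function googleApiKeyMiddleware(string $apiKey, string $host = 'www.googleapis.com'): callable
{
    return Middleware::mapRequest(function (RequestInterface $request) use ($apiKey, $host) {
        $uri = $request->getUri();
        if (strcasecmp($uri->getHost(), $host) !== 0) {
            return $request; // other hosts: leave untouched, do not send the key
        }
        parse_str($uri->getQuery(), $params);
        $params['key'] = $apiKey;
        return $request->withUri($uri->withQuery(http_build_query($params)));
    });
}

// The key comes from configuration (placeholder env var), never hard-coded.
$apiKey = getenv('GOOGLE_API_KEY') ?: 'the-api-key';

$stack = HandlerStack::create();
$stack->push(googleApiKeyMiddleware($apiKey), 'google_api_key');
$client = new Client([
    'handler' => $stack,
    'auth'    => ['username', 'password'], // placeholder basic-auth credentials
]);

// Every googleapis.com request the client makes now carries the key,
// including the .well-known discovery request shown in the issue.
$response = $client->request('PROPFIND', 'https://www.googleapis.com/.well-known/carddav', [
    'allow_redirects' => false,
]);
echo $response->getStatusCode(), ' ', $response->getHeaderLine('Location'), "\n";
```

Because the key travels in the query string it will appear in any proxy or server access log that records URLs, which is one more reason to restrict the key to the CardDAV API as the post suggests.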

Hi, yes, OAuth2 authentication is still working and, per the documentation, it is the only accepted authentication mechanism for the CardDAV API. I think it has been officially for a while, though basic auth continued to work. Therefore I am also not sure if the API key authentication is intended to work for this API.

Looks like Google fixed it; basic auth works again (without the API key).

radabo commented

Hi, has Google changed the API again? I have had issues syncing contacts for the last few days :-/

bohumir@MP14 revisio % curl -X PROPFIND -u username -D - https://www.googleapis.com/.well-known/carddav?key=xxx
zsh: no matches found: https://www.googleapis.com/.well-known/carddav?key=xxx

Yes looks like they disabled basic auth. OAuth still works fine.
See also #451

gurnec commented

Just an FYI for anyone subscribed to this issue— Google's CardDAV endpoint has started working again with basic auth, who knows for how long though.