I have created credentials in the Google developer console:
- one API key and assigned blogspot API to the key
- one OAuth client (consent screen configured)
The OAuth client is in test mode (not verified yet), but I added some test emails.
I could successfully retrieve an access token with the authorization code grant flow, using an authorization URL that looks like this (client id, redirect_uri changed):
https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&client_id=1234&redirect_uri=https%3A%2F%example.com%3A4430%2Fauth%2Fgoogle%2Fcallback&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fblogger&state=abcd1234&prompt=consent
Most importantly:
- scopes = https://www.googleapis.com/auth/userinfo.email and https://www.googleapis.com/auth/blogger
- prompt=consent
I get this from the token endpoint:
{
  "access_token": "***",
  "refresh_token": "****",
  "expires_in": 3108,
  "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/blogger openid",
  "token_type": "Bearer",
  "id_token": "***"
}
It seems that the blogger scope is assigned to the token.
Next, I try to POST to https://www.googleapis.com/blogger/v3/blogs//posts?key=<MY_APPLICATION_KEY> as it is documented here https://developers.google.com/blogger/docs/3.0/using#AddingAPost and I get this response:
{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "errors": [
      {
        "message": "The caller does not have permission",
        "domain": "global",
        "reason": "forbidden"
      }
    ],
    "status": "PERMISSION_DENIED"
  }
}
Most importantly:
- the MY_APPLICATION_KEY matches my test application’s key
- BLOGID belongs to a blog that is owned by the authenticated user
- the same authenticated user owns the (test) application
- the same authenticated user’s email address is added as a test user to the application
- the blogspot API was enabled on the application key
What am I missing?
Also, it is not clear to me who “the caller” is. Is it the application, or is it the authorized user? Or both? Anyway, if I try the same call without the key parameter then I get a different error:
{
  "error": {
    "code": 403,
    "message": "Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.",
    "errors": [
      {
        "message": "Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.",
        "domain": "global",
        "reason": "forbidden"
      }
    ],
    "status": "PERMISSION_DENIED"
  }
}
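An added example, not part of the original post: it builds (without sending) the Blogger v3 "add a post" request with both credentials attached, the access token in the Authorization header, which identifies the user who granted the blogger scope, and the API key in the key parameter, which identifies the project. The function names, blog id, token and key values are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request

BLOGGER_SCOPE = "https://www.googleapis.com/auth/blogger"

# Constructed sample shaped like the token endpoint response in the post.
SAMPLE_TOKEN = {
    "access_token": "ACCESS_TOKEN_PLACEHOLDER",
    "scope": "https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/blogger openid",
    "token_type": "Bearer",
}


def granted_scopes(token_response):
    """The token endpoint returns scopes as one space-separated string."""
    return set(token_response.get("scope", "").split())


def build_post_request(token_response, blog_id, title, content, api_key=None):
    """Build, without sending, a Blogger v3 'add a post' request."""
    if BLOGGER_SCOPE not in granted_scopes(token_response):
        raise PermissionError("token was not granted the blogger scope")
    if not blog_id:
        # Guard: an empty id would produce the path /blogs//posts/.
        raise ValueError("blog_id is empty")
    url = "https://www.googleapis.com/blogger/v3/blogs/%s/posts/" % (
        urllib.parse.quote(blog_id, safe=""))
    if api_key:
        url += "?" + urllib.parse.urlencode({"key": api_key})
    body = {"kind": "blogger#post", "blog": {"id": blog_id},
            "title": title, "content": content}
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST")
    # The access token travels in the Authorization header, not in the URL.
    req.add_header("Authorization", "%s %s" % (
        token_response["token_type"], token_response["access_token"]))
    req.add_header("Content-Type", "application/json")
    return req


if __name__ == "__main__":
    r = build_post_request(SAMPLE_TOKEN, "1234567890", "Title", "<p>Body</p>",
                           api_key="API_KEY_PLACEHOLDER")
    print(r.get_method(), r.full_url)
    print(sorted(r.headers))  # header names only, so no secret is printed
```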