Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested

[Planks]

Hi guys

I'm the creator/superadmin/superuser/owner of a google workspace domain. About six months ago I installed this project and successfully used it to batch remove particular users who had files shared to them.

I'm trying to use it again today and am having problems. No problems regenerating the the database with audit, however I'm getting the following problem when using unshare (stuff that looks like tokens replaced by x)

panic: error deleting permission: Delete "https://www.googleapis.com/drive/v3/files/xxxxxxxxxxxxxxxxxxxxxxx-IU/permissions/xxxxxxxxxxxxxxxxxxxxxx?alt=json&prettyPrint=false&supportsAllDrives=true": oauth2: cannot fetch token: 401 Unauthorized
Response: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}

I've not changed anything since I last used this project - is it possible there's been a breaking change on google's end that means there needs to be an update, or a new scope missing from one of the admin consoles?

Thanks in advance

[jgimenez]

You probably need https://www.googleapis.com/auth/drive or https://www.googleapis.com/auth/admin.directory.user scopes (or both).

[Planks]

Hey, thanks for the pointer. I added admin.directory.user (README.md only specifies admin.directory.user.readonly) so I now have four scopes

I also rebuilt credentials.json using a new key in case there'd been a breaking change there. Unfortunately the same error persists. Sometimes upon running the application two or three files do appear to have the permissions successfully revoked (see below) before the loop fails.

Assuming this is a file-specific failure rather than an actual scope failure, it'd be nice to be able to gracefully log the failure and advance onto the next file

XXXX@AndyLap:~/google-drive-audit# ./google-drive-audit unshare --domain XXXX.com --admin-email [email protected] --user [email protected]
2024/01/17 10:08:54 Delete permission: (id=XXXX permission-id=XXXX), owner=XXXX
2024/01/17 10:08:55 Delete permission: (id=XXXX permission-id=XXXX), owner=XXXX
Error: error deleting permission: Delete "https://www.googleapis.com/drive/v3/files/XXXX/permissions/XXXX?alt=json&prettyPrint=false&supportsAllDrives=true": oauth2: cannot fetch token: 401 Unauthorized
Response: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}

[Planks]

Just to follow up on this. I tried removing the two .readonly scopes in case they over-ride the non-readonly versions and saw no effect. So I believe there may have been a breaking change made on the google side requiring new or different permissions to run the same "remove permission" operations as before.