Google keep api responds with invalid scope when using documented scopes

Question

Above the issue

I am trying to fetch access token to read data from my own google account using vb.net window forms application . Am I missing anything?

Why should it open web browser for authorization? I just need to access my own data only.

Window form Code

Private Async Sub GetToken()
    Dim scopes As New List(Of String)
    scopes.Add(KeepService.Scope.Keep)

    Dim stream = New FileStream("file path.json", FileMode.Open)
    Dim _userCredentials As UserCredential = 
        Await Google.Apis.Auth.OAuth2.GoogleWebAuthorizationBroker.AuthorizeAsync(
        GoogleClientSecrets.Load(stream).Secrets, scopes, "user", System.Threading.CancellationToken.None)
End Sub

Error Details

Authorization Error Error 400: invalid_scope Some requested scopes cannot be shown: [https://www.googleapis.com/auth/keep]

Answer 1

If we check the documentation for Notes.list method you will notice that it states that you need to use one of the following scopes

I have tested it with the following C# code

 var credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(GoogleClientSecrets.FromFile(clientSecretJson).Secrets,
                new []{KeepService.ScopeConstants.KeepReadonly, KeepService.ScopeConstants.Keep},
                "userName",
                CancellationToken.None,
                new FileDataStore("credPath", true));
            
            
            var service = new KeepService(new BaseClientService.Initializer()
            {
                HttpClientInitializer = credential,
                ApplicationName = "Google Keep Oauth2 Authentication Sample"
            });

            var notes = await service.Notes.List().ExecuteAsync();

In both instances I get the following error message

As you can see from the error message this the library is passing the proper scope as documented. Its the Google keep api itself that is refusing the scope.

In my opinion this is a bug in the api and i have posted an issue on the issue tracker 210500028

Update 16-12-2021: google has verified this bug and are now investigating internally.

workspace

There is a note on this api. It appears that it may only work with Workspace domain accounts. I did test it with a normal Gmail account as well as with a Workspace domain account. The results were the same.

This API is an enterprise-only API used to create and manage the Keep notes within your domain, including resolving issues identified by CASB software.

Answer 2

I have provided support to issues with Keep API before as Admin's have regularly issues with this API.

Currently the Keep API uses: .../auth/keep and .../auth/keep.readonly scopes for OAuth. These scopes are not allowed on the consent screen. An application that requires Keep scopes can be authenticated if you as a Domain administrator pre approve the scope[s] for the application or by using a service account:

• Admin approval: You can authorize it by being a Super Administrator as Keep is an Enterprise only API. If it is a Marketplace app you can authorize it by allowlisting the client Id for Keep Scopes from the Admin console for your domain.
• Service Account: As an Administrator you can grant domain wide delegation to a service account and that service account issues calls impersonating the user, in this case your own account as that's what your goal is. This is an extremely privileged call given that the users don't explicitly need to authenticate themselves. When you use this authorization method you need to allow it on your Admin console.

Following any of the two methods above should allow you to use Keep API without running to the Invalid Scope error message.