I wanted to access some google api services:
- GDrive API
- Contact API
- User API
And Iām struggling with the oauth2 service account flow (you know that one: Google Oauth v2 is the description of the service account . For improvisation, you need to use "domain delegation of authority in the domain" in the Google Apps console, download the pk12 file matching file and activate api in the Google console project.
At the moment, I always get:
com.google.api.client.auth.oauth2.TokenResponseException: 401 Unauthorized at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105) at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:287) at com.google.api.client.auth.oauth2.TokenRequest.execute(TokenRequest.java:307) at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.executeRefreshToken(GoogleCredential.java:384) at com.google.api.client.auth.oauth2.Credential.refreshToken(Credential.java:489) at oauthsample.GDriveAPI.<init>(GDriveAPI.java:50) at oauthsample.GDriveAPI.main(GDriveAPI.java:85)
Here is my code:
HttpTransport httpTransport = new NetHttpTransport(); JacksonFactory jsonFactory = new JacksonFactory(); Set<String> scopes = new HashSet<String>(); scopes.add("https://www.google.com/m8/feeds"); GoogleCredential credential = new GoogleCredential.Builder() .setTransport(httpTransport) .setJsonFactory(JSON_FACTORY) .setServiceAccountId(" myserviceuser@xxxxxx.iam.account.com ") .setServiceAccountPrivateKeyFromP12File(new File("somep12key.p12")) .setServiceAccountScopes(scopes) .setServiceAccountUser(" my_user_name@gmail.com ") .build(); credential.refreshToken(); ContactsService service = new ContactsService("MYAPP"); service.getRequestFactory().setHeader("User-Agent", "MYAPP"); service.setHeader("GData-Version", "3.0"); service.setOAuth2Credentials(credential); URL feedUrl = new URL("https://www.google.com/m8/feeds/contacts/default/full"); ContactFeed resultFeed = service.getFeed(feedUrl, ContactFeed.class);
I was also greatly distorted through stackoverflow (I cannot list all the links and check the answers and solutions). But one question was never answered clearly - neither in googles documentaiont, nor on all stackoverflow columns:
- Are you really able to impersonate an account with a regular user user@gmail.com (I mean a regular gmail account without access to the specified administrator console in the chapter "Delegating domain permissions to the entire account service", and you have your own domain )
Some say yes, some say no. So what is the absolute truth?
As far as I understand when reading google documents: a service account can impersonate users only when you are responsible for your own domain and you need to have a google account with a registered domain. You can then access the admin console and provide access to the service account.
Thank you for your patience and for your time to respond.
Regards Matt
source share