Is it possible to access the Provisioning API with a service account?

My service account scopes are: https://apps-apis.google.com/a/feeds/user/ and DriveScope.DRIVE

I enabled the same scope in the "Third-Party OAuth Client Access Control" section in the domain settings for my service account ID.

I am using the Java client to initialize the API.

I create my credentials with the Google OAuth client using GoogleCredential.Builder:

    credBuilder.setTransport(HTTP_TRANSPORT)
        .setJsonFactory(JSON_FACTORY)
        .setServiceAccountId(config.serviceAccountId)
        .setServiceAccountPrivateKeyFromP12File(new File(config.keyFilePath))
        .setServiceAccountScopes(SCOPES)
        // Domain user the service account impersonates
        .setServiceAccountUser("admin.of.my@domain.com");

I am trying to resolve my api initialization request with

    userService = new UserService(config.repositoryId);
    userService.setOAuth2Credentials(oAuthCredentials);

where oAuthCredentials are my previously created service credentials.

With this configuration, I can access files and collections from Google Drive for any user in my domain. But I can't get a list of users of my domain with these credentials.

If I do not specify the user of the service account, it does not work either.

Here is the stack trace I get:

    com.google.gdata.util.ServiceForbiddenException: You are not authorized to access this API.
    <HTML>
    <HEAD>
    <TITLE>You are not authorized to access this API.</TITLE>
    </HEAD>
    <BODY BGCOLOR="#FFFFFF" TEXT="#000000">
    <H1>You are not authorized to access this API.</H1>
    <H2>Error 403</H2>
    </BODY>
    </HTML>
        at com.google.gdata.client.http.HttpGDataRequest.handleErrorResponse(HttpGDataRequest.java:605)
        at com.google.gdata.client.http.GoogleGDataRequest.handleErrorResponse(GoogleGDataRequest.java:564)
        at com.google.gdata.client.http.HttpGDataRequest.checkResponse(HttpGDataRequest.java:560)
        at com.google.gdata.client.http.HttpGDataRequest.execute(HttpGDataRequest.java:538)
        at com.google.gdata.client.http.GoogleGDataRequest.execute(GoogleGDataRequest.java:536)
        at com.google.gdata.client.Service.getFeed(Service.java:1135)
        at com.google.gdata.client.Service.getFeed(Service.java:998)
        at com.google.gdata.client.GoogleService.getFeed(GoogleService.java:645)
        at com.google.gdata.client.Service.getFeed(Service.java:1017)
        at com.google.gdata.client.appsforyourdomain.AppsForYourDomainService.getFeed(AppsForYourDomainService.java:137)
        at foo.bar.baz.eci.gdrive.service.BaseService$1.doTry(BaseService.java:125)
        at foo.bar.baz.eci.gdrive.service.BaseService$1.doTry(BaseService.java:1)
        at foo.bar.baz.eci.gdrive.service.backoff.BackoffRequest.execute(BackoffRequest.java:50)
        at foo.bar.baz.eci.gdrive.service.BaseService.getFeedWithBackoff(BaseService.java:129)
        at foo.bar.baz.eci.gdrive.service.BaseService.retrieveAllEntries(BaseService.java:90)
        at foo.bar.baz.eci.gdrive.service.GappsUserService.getAllUserFeed(GappsUserService.java:57)
        at foo.bar.baz.eci.gdrive.GdriveContentProviderFactory.doDiscover(GdriveContentProviderFactory.java:67)
        ... 19 more

And the entry from the lib client:

    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setPrivateHeader PLUS FIN: Authorization: <Not Logged>
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setPrivateHeader PLUS FIN: Authorization: <Not Logged>
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setPrivateHeader PLUS FIN: Authorization: <Not Logged>
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader PLUS FIN: User-Agent: gdocsRepo GData-Java/1.47.1(gzip)
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader PLUS FIN: User-Agent: gdocsRepo GData-Java/1.47.1(gzip)
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader PLUS FIN: User-Agent: gdocsRepo GData-Java/1.47.1(gzip)
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader PLUS FIN: Accept-Encoding: gzip
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader PLUS FIN: Accept-Encoding: gzip
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader PLUS FIN: Accept-Encoding: gzip
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader PLUS FIN: GData-Version: 1.0
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader PLUS FIN: GData-Version: 1.0
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader PLUS FIN: GData-Version: 1.0
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute FIN: 403 You are not authorized to access this API.
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute FIN: 403 You are not authorized to access this API.
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute FIN: 403 You are not authorized to access this API.
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Content-Encoding: gzip
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Content-Encoding: gzip
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Content-Encoding: gzip
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Content-Length: 151
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Content-Length: 151
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Content-Length: 151
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: null: HTTP/1.1 403 You are not authorized to access this API.
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: null: HTTP/1.1 403 You are not authorized to access this API.
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: null: HTTP/1.1 403 You are not authorized to access this API.
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Expires: Wed, 21 Nov 2012 14:17:37 GMT
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Expires: Wed, 21 Nov 2012 14:17:37 GMT
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Expires: Wed, 21 Nov 2012 14:17:37 GMT
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: X-XSS-Protection: 1; mode=block
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: X-XSS-Protection: 1; mode=block
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: X-XSS-Protection: 1; mode=block
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: X-Frame-Options: SAMEORIGIN
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: X-Frame-Options: SAMEORIGIN
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: X-Frame-Options: SAMEORIGIN
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Date: Wed, 21 Nov 2012 14:17:37 GMT
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Date: Wed, 21 Nov 2012 14:17:37 GMT
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Date: Wed, 21 Nov 2012 14:17:37 GMT
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Content-Type: text/html; charset=UTF-8
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Content-Type: text/html; charset=UTF-8
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Content-Type: text/html; charset=UTF-8
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Server: GSE
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Server: GSE
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Server: GSE
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: X-Content-Type-Options: nosniff
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: X-Content-Type-Options: nosniff
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: X-Content-Type-Options: nosniff
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Cache-Control: private, max-age=0
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Cache-Control: private, max-age=0
    21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute PLUS FIN: Cache-Control: private, max-age=0
+4
2 answers

After investigation, it seems that the 403 error occurs if the account set in .setServiceAccountUser("admin.of.my@domain.com") is not a "super administrator" of the domain.

However, in the case above, "admin.of.my@domain.com" is indeed a super administrator of the domain. Also, the code works well with any other domain administrator, which suggests that something is wrong with the "admin.of.my@domain.com" account in particular.

If this happens to anyone else - for example, with an account set up as a "Super Admin" that does not work to access Admins APIs only through service accounts - make sure you let us know in the comments below, and we will further investigate if this affects a lot of people.

+1

Development APIs have been deprecated since May 15, 2013. They have introduced a new set of APIs called directory APIs that solve your problem.

0
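As an added example (not code from the question or either answer), this is how the same service-account credential can list domain users through the Directory API with a read-only scope instead of the Provisioning feed. The class name, the placeholder constants and the `com.google.api.services.admin.directory` package path are assumptions; the package path differs between releases of the Directory client library, and the scope must be authorized for the service account's client ID in the domain settings.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.DirectoryScopes;
import com.google.api.services.admin.directory.model.User;
import com.google.api.services.admin.directory.model.Users;
import java.io.File;
import java.util.Collections;

public class ListDomainUsers {  // hypothetical class name
    // Placeholders (assumptions): replace with your own values.
    static final String SERVICE_ACCOUNT_ID = "SERVICE_ACCOUNT_ID_PLACEHOLDER";
    static final String KEY_FILE = "/path/to/key.p12";
    static final String ADMIN_USER = "admin.of.my@domain.com";
    static final String DOMAIN = "domain.com";

    public static void main(String[] args) throws Exception {
        HttpTransport transport = GoogleNetHttpTransport.newTrustedTransport();
        JsonFactory json = JacksonFactory.getDefaultInstance();

        GoogleCredential credential = new GoogleCredential.Builder()
            .setTransport(transport)
            .setJsonFactory(json)
            .setServiceAccountId(SERVICE_ACCOUNT_ID)
            .setServiceAccountPrivateKeyFromP12File(new File(KEY_FILE))
            // Least privilege: request only read access to user records.
            .setServiceAccountScopes(Collections.singleton(DirectoryScopes.ADMIN_DIRECTORY_USER_READONLY))
            // Impersonated administrator; the first answer reports a 403 when this is not a super administrator.
            .setServiceAccountUser(ADMIN_USER)
            .build();
        Directory directory = new Directory.Builder(transport, json, credential)
            .setApplicationName("gdocsRepo")
            .build();
        String pageToken = null;
        do {  // Follow nextPageToken until the whole domain has been listed.
            Users page = directory.users().list()
                .setDomain(DOMAIN).setMaxResults(100).setPageToken(pageToken).execute();
            if (page.getUsers() != null) {  // getUsers() is null for an empty page
                for (User u : page.getUsers()) {
                    System.out.println(u.getPrimaryEmail());
                }
            }
            pageToken = page.getNextPageToken();
        } while (pageToken != null);
    }
}
```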

Source: https://habr.com/ru/post/1440539/

