Google Directory API: 403 when retrieving user information with service account

This is likely related to "Google Directory API returns 403 for user_list with showDeleted=true", but I am unfortunately unable to comment yet, and I don't have an answer to offer.

I received a service account from a school's G Suite with the permission

https://www.googleapis.com/auth/admin.directory.user.readonly

The G Suite admin indicated he has delegated domain-wide authority to the account, and I'm able to create the service account JWT and retrieve the access token to call the APIs using the HTTP/REST flow. However, when I call the user get endpoint to request information about an account -

https://www.googleapis.com/admin/directory/v1/users/redacted%40redacted.com?projection=full

I receive the following:

The remote server returned an error: (403) Forbidden.
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "forbidden",
        "message": "Not Authorized to access this resource/api"
      }
    ],
    "code": 403,
    "message": "Not Authorized to access this resource/api"
  }
}

I don't have access to their G Suite admin panel so I'm unable to poke around myself, but the admin has confirmed that our client has access to the admin.directory.user.readonly permission everywhere he can find, and we are in a role that has domain-wide access, as noted above. I'm open to suggestions for places the admin might be missing an assigned permission, or anything I might be missing in my approach (though the JWT build/sign and access token retrieval appear to be working as expected). If there's any other useful information I can provide please let me know and I'll update.

UPDATE: The permissions on the account appear to be correct - I was able to retrieve information from users/get in the API Explorer. However, the API Explorer is using the URL

https://www.googleapis.com/admin/directory/v1/users/redacted%40redacted.com?projection=full&key={YOUR_API_KEY}

and I can't find any documentation on the key parameter, either in the Service Account or users/get documentation. I'm including the access_token as a Bearer token in the authentication header as defined in the specs, and when I tried sending it as the key querystring parameter I still received the same 403 error documented above. There's a similar question on Stack (Google API Client users().get(userKey='[email protected]') returns Not Authorized to access this resource/api) with no answer.

Matt Wester asked Oct 04 '17 16:10


1 Answer

I haven't played around with the Admin SDK, but I recommend checking "Perform G Suite Domain-Wide Delegation of Authority", as it focuses on the use of a service account.

Delegate domain-wide authority to your service account

The service account that you created needs to be granted access to the G Suite domain’s user data that you want to access. The following tasks have to be performed by an administrator of the G Suite domain:

  1. Go to your G Suite domain’s Admin console.
  2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
  3. Select Advanced settings from the list of options.
  4. Select Manage API client access in the Authentication section.
  5. In the Client name field enter the service account's Client ID.
  6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to (see image below). For example if you need domain-wide access to Users and Groups enter: https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group
  7. Click the Authorize button.

Your service account now has domain-wide access to the Google Admin SDK Directory API for all the users of your domain. You are ready to instantiate an authorized Admin SDK Directory service object on behalf of your G Suite domain's users.

noogui answered Nov 11 '22 05:11
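The question describes building a service-account JWT by hand and exchanging it for an access token, and the answer covers the admin-side authorization of the client ID and scopes. The other half of Google's domain-wide delegation flow is on the client side: per Google's server-to-server OAuth documentation, the JWT claim set must carry a `sub` claim naming the domain user (normally an admin) the service account impersonates, and the `scope` claim must list exactly the scopes the admin authorized. The following is an added example, not code from the question or the answer, that assembles such an assertion and lints a finished one for the claims the delegation flow depends on. The service-account address, the impersonated admin address, the throwaway RSA key and the stand-in signature used in the self-check are all constructed here; the token endpoint, grant type and scope URL are Google's published values. The linter decodes without verifying the signature, so it only tells you what the claim set says, not whether the key is valid.

```python
"""Build and sanity-check a Google service-account JWT assertion used for
domain-wide delegation.  Added example; not the poster's or Google's code."""
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_URI = "https://oauth2.googleapis.com/token"                 # Google's token endpoint
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"        # RFC 7523 grant type
DIRECTORY_READONLY = "https://www.googleapis.com/auth/admin.directory.user.readonly"


def b64url(raw: bytes) -> str:
    """Unpadded base64url, as JWT segments require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def build_claims(client_email, scopes, subject, now=None, lifetime=3600):
    """Claim set per Google's server-to-server OAuth docs.  `subject` is the
    domain user to impersonate; without `sub` the token is a plain
    service-account token and the admin-side delegation grant is not used."""
    now = int(time.time()) if now is None else int(now)
    claims = {"iss": client_email, "scope": " ".join(scopes), "aud": TOKEN_URI,
              "iat": now, "exp": now + lifetime}
    if subject:
        claims["sub"] = subject
    return claims


def encode_assertion(claims, signer, key_id=None):
    """header.payload.signature; `signer` maps bytes -> raw RS256 signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    if key_id:
        header["kid"] = key_id
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    return f"{signing_input}.{b64url(signer(signing_input.encode()))}"


def rs256_signer(private_key_pem: bytes):
    """RS256 signer backed by the `cryptography` package (imported lazily so
    the rest of this file works without it).  The PEM is the `private_key`
    field of the service-account JSON file."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def token_request_body(assertion: str) -> str:
    """Form body for POST https://oauth2.googleapis.com/token."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion})


def decode_claims(assertion: str):
    """Split and decode header and claims WITHOUT verifying the signature."""
    header_b64, payload_b64, _sig = assertion.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def lint_assertion(assertion, required_scope, now=None):
    """Return the claim-set problems that stop delegation from applying."""
    now = int(time.time()) if now is None else int(now)
    header, claims = decode_claims(assertion)
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg must be RS256")
    if claims.get("aud") != TOKEN_URI:
        problems.append("aud must be " + TOKEN_URI)
    if "sub" not in claims:
        problems.append("missing sub: not impersonating a domain user")
    if required_scope not in claims.get("scope", "").split():
        problems.append("scope does not include " + required_scope)
    if claims.get("exp", 0) <= now:
        problems.append("assertion expired")
    if claims.get("exp", 0) - claims.get("iat", 0) > 3600:
        problems.append("lifetime exceeds 1 hour")
    return problems


if __name__ == "__main__":
    try:
        from cryptography.hazmat.primitives import serialization
        from cryptography.hazmat.primitives.asymmetric import rsa
        # Throwaway key standing in for the real service-account key (constructed).
        pem = rsa.generate_private_key(public_exponent=65537, key_size=2048).private_bytes(
            serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
            serialization.NoEncryption())
        signer = rs256_signer(pem)
    except ImportError:
        signer = lambda data: b"unsigned"   # lint still works on the claim set
    # Constructed addresses; replace with the client_email from the key file
    # and an admin in the delegating G Suite domain.
    claims = build_claims("svc@proj.iam.gserviceaccount.com", [DIRECTORY_READONLY],
                          "admin@example.com")
    assertion = encode_assertion(claims, signer)
    print("problems:", lint_assertion(assertion, DIRECTORY_READONLY))
    print(token_request_body(assertion)[:72] + "...")
```

Run the linter on the exact assertion string your code posts to the token endpoint, not on the claims you think you built; the scope string must match what the admin entered in "Manage API client access" word for word, and the `sub` address must be a real user in the delegating domain.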