
Receiving Insufficient Permission error from DirectoryService

I am trying to set up C# code to manage our Google domain.

I am receiving this error whenever I call service.Users.List() or any other method from the DirectoryService API.

Google.Apis.Requests.RequestError

Insufficient Permission [403]

Errors [

    Message[Insufficient Permission] Location[ - ] Reason[insufficientPermissions] Domain[global]

]

I followed all the instructions on the OAuth setup. The account I am using is a domain admin.

The client secrets file I am using works fine when I use it with GAM.exe to do the same operations. This is leading me to believe that I am doing something wrong in my code.

Below is my code for querying users, is there anything I am missing?

    using System.IO;
    using System.Threading;
    using Google.Apis.Admin.Directory.directory_v1;
    using Google.Apis.Auth.OAuth2;
    using Google.Apis.Services;

    class Program
    {
        static void Main(string[] args)
        {
            var applicationName = "App Project Name";
            var userName = "[email protected]";
            var clientID = "clientIDfromAPIcredentialpageonconsole.developers.google.com";

            UserCredential credential;

            // Load the OAuth client secrets and run the installed-app authorization flow.
            using (var stream = new FileStream("C:\\gam\\client_secrets.json", FileMode.Open, FileAccess.Read))
            {
                credential = GoogleWebAuthorizationBroker.AuthorizeAsync(
                    GoogleClientSecrets.Load(stream).Secrets,
                    new[] { DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser },
                    userName,
                    CancellationToken.None, null).Result;
            }

            // Build the Directory API client on top of the authorized credential.
            var service = new DirectoryService(new BaseClientService.Initializer()
                {
                    ApplicationName = applicationName,
                    HttpClientInitializer = credential
                });

            var list = service.Users.List();

            var users = list.Execute();
        }
    }
VaultBoy14 asked Apr 29 '15 19:04


2 Answers

2 options:

  1. You didn't include the right Scope. Are you sure that DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser are enough?
  2. Did you enable the API in the Console? More information is available at: https://developers.google.com/api-client-library/dotnet/get_started#auth. Look for your project in https://console.cloud.google.com/project and make sure that you enabled the Directory Admin API.

Please update this thread if one of these options worked or something else is still missing for you.

peleyal answered Nov 11 '22 16:11


Scopes

It appears that you are trying this Quickstart:

  • .NET Quickstart for Directory API

However, the scope(s) used in that tutorial are:

    new [] { DirectoryService.Scope.AdminDirectoryUserReadonly };

However, in the code you posted you have:

    new[] { DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser },

Tokens

After you change your scopes (shown above), you may have to delete your OAuth2 token, and then re-authorize access for your application. (Unless you haven't done the "authorize access" step yet.)


\token.json\Google.Apis.Auth.OAuth2.Responses.TokenResponse-user

Enable APIs

Also, as I think you already discovered, enabling the Directory API is a different process than enabling the Gmail API (and found at different URLs).

Enable Directory API


Enable Gmail API


JohnB answered Nov 11 '22 17:11
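The scope and token points from the answers above, combined into one program. This is an added example, not code from the question or from either answerer. It assumes `client_secrets.json` sits in the working directory, uses the `token.json` cache folder named in the second answer, a constructed cache key `"user"`, and the Directory API's `my_customer` alias.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;
using Google.Apis.Util.Store;

class ListUsersLeastPrivilege
{
    // Read-only scope from the quickstart: the narrowest grant that allows Users.List().
    static readonly string[] Scopes = { DirectoryService.Scope.AdminDirectoryUserReadonly };

    // True when every requested scope appears in the space-delimited granted list.
    static bool Covers(string granted, string[] requested)
    {
        var have = (granted ?? "").Split(' ');
        return requested.All(s => have.Contains(s));
    }

    static async Task Main()
    {
        // Assumption: a dedicated cache folder, so a token written by another tool is never reused.
        var store = new FileDataStore("token.json", true);
        ClientSecrets secrets;
        using (var stream = new FileStream("client_secrets.json", FileMode.Open, FileAccess.Read))
            secrets = GoogleClientSecrets.Load(stream).Secrets;
        var credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(
            secrets, Scopes, "user", CancellationToken.None, store);
        // A token cached earlier still carries the scopes it was issued with.
        if (!Covers(credential.Token.Scope, Scopes))
        {
            await store.ClearAsync(); // drop the stale token, then prompt for consent again
            credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(
                secrets, Scopes, "user", CancellationToken.None, store);
        }
        var service = new DirectoryService(new BaseClientService.Initializer
        {
            ApplicationName = "App Project Name",
            HttpClientInitializer = credential
        });
        var list = service.Users.List();
        list.Customer = "my_customer"; // users.list needs a customer or a domain
        var users = list.Execute().UsersValue;
        if (users != null)
            foreach (var u in users) Console.WriteLine(u.PrimaryEmail);
    }
}
```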