1

Most of the Google Management APIs seem to have been enabled for Service Accounts. For example, I can retrieve calendars like so:

```csharp
// Build the scope URL from the generated Scopes enum member name.
string scope = Google.Apis.Calendar.v3.CalendarService.Scopes.Calendar.ToString().ToLower();
string scope_url = "https://www.googleapis.com/auth/" + scope;
string client_id = "999...@developer.gserviceaccount.com";
string key_file = @"\path\to\my-privatekey.p12";
string key_pass = "notasecret";

// Load the service account's private key from the .p12 file.
AuthorizationServerDescription desc = GoogleAuthenticationServer.Description;
X509Certificate2 key = new X509Certificate2(key_file, key_pass, X509KeyStorageFlags.Exportable);

// Assertion flow: the client signs a request for the given scope with the key.
AssertionFlowClient client = new AssertionFlowClient(desc, key) { ServiceAccountId = client_id, Scope = scope_url };
OAuth2Authenticator<AssertionFlowClient> auth = new OAuth2Authenticator<AssertionFlowClient>(client, AssertionFlowClient.GetState);

// Use the authenticator with the Calendar service.
CalendarService service = new CalendarService(auth);
var x = service.Calendars.Get("calendarID@mydomain.com").Fetch();
```

However, identical code on the GroupssettingsService returns a 503 - Server Not Available. Does that mean service accounts can't be used with that API?

In a possibly related issue, the scope of the Groups Settings Service seems to be apps.groups.settings but if you call

```csharp
GroupssettingsService.Scopes.AppsGroupsSettings.ToString().ToLower();
```

...you get appsgroupssettings instead, without the embedded periods.

Is there another method to use service accounts for the GroupssettingsService? Or any information on the correct scope string?

Many thanks.

Jay Lee
Graham Charles
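As an added example (not code from the question or from Google's client library), this sketch builds the signed JWT that a service-account assertion flow sends to the token endpoint, and shows where the scope string ends up and how the enum-name-derived form differs from the dotted one. The local `Scopes` enum, the in-process throwaway RSA key, and the `aud` token endpoint URL are assumptions for illustration; it needs a .NET runtime that includes `System.Text.Json`.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

static class ServiceAccountAssertionDemo
{
    // Hypothetical stand-in for a generated Scopes enum: member names cannot contain periods.
    enum Scopes { AppsGroupsSettings }

    const string ScopePrefix = "https://www.googleapis.com/auth/";

    static string B64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Builds the signed JWT sent as the "assertion" parameter with
    // grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer.
    static string BuildAssertion(RSA key, string issuer, string scopeUrl, DateTimeOffset now)
    {
        var header = new Dictionary<string, object> { ["alg"] = "RS256", ["typ"] = "JWT" };
        var claims = new Dictionary<string, object>
        {
            ["iss"] = issuer,                                // service account e-mail
            ["scope"] = scopeUrl,                            // must match the API's scope exactly
            ["aud"] = "https://oauth2.googleapis.com/token", // assumed token endpoint
            ["iat"] = now.ToUnixTimeSeconds(),
            ["exp"] = now.AddHours(1).ToUnixTimeSeconds()
        };
        string signingInput = B64Url(JsonSerializer.SerializeToUtf8Bytes(header)) + "." +
                              B64Url(JsonSerializer.SerializeToUtf8Bytes(claims));
        byte[] sig = key.SignData(Encoding.ASCII.GetBytes(signingInput),
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return signingInput + "." + B64Url(sig);
    }

    static void Main()
    {
        // Name-derived scope (the question's approach) versus the literal dotted scope.
        string derived = ScopePrefix + Scopes.AppsGroupsSettings.ToString().ToLower();
        string literal = ScopePrefix + "apps.groups.settings";
        Console.WriteLine($"derived: {derived}\nliteral: {literal}");

        // Constructed throwaway key; a real client loads the service account's .p12 instead.
        using RSA key = RSA.Create(2048);
        Console.WriteLine(BuildAssertion(key, "999...@developer.gserviceaccount.com",
                                         literal, DateTimeOffset.UtcNow));
    }
}
```

The derived string prints as `https://www.googleapis.com/auth/appsgroupssettings`, so a client that builds scopes from enum names requests a different scope than the dotted `apps.groups.settings`.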

2 Answers

1

Why do you need to use a service account for this? You can use regular OAuth 2.0 authorization flows to get an authorization token from a Google Apps super admin user and use that:

https://developers.google.com/accounts/docs/OAuth2InstalledApp

Jay Lee
  • Well, for the same reason you'd ever want a service account -- to allow a trusted backend application to make updates using stored credentials elevated past the user's level. In this case, some non-superusers can define e-mail groups; the app uses the GData Groups API to create and populate the group. Ideally, it would use the Groupssettings API to make certain policy settings (moderation, for example) that I don't want the users to be able to turn off. – Graham Charles Dec 11 '12 at 07:02
  • You can simply create a real Google Apps user to be used as a service account alone. That of course means $50/year but that shouldn't be too bad considering. The user needs to be a super admin but the OAuth2 token would only be scoped to the Groups Settings API so access is minimal. – Jay Lee Dec 11 '12 at 13:07
  • Free for us (Education), but that would still entail a 3-legged authorization. Unless I'm mistaken (and I'd be happy to be), "service accounts" are how the new Google Apps APIs accommodate 2-legged authorization. So I wrote 2LO access code, but this particular API (Groupssettings) seems to filter those requests out. – Graham Charles Dec 12 '12 at 06:45
  • Yes, it would be 3-legged OAuth but you'd just need to perform the Authentication once for the service account (which you control). Then your access token is good until manually revoked. 3-legged OAuth is how GAM authenticates and uses the Group Settings API (although it uses OAuth 1.0, working on an upgrade to 2.0) http://code.google.com/p/google-apps-manager/wiki/GroupSettingsExamples – Jay Lee Dec 12 '12 at 14:34
  • Hm. I didn't realize that was a valid flow; I would have expected the tokens to expire as usual. Well, I'll have a go. Thanks. – Graham Charles Dec 19 '12 at 23:20
  • The access token expires. The refresh token never expires though unless you explicitly revoke it. If you use the Google libraries you shouldn't even need to deal with refreshing the access token. – Jay Lee Dec 20 '12 at 03:13
1

I found this thread, and the most important part of the docs after some time. Posting so others don't waste their time in the future.

Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported. If your application uses Google Sign-In, some aspects of authorization are handled for you.

See the "About authorization protocols" section of the docs

snakesNbronies