I'm having trouble calling Google's new Directory API. I'm getting HTTP forbidden "Not Authorized to access this resource/api" all the time.

I'm using OAuth2 and a service account to access the Directory API. The OAuth ticket is requested for the following scopes:

"https://www.googleapis.com/auth/admin.directory.user" 
"https://www.googleapis.com/auth/admin.directory.group"
"https://www.googleapis.com/auth/admin.directory.orgunit"

The service account is owner of the API project and the Admin SDK service is enabled. If I don't provide a principal in the OAuth request I get an OAuth token but the request to the admin API fails.

If I provide a principal in the request for the OAuth ticket the ticket will not be granted even if the principal is an administrator.

Do I have to give the service account additional privileges to make it work or is there something I have missed? The same service account works fine for the calendar API.

Cœur
Tor Jonsson
  • Have you added the client ID of the service account under Manage third party OAuth Access? (the step is captured here: https://developers.google.com/drive/delegation#delegate_domain-wide_authority_to_your_service_account) – Emily Jun 06 '13 at 00:19
  • I am trying to achieve the said. Kindly provide more details on approach. [My problem is listed here](http://stackoverflow.com/questions/22172909/using-google-directory-api-to-fetch-all-users-in-a-domain) @Tor Jonsson – yomexzo Mar 04 '14 at 19:08

1 Answer

Have you assigned the ServiceAccountUser when initializing the authentication? I was having the same error before I set it to a domain manager account.

See this one.

Community
zhywu
  • Thanks for your help! It turned out that the authentication request failed because I also requested the https://www.googleapis.com/auth/admin.directory.user.readonly scope. Which was pointless. When I removed that scope everything works fine. – Tor Jonsson Jun 12 '13 at 14:33
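
A pre-flight check for the failure modes in this thread, as an added example that is not part of the original posts: it builds the claim set a service account signs for its token request and compares the requested scopes with the ones authorized for its client ID. The account names and the `DELEGATED` list are constructed, and the rule that a request naming a subject is refused when any requested scope is not authorized for the client ID is an assumption taken from the asker's last comment.

```python
import time

TOKEN_URL = "https://oauth2.googleapis.com/token"  # audience of the token request
BASE = "https://www.googleapis.com/auth/admin.directory."

def build_claims(sa_email, scopes, subject=None, now=None):
    """Claim set of the JWT a service account signs to request an access token."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": sa_email,             # the service account itself
        "scope": " ".join(scopes),   # space-delimited scope list
        "aud": TOKEN_URL,
        "iat": now,
        "exp": now + 3600,           # one hour lifetime
    }
    if subject:
        claims["sub"] = subject      # domain user to act as (the "principal")
    return claims

def redundant_scopes(scopes):
    """Read-only scopes requested alongside their read-write counterpart."""
    s = set(scopes)
    return sorted(x for x in s
                  if x.endswith(".readonly") and x[:-len(".readonly")] in s)

def preflight(claims, delegated_scopes):
    """Return (status, offending_scopes) for a planned token request."""
    requested = set(claims["scope"].split())
    if "sub" not in claims:
        # Token would be issued for the service account, which is not a
        # domain administrator: the Directory API call is expected to get 403.
        return ("no_subject", [])
    missing = sorted(requested - set(delegated_scopes))
    if missing:
        # Assumption from the thread: one unauthorized scope fails the grant.
        return ("scope_not_delegated", missing)
    return ("ok", [])

# Constructed sample values, not taken from the page.
SA_EMAIL = "example-sa@example-project.iam.gserviceaccount.com"
ADMIN = "admin@example.com"
DELEGATED = [BASE + "user", BASE + "group", BASE + "orgunit"]

if __name__ == "__main__":
    for subject, extra in [(None, []), (ADMIN, [BASE + "user.readonly"]), (ADMIN, [])]:
        scopes = DELEGATED + extra
        claims = build_claims(SA_EMAIL, scopes, subject)
        print(subject, preflight(claims, DELEGATED), redundant_scopes(scopes))
```

Keeping the requested scope list identical to the list authorized for the client ID, with no redundant read-only entries, is also the least-privilege configuration to audit against.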