4

Does Directory API support authentication with the OAuth2 Service Accounts flow?

I tested the serviceAccount.php google-php-api-client example using the scopes https://www.googleapis.com/auth/admin.directory.group and https://www.googleapis.com/auth/admin.directory.user and it didn't work.

luissquall
  • Can you tell us what are the exact errors you get? Access not configured? or Access denied? – Emily Jun 06 '13 at 00:21
  • I'm doing something like this: https://gist.github.com/luissquall/5732977. Client id, service account name, key file and services work fine with Prediction API. I get error "Not Authorized to access this resource/api". The account I used to create the API project has admin permissions over the Google Apps domain and the Admin SDK service is on. – luissquall Jun 07 '13 at 23:25
  • Hey Luissquall, would you try adding the parameter ?key=[your API access key in API console] in your HTTP request and see if it works? – Emily Jun 11 '13 at 02:57
  • Additionally, have you tried downloading the PHP client library for Admin sdk (https://developers.google.com/resources/api-libraries/download/admin/directory_v1/php) <- the link in the documentation isn't working at the moment, but you can use this temporary link to download it for now. – Emily Jun 11 '13 at 03:15
  • The link is broken. I got a 404 error. – luissquall Jun 11 '13 at 03:21
  • Adding key param didn't work. Requests to Drive API using the same service account client ID worked fine but not for Admin SDK. – luissquall Jun 11 '13 at 03:32
  • Does the account you use have super admin access? I don't think delegated admin works... – Emily Jun 11 '13 at 16:30
  • Yes. 3-legged OAuth works using that account. – luissquall Jun 11 '13 at 16:46
  • I think something is missing here: `setAssertionCredentials(new Google_AssertionCredentials(SERVICE_ACCOUNT_NAME, array('https://www.googleapis.com/auth/admin.directory.user', 'https://www.googleapis.com/auth/admin.directory.group'), $key))`. In order for my service account to work, I have an extra parameter for which actual user account I am impersonating. Can you add sub 'the admin account email address' in the setAssertionCredentials function (https://code.google.com/p/google-api-php-client/source/browse/trunk/src/auth/Google_AssertionCredentials.php)? – Emily Jun 11 '13 at 17:01
  • I have mine in Python and it should look like this: `credentials = SignedJwtAssertionCredentials(SERVICE_ACCOUNT_EMAIL, key, scope='https://www.googleapis.com/auth/admin.directory.user', sub='admin@mydomain.com')` – Emily Jun 11 '13 at 17:03
  • That was it! Thank you very much for your help. I was following the Prediction API example, Drive API example includes that setting. Have a nice day. – luissquall Jun 11 '13 at 17:34
  • :) yay! glad to hear that! – Emily Jun 11 '13 at 22:59
  • Awesome! Emily's directions helped me a lot. In the **JAVA** case: `GoogleCredential.setServiceAccountUser()` -- for impersonating; Also, check out that you have granted the right scopes to your service account as described here: [link](https://developers.google.com/drive/delegation#delegate_domain-wide_authority_to_your_service_account) – averasko Dec 14 '13 at 22:09

2 Answers

1

You need to authorize the service account client ID to access the given API scopes in the Google Apps Control Panel. See the step as described in the Drive API docs, just sub in your Admin SDK scopes.

Note that IMHO, there's very little advantage to using a Service Account with Directory/Reporting APIs as you still need to impersonate a user who has super admin (or proper delegated admin) roles in order to perform any API calls. To me it makes just as much sense to just get a 3-legged OAuth 2.0 refresh token which supports offline from the admin. 3-legged can be done entirely programmatically whereas Service Accounts require the manual step above.

Jay Lee
  • Works perfectly for Drive API but not for Admin SDK API. Have you made requests to any of these endpoints (group/user) with a service account client ID? Here's the test https://gist.github.com/luissquall/5752799 and the scopes http://f.cl.ly/items/3m3f341A0x2F050D1O0u/Screen%20Shot%202013-06-10%20at%204.47.07%20PM.png – luissquall Jun 10 '13 at 22:00
0

Short answer: Yes. @emilylam's comments on the question hint at the error.

luissquall
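The fix found in the comments (adding `sub`) comes down to one claim in the JWT assertion that the service account flow sends to the token endpoint. The following is an added example, not code from the thread or from any Google client library: it builds the unsigned part of such an assertion and audits a captured assertion for a missing `sub` when Admin SDK scopes are requested. The function names, the service account address and the admin address are assumptions made for illustration, and the signature segment is a constructed placeholder.

```python
import base64
import json
import time

TOKEN_URL = "https://oauth2.googleapis.com/token"  # "aud" for Google's token endpoint
ADMIN_SCOPE_PREFIX = "https://www.googleapis.com/auth/admin."


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_signing_input(service_account, scopes, subject=None, now=None):
    """Return '<header>.<claims>', the text that is then RS256-signed with the key file."""
    now = int(time.time()) if now is None else now
    claims = {"iss": service_account, "scope": " ".join(scopes),
              "aud": TOKEN_URL, "iat": now, "exp": now + 3600}
    if subject:
        claims["sub"] = subject  # the domain user the service account impersonates
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))


def audit_assertion(assertion: str) -> dict:
    """Decode the claim set (signature is not verified) and report on delegation."""
    parts = assertion.split(".")
    if len(parts) < 2:
        raise ValueError("not a JWT: expected header.claims[.signature]")
    claims = json.loads(b64url_decode(parts[1]))
    admin_scopes = [s for s in claims.get("scope", "").split()
                    if s.startswith(ADMIN_SCOPE_PREFIX)]
    findings = []
    if admin_scopes and not claims.get("sub"):
        findings.append("no 'sub' claim: calls with %s run as the service account, "
                        "not as an admin user" % ", ".join(admin_scopes))
    return {"impersonates": claims.get("sub"), "admin_scopes": admin_scopes,
            "findings": findings}


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    scopes = [ADMIN_SCOPE_PREFIX + "directory.user", ADMIN_SCOPE_PREFIX + "directory.group"]
    svc = "svc@example-project.iam.gserviceaccount.com"
    for subject in (None, "admin@example.com"):
        token = build_signing_input(svc, scopes, subject) + ".PLACEHOLDER_SIGNATURE"
        print(subject, audit_assertion(token)["findings"])
```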