0

I'm trying to authorize with google admin api and list mailing list users. I downloaded a key from api console and did:

require 'google/api_client'
client= Google::APIClient.new(application_name: "myapp", application_version: "0.1")
groups= client.discovered_api('admin', 'directory_v1')
key = Google::APIClient::PKCS12.load_key(Dir['*.p12'].first, 'notasecret')

client.authorization = Signet::OAuth2::Client.new(
  token_credential_uri: 'https://accounts.google.com/o/oauth2/token',
  audience: 'https://accounts.google.com/o/oauth2/token',
  scope: 'https://www.googleapis.com/auth/admin.directory.group.readonly',
  issuer: '123asdf@developer.gserviceaccount.com',
  signing_key: key)
client.authorization.fetch_access_token!

puts client.execute(api_method: groups.users.list, parameters: {}).body

I tried adding groupKey: "mygroup@googlegroups.com" I tried setting domain: "mysite.com" It always results in "insufficient permission"

What more do I have to do to to list users in a group?

nurettin
  • 11,090
  • 5
  • 65
  • 85

2 Answers2

2

Try something like:

require 'google/api_client'

## Email of the Service Account #
SERVICE_ACCOUNT_EMAIL = '<some-id>@developer.gserviceaccount.com'

## Email account of the Admin User ##
ADMIN_EMAIL = 'your-google-admin@yourdomain.com'

## Path to the Service Account's Private Key file #
SERVICE_ACCOUNT_PKCS12_FILE_PATH = '/path/to/<public_key_fingerprint>-privatekey.p12'

##
# Build an Admin SDK client instance authorized with the service account
# that acts on behalf of the given user.
#
# @param [String] user_email
#   The email of the user.
# @return [Google::APIClient]
#   Client instance
def build_client(user_email)
    key = Google::APIClient::PKCS12.load_key(SERVICE_ACCOUNT_PKCS12_FILE_PATH, 'notasecret')
    asserter = Google::APIClient::JWTAsserter.new(SERVICE_ACCOUNT_EMAIL,
        'https://www.googleapis.com/auth/admin.directory.group.readonly', key)
    client = Google::APIClient.new
    client.authorization = asserter.authorize(ADMIN_EMAIL)
    client
end

this is roughly adapted from the Google Drive Domain-Wide authorization document. When using Service Accounts with the Admin SDK Directory API, you still need to impersonate an admin user.

Jay Lee
  • 13,415
  • 3
  • 28
  • 59
  • I set ADMIN_EMAIL to the email I use to control the api console. The result was: ``fetch_access_token': Authorization failed. Server message: (Signet::AuthorizationError) { "error" : "invalid_grant" }` – nurettin Jul 19 '13 at 13:44
  • I only have Admin SDK and Group Settings enabled. (this is free tier) – nurettin Jul 19 '13 at 13:54
  • This probably will not work with Google Apps Standard/Free accounts. – Jay Lee Jul 22 '13 at 14:33
1

I've had the same problems. I've wrote an example gist which explains how to set it up:

https://gist.github.com/thomaswitt/7468182

Steps are:

  1. Go to Google Cloud Console (https://cloud.google.com/console)
  2. Create Service Account with P12 File
  3. Enable the Admin SDK in APIs.
  4. Create a Project
  5. Create a registered app within this project
  6. Go to section 'Certificate' and generate a key
  7. Download the JSON file as well
  8. Go to the Apps Console > Security > Extended > 3rdPartgy OAuth (https://admin.google.com/AdminHome?#OGX:ManageOauthClients)
  9. Add an API Client. Client name is value of client_id in the JSON file, API Scope is https://www.googleapis.com/auth/admin.directory.user.readonly
Thomas Witt
  • 2,559
  • 2
  • 12
  • 5