
I am trying to use the Admin SDK using the Java client. My requirement is for a server-side application to manage the users without the explicit consent of the end user. I have followed the following steps.

1. I have created a service account in the Google API console.
2. Added the service account to the third-party OAuth access section of the Google Apps admin console.
3. Added the scopes for user and user.readonly for the same.
4. Created a super admin to be used as the service account user.

I am using the Java client as follows. The same action is working in the API explorer using the service email to authenticate:

    import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
    import com.google.api.client.http.HttpTransport;
    import com.google.api.client.http.javanet.NetHttpTransport;
    import com.google.api.client.json.JsonFactory;
    import com.google.api.client.json.jackson2.JacksonFactory;
    import com.google.api.services.admin.directory.Directory;
    import com.google.api.services.admin.directory.DirectoryScopes;
    import com.google.api.services.admin.directory.model.Users;

    import java.io.File;
    import java.io.IOException;
    import java.security.GeneralSecurityException;

    public class GappsClient {
        public static void main(String[] args) {
            HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
            JsonFactory JSON_FACTORY = new JacksonFactory();
            GoogleCredential credential = null;
            try {
                // Service-account credential that impersonates a super admin
                // (domain-wide delegation). The P12 key is the one downloaded
                // from the API console for this service account.
                credential = new GoogleCredential.Builder()
                        .setTransport(HTTP_TRANSPORT)
                        .setJsonFactory(JSON_FACTORY)
                        .setServiceAccountId("xxx@developer.gserviceaccount.com")
                        .setServiceAccountScopes(DirectoryScopes.all())
                        .setServiceAccountPrivateKeyFromP12File(new File("/Users/xxx/Downloads/file-privatekey.p12"))
                        .setServiceAccountUser("xx@subdomain.domain.com")    // Super admin account
                        .build();
            } catch (GeneralSecurityException e) {
                e.printStackTrace();
            } catch (IOException e) {
                e.printStackTrace();
            }

            Directory directory = new Directory.Builder(HTTP_TRANSPORT, JSON_FACTORY, credential)
                    .setApplicationName("Sync Service")
                    .build();

            try {
                // List the users of one domain; the access token is requested
                // on the first execute(), which is where the 400 below is thrown.
                Directory.Users.List list = directory.users().list();
                list.setDomain("subdomain.domain.com");
                //list.setCustomer("xxx");
                Users users = list.execute();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }

I am getting the following error. Not sure why!

com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request
{
  "error" : "access_denied"
}
    at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105)
    at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:287)
    at com.google.api.client.auth.oauth2.TokenRequest.execute(TokenRequest.java:307)
    at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.executeRefreshToken(GoogleCredential.java:269)
    at com.google.api.client.auth.oauth2.Credential.refreshToken(Credential.java:489)
    at com.google.api.client.auth.oauth2.Credential.intercept(Credential.java:217)
    at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:858)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:410)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:343)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:460)
    at GappsClient.main(GappsClient.java:53)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)

Process finished with exit code 0
user1076371

2 Answers


Have you added the client ID of your service account to Manage Third Party OAuth Access in your Cpanel?

Emily
  • Yes. I have added the client ID, which is of the form xxxxx.apps.googleusercontent.com. I have added the following scopes to it: https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.user.readonly – user1076371 Oct 04 '13 at 09:34
  • Did you create the service account in API console using your super admin account? I think the service account inherited the rights of the super admin if the project is created using the super admin account. – Emily Oct 08 '13 at 17:31
  • Oh is it so? The service account was created using a different domain. The application I am working on is a multitenant app which is supposed to work on multiple domains unrelated to each other. In that case I won't be able to create multiple service accounts for each domain I am selling to. I thought the way it works is, once someone wants to use this app, the superadmin of that domain will go and add the service account we give in the 3rd party oauth access page of their domain. – user1076371 Oct 10 '13 at 05:14
  • Hey I take it back. I just did some testing, and it doesn't matter what accounts you used to create the service accounts. As long as the clientID is added to the Manage API client access page, it should work. Can you try to change the scope to this DirectoryScopes.ADMIN_DIRECTORY_USER? Additionally, I found a very similar thread that might give you some more insight as well http://stackoverflow.com/questions/18375978/google-directory-api-return-access-denied-when-call-groups-list-execute – Emily Oct 11 '13 at 21:50
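The token refresh in the trace (`GoogleCredential.executeRefreshToken`) sends a signed JWT assertion to Google's token endpoint, and `access_denied` comes back when its claims do not fit the delegation grant. The Python below is an added example, not code from the question or from Google's client: it builds an assertion shaped like the one the Java client sends and checks the three things this thread turns on, the impersonated `sub`, the requested scopes against the scopes authorized for the client ID (`DirectoryScopes.all()` asks for far more than the two scopes the asker delegated), and the one-hour lifetime cap. The addresses, the scope subset standing in for `DirectoryScopes.all()` and the signature segment are constructed.

```python
import base64
import json

# Scopes the domain admin authorized for the client ID under
# "Manage API client access", as stated in the question's comments.
DELEGATED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
}
# Constructed stand-in for DirectoryScopes.all(): a few of the Directory
# scopes the Java client would request, not the complete list.
ALL_DIRECTORY_SCOPES = DELEGATED_SCOPES | {
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.orgunit",
}

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(part):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_assertion(iss, sub, scopes, iat, lifetime=3600):
    """Build a JWT shaped like the one GoogleCredential posts to the token
    endpoint. The signature segment is a constructed placeholder; the
    checks below only inspect the claim set."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = {"iss": iss, "scope": " ".join(sorted(scopes)),
              "aud": "https://accounts.google.com/o/oauth2/token",
              "iat": iat, "exp": iat + lifetime}
    if sub:
        claims["sub"] = sub  # impersonated user, set by setServiceAccountUser()
    return ".".join([header, _b64url_encode(json.dumps(claims).encode()), "sig"])

def check_assertion(assertion, delegated_scopes):
    """Return the reasons this assertion would fail domain-wide delegation.
    An empty list means the claim set is consistent with the grant."""
    claims = json.loads(_b64url_decode(assertion.split(".")[1]))
    problems = []
    if "sub" not in claims:
        problems.append("no 'sub': setServiceAccountUser() was not called")
    unauthorized = set(claims.get("scope", "").split()) - delegated_scopes
    if unauthorized:
        problems.append("scopes not delegated to this client ID: "
                        + ", ".join(sorted(unauthorized)))
    if claims["exp"] - claims["iat"] > 3600:
        problems.append("assertion lifetime exceeds the one-hour maximum")
    return problems
```

Running `check_assertion` on an assertion built with `ALL_DIRECTORY_SCOPES` reports the group and orgunit scopes as undelegated, while one built with only `admin.directory.user` (Emily's suggested `DirectoryScopes.ADMIN_DIRECTORY_USER`) passes.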

I followed @Emily Lam's answer and formed a service account using the old Google API console, and I was able to get the expected result. Please let me know if anybody needs the detailed steps I followed. Follow the OAuth 2.0 client IDs part from the URL below: https://developers.google.com/console/help/#creatingdeletingprojects

  • Could you provide the detailed steps? I am facing the same problem and still haven't been able to figure out the solution... – Sardonic Jul 05 '16 at 18:37