0

I started with some sample code for App Engine from Google.

My app needs to use the Directory API and the Reports API from the Google Admin SDK.

I have created a project in the API Console and turned on the Admin SDK in Services.

I added the scopes (the same ones as used in the code below) to the "Manage API client access" section of Advanced Tools in my domain's Google cpanel.

The call to the Directory API works.

After that, the call to the Reports API fails with the error message:

"HttpError: https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?alt=json returned "Insufficient Permission">"

Thanks much for the assistance.

import webapp2
import os
from apiclient.discovery import build
from oauth2client.appengine import OAuth2Decorator
from oauth2client.appengine import OAuth2DecoratorFromClientSecrets
from apiclient import errors
import logging
import json

decorator = OAuth2DecoratorFromClientSecrets(
  os.path.join(os.path.dirname(__file__), 'client_secrets.json'),
  'https://www.googleapis.com/auth/admin.directory.user.readonly')

directoryauthdecorator = OAuth2Decorator(
    client_id='123.apps.googleusercontent.com',
    client_secret='456-abc',
    callback_path='/oauth2callback',
    scope='https://www.googleapis.com/auth/admin.directory.user.readonly '
          'https://www.googleapis.com/auth/admin.reports.audit.readonly '
          'https://www.googleapis.com/auth/admin.reports.usage.readonly'
)

class MainHandler(webapp2.RequestHandler):
    def get(self):
        self.response.write('Hello world!')

class OAuthHandler(webapp2.RequestHandler):
    @directoryauthdecorator.oauth_required
    def get(self):
        users = []

        # Get the authorized Http object created by the decorator.
        auth_http = directoryauthdecorator.http()

        # Get the directory service
        service = build("admin", "directory_v1", http=auth_http)

        result = []
        page_token = None
        while True:
            try:
                param = {}
                param['domain'] = 'mydomain.com'
                if page_token:
                    param['pageToken'] = page_token

                files = service.users().list(**param).execute()
                result.extend(files['users'])
                page_token = files.get('nextPageToken')
                if not page_token:
                    break
            except errors.HttpError, error:
                print 'An error occurred: %s' % error
                break


        users = []
        for user in result:
            logging.info(user['primaryEmail'])
            users.append(user['primaryEmail'])

        param = {}
        param['userKey'] = 'all'
        param['applicationName'] = 'admin'

        service = build('admin', 'reports_v1', http=auth_http)

        # this call fails with the 403 Insufficient Permissions error
        results = service.activities().list(**param).execute()
        logging.info(results)

app = webapp2.WSGIApplication([
    ('/', MainHandler),
    ('/users', OAuthHandler),
    (directoryauthdecorator.callback_path, directoryauthdecorator.callback_handler()),
], debug=True)
hayseed
  • 51
  • 8
  • 1
    A tip. Try to use the oauth playground (https://developers.google.com/oauthplayground/) to perform your desired tasks manually. Note the http requests. Now log the http requests from your app and play spot-the-difference. – pinoyyid Oct 17 '13 at 03:57

1 Answers1

0

I read this post and cleared the credentials from the datastore.

Hitting the /users url again I got the redirect_uri error message.

I went back to the API project, fixed the Redirect URIs, and downloaded the client_secrets.json file.

Now both calls work (one to Directory API, the other to Reports API).

Community
  • 1
  • 1
hayseed
  • 51
  • 8