3

I've been testing my authorization code and suddenly I started to get:

Not Authorized to access this resource/api [403]
Errors [
    Message[Not Authorized to access this resource/api] Location[ - ] Reason[forbidden] Domain[global]
]

I scratched my head and tried a few things but I didn't think I'd changed anything. Eventually I tried running it on a different machine. It worked without error.

I'm using v1.6 of the Google Directory API .NET Client. I've been working on this for a while. I had service authorization working and was working on client authorization when I experienced the issue. I'm currently getting the same error when I try authorizing with service creds. I'm not currently in a position to check if that process still works on the other machine.

Any ideas?

EDIT

I'm using the same ClientId on the two machines.

peleyal
  • 3,472
  • 1
  • 14
  • 25
Simon
  • 426
  • 4
  • 12
  • First place I would look at is the HTTP Headers. – Jim Pedid Dec 02 '13 at 07:45
  • Check that https://cloud.google.com/console/?api=admin (Admin SDK) is enabled – peleyal Dec 02 '13 at 15:14
  • It is. Strange: when I tried that URL, I got a 404 so I went to https://code.google.com/apis/console/ (which is what I've used previously) and it was redirected to cloud.google.com/console! – Simon Dec 02 '13 at 16:35
  • Could it be some throttling thing? Could I have hit an authorization threshold for that machine? – Simon Dec 02 '13 at 16:37
  • Can you please provide the exact code you are trying to run? Do you use some GoogleWebAuthorizationBroker? – peleyal Dec 03 '13 at 01:00

4 Answers4

3

I was getting a 403 error as well. I resolved it by correcting the permissions. I had the project setup into Google under xyz@company.com:

  1. I had to login as our super user into Gmail
  2. search for user xyz
  3. I selected the user, then pressed Show more
  4. I clicked on 0 Admin roles and privileges
  5. enabled "User Management" since I was trying to pull a list of users

And the error went away.

Samvel Aleqsanyan
  • 2,812
  • 4
  • 20
  • 28
A Ruffian
  • 31
  • 1
  • 1
    If you're using a Google service account with domain-wide delegation, logon as a super admin and assign the service account to the User Management role. – ewilan Oct 08 '21 at 18:30
2

Someone had taken my account out of the Admin role. The reason it worked on the other machine was I'd logged in with a different admin account that hadn't been 'house-kept'. The names only differ by one character and I hadn't noticed.

Samvel Aleqsanyan
  • 2,812
  • 4
  • 20
  • 28
Simon
  • 426
  • 4
  • 12
2

I came across this post when receiving the same error. I am not in an Admin role, but figured I should be able to see the basic User Profile since I can access it from Contacts. After a little more research I came across this good piece of information: https://developers.google.com/admin-sdk/directory/v1/guides/manage-users#retrieve_users_non_admin

In a nutshell, set viewType parameter to domain_public

Here's what that looks like in C# 

    var getRequest = directoryService.Users.Get(googleId);
    getRequest.ViewType = UsersResource.GetRequest.ViewTypeEnum.DomainPublic;  
    User directoryUser = getRequest.Execute();
Airn5475
  • 2,452
  • 29
  • 51
0

I came across this thread but none of the answers helped me... as it turns out I made a typo in the domain name of the group I was looking up... ‍♂️

GET https://admin.googleapis.com/admin/directory/v1/groups/gruop@sub.example.com
                                                             ^^
=> Error 404 "Resource Not Found: groupKey"

GET https://admin.googleapis.com/admin/directory/v1/groups/group@sbu.example.com
                                                                  ^^
=> Error 403 "Not Authorized to access this resource/api"

So if you get a 403 error, check to make sure it's not just a 404 error in disguise

Matthew
  • 1,300
  • 12
  • 30