0

I am trying (and failing) to use OAuth2 to make calls to the admin.directory.group scope via a command line script. I tried configuring a Service Account to do this, but get this error message:

Error calling GET https://www.googleapis.com/admin/directory/v1/groups/foo%40example.com: (403) Not Authorized to access this resource/api

I also tried using an "Installed" application type, taking the manual step of obtaining an authorization code and subsequently a refresh token, but got the same Not Authorized error.

I do have "Enable API access" checked, and also have "Admin SDK" enabled in my project (though oddly it doesn't list admin.directory.group as one of Admin SDK's scopes).

What am I doing wrong?

molecularbear
  • 131
  • 1
  • 7

2 Answers2

1

Have you add the client ID in your Admin Console to grant Admin SDK third party client oauth access?

Here is an instruction on how to do that for task API:

https://developers.google.com/google-apps/help/articles/2lo-in-tasks-for-admins#manage

It should be similar for Admin SDK except you will have to put Admin SDK as the scope

Emily
  • 1,464
  • 1
  • 9
  • 12
  • I did try this but, but all that seems to apply to apply to OAuth1, not OAuth2. Is it not possible to use OAuth2 for this? – molecularbear Dec 25 '13 at 15:51
1

I finally got this to work using a service account. I did have to grant 3rd party access as Emily Lam suggested, but by a different means:

  1. Log in to admin console
  2. Security -> Advanced settings -> Authentication -> Mange third party OAuth Client access
  3. Authorize a new client by setting the Client Name to the Client ID of the service account, and the the API scope to whatever you need from the Admin SDK (e.g., https://www.googleapis.com/auth/admin.directory.group)

The other thing I needed to do was make sure my request was being made on behalf on an administrative user. Using the PHP API, setting up the credentials object looks like this:

$cred = new Google_Auth_AssertionCredentials(
    $clientEmail,
    'https://www.googleapis.com/auth/admin.directory.group',
    file_get_contents($keyFile));
$cred->sub = 'admin@example.com';

Now I am able to successfully make calls using the Google_Service_Directory class.

Community
  • 1
  • 1
molecularbear
  • 131
  • 1
  • 7