
I have been able to use the Google Admin API to log in to Google Apps and retrieve the user list. I need to do something similar using HTTPClient. I have earlier created a service account and been able to get the access token using the JWT approach. I had granted authorization rights to the scope using the admin console's advanced security settings.

I need to use this access token to create/update/read users. Despite having authorized requests for the given service account (that's how I was able to get the token), I am getting a forbidden error.

   {
    "domain": "global",
    "reason": "forbidden",
    "message": "Not Authorized to access this resource/api"
   }
  ],
  "code": 403,
  "message": "Not Authorized to access this resource/api"
 }
}

I have checked this access token against

curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=#access_token

and see that it is valid token.

Sample Java Snippet

     import org.apache.commons.httpclient.HttpClient;
     import org.apache.commons.httpclient.HttpStatus;
     import org.apache.commons.httpclient.methods.PostMethod;
     import org.apache.commons.httpclient.methods.StringRequestEntity;
     import org.json.JSONException;
     import org.json.JSONObject;

     // Bearer token obtained from the service-account JWT flow
     private String accessToken;

     public void createUser()  {

        String params="{"
              +"\"name\": {"
              +"\"familyName\": \"Smith\","
              +"\"givenName\": \"John\","
              +"\"fullName\": \"John Smith\""
              +"},"
              +"\"password\": \"<some password>\","
              +"\"primaryEmail\": \"john.smith@xyz.net\","
              +"\"isAdmin\": false,"
              +"\"isDelegatedAdmin\": false,"
              +"\"isMailboxSetup\": true"
              +"}";

        PostMethod method = null;
        try {

            JSONObject json = new JSONObject(params);
            String url = "https://www.googleapis.com/admin/directory/v1/users";
            //+ "?access_token="+ accessToken;
            method = new PostMethod(url);
            method.addRequestHeader("Content-Type", "application/json");
            method.addRequestHeader("Authorization", "Bearer " + accessToken);

            method.setRequestEntity(new StringRequestEntity(json.toString(),
                    "application/json", "UTF-8"));
            // Commons HttpClient 3.x executes a method through an HttpClient instance;
            // PostMethod has no no-argument execute()
            new HttpClient().executeMethod(method);
            System.out.println(method.getResponseBodyAsString());
            if (method.getStatusCode() == HttpStatus.SC_CREATED) {
                try {
                    // users.insert returns the created User resource, not a "success" flag
                    JSONObject response = new JSONObject(method.getResponseBodyAsString());
                    if (response.has("primaryEmail")) {
                        System.out.println("User Account created Successfully. <br>");
                    }
                } catch (JSONException e) {
                    e.printStackTrace();
                }
            }
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            // method stays null if PostMethod construction failed
            if (method != null) {
                method.releaseConnection();
            }
        }
    }
Jay Lee
user3240209

1 Answer

These 3 attributes are read-only and should not be set when creating a user.

+"\"isAdmin\": false,"
+"\"isDelegatedAdmin\": false,"
+"\"isMailboxSetup\": true"

That's probably not the root issue though. The error message indicates a permissions issue, not an authentication issue. Where did the access token come from? Who are you authenticating as? If it's a service account, the service account needs to have been granted domain-wide access to the Google Apps instance and be impersonating an admin in the Google Apps domain with the rights to create users. If the access token was authorized by a regular Google account user, that user must be an admin in the Google Apps domain or a reseller with correct permissions. You'll see this error often if there is a typo in the primaryEmail attribute.

Jay Lee
  • Yes, I have already given authorizations (domain-wide access) from the Admin Console by a super admin user to the given client. Only after doing that did my code with the Google API start listing users. It was giving a similar grant error earlier for these scopes "https://www.googleapis.com/auth/admin.directory.user","https://www.googleapis.com/auth/admin.directory.user.readonly");. The access token came from creating a JWT with the client email, private key for the service account, etc. I think maybe the domain needs to be set with HTTPClient somehow – user3240209 Feb 02 '14 at 08:05
  • The problem is that the token created with the Google credential builder works if used with a regular HTTP GetMethod, but the token generated by JWT says unauthorized. Both show as valid if used with the tokeninfo URL – user3240209 Feb 02 '14 at 11:38
  • Solved. The problem was that the token created by JWT was causing the problem while the one from the Google API was working. So I finally found out that we need to specify the prn field in the claim set for the proper token to be generated. Thanks for your help – user3240209 Feb 02 '14 at 12:29
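The fix the asker arrived at, written out as an added example (this is not code from the question or the answer): a service account only gets a token that carries the admin's Directory rights when the JWT claim set names the admin to impersonate. The comment above calls that claim `prn`; Google's current service-account documentation names it `sub`, which is what this code uses. Without it the token endpoint still issues a token, and that token passes the `tokeninfo` check shown in the question, but every Directory API call answers with the 403 "Not Authorized to access this resource/api" above, because the token represents the service account itself rather than a domain admin. The client ID must also be granted domain-wide access for the requested scope in the Admin Console, as the answer says. The email addresses, the key-file path and `DelegatedTokenExample` are placeholders; signing uses the JDK's own `java.security` RSA support, and the token exchange reuses the Commons HttpClient 3.x `PostMethod` API from the question.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.PostMethod;

public class DelegatedTokenExample {

    // Constructed placeholder values; replace with the service account's own
    static final String CLIENT_EMAIL = "sa-name@PLACEHOLDER-project.iam.gserviceaccount.com";
    static final String ADMIN_TO_IMPERSONATE = "admin@xyz.net"; // a domain admin allowed to create users
    static final String SCOPE = "https://www.googleapis.com/auth/admin.directory.user";
    static final String TOKEN_URI = "https://oauth2.googleapis.com/token";

    static String b64url(byte[] data) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
    }

    // Claim set for the JWT-bearer grant. "sub" (the field the comment calls "prn") carries
    // the impersonated admin; leave it out and the token belongs to the service account
    // itself, which has no rights in the Google Apps domain and earns the 403 above.
    static String claimSet(long nowSeconds) {
        return "{\"iss\":\"" + CLIENT_EMAIL + "\","
             + "\"sub\":\"" + ADMIN_TO_IMPERSONATE + "\","
             + "\"scope\":\"" + SCOPE + "\","
             + "\"aud\":\"" + TOKEN_URI + "\","
             + "\"exp\":" + (nowSeconds + 3600) + ","
             + "\"iat\":" + nowSeconds + "}";
    }

    // Parse the PKCS#8 PEM block from the service account key (the private_key field)
    static PrivateKey loadPrivateKey(String pem) throws Exception {
        String base64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                           .replace("-----END PRIVATE KEY-----", "")
                           .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(base64);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // header.payload.signature, signed RS256 as Google requires for service-account assertions
    static String signJwt(PrivateKey key, String claims) throws Exception {
        String header = b64url("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = b64url(claims.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(signingInput.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + b64url(signer.sign());
    }

    // Exchange the assertion for an access token using the same Commons HttpClient 3.x API
    // as the question. Returns the raw JSON body (access_token, token_type, expires_in).
    static String requestAccessToken(String jwt) throws Exception {
        PostMethod post = new PostMethod(TOKEN_URI);
        try {
            post.addParameter("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer");
            post.addParameter("assertion", jwt);
            int status = new HttpClient().executeMethod(post);
            String body = post.getResponseBodyAsString();
            if (status != 200) {
                throw new IllegalStateException("token endpoint returned " + status + ": " + body);
            }
            return body;
        } finally {
            post.releaseConnection();
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to a PEM file holding the service account's private key (placeholder)
        String pem = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.UTF_8);
        PrivateKey key = loadPrivateKey(pem);
        String jwt = signJwt(key, claimSet(System.currentTimeMillis() / 1000));
        System.out.println(requestAccessToken(jwt));
    }
}
```

The access token in the returned JSON is the one to place in the `Authorization: Bearer` header of the `createUser()` request. A quick way to tell the two cases apart while debugging: a token minted from a claim set without the impersonation field looks identical under `tokeninfo` (same scope, still valid), so that check cannot distinguish "authenticated as the service account" from "authorized as an admin"; only the Directory API's 403 does.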