2

I hope someone can help me with.

Please take a look at the source code below. When the Execute is hit at the end. I will get the following error:

Google.Apis.Auth.OAuth2.Responses.TokenResponseException was unhandled _HResult=-2146233088 _message=Error:"access_denied", Description:"Requested client not authorized.", Uri:""

I have tried a lot of things. Creating user, list groups etc. etc. (with correct scopes) but every time I'm getting the same error.

I have created a service account and all of the APIs in the Google Developers Console are set to "on" The user I use for impersonation is a full administrator.

I have tried several things, but I must do something stupid. The code looks a lot like an other issue on Stack Overflow : Google Admin SDK Unable to Create User - Exception 403 Forbidden But mine is not going to work. Can anyone tells me what I'm forgetting? 

private static readonly string[] Scopes = new string[] { DirectoryService.Scope.AdminDirectoryUser, DirectoryService.Scope.AdminDirectoryGroup, DirectoryService.Scope.AdminDirectoryGroupMember };

    static void Main(string[] args)
    {

        String serviceAccountEmail = "***@developer.gserviceaccount.com";
        var certificate = new X509Certificate2(@"file.p12", "notasecret", X509KeyStorageFlags.Exportable);
        ServiceAccountCredential credential = new ServiceAccountCredential(
           new ServiceAccountCredential.Initializer(serviceAccountEmail)
           {
               Scopes = Scopes,
               User = "admin email address",

           }.FromCertificate(certificate));
        var service = new DirectoryService(new BaseClientService.Initializer()
       {
           HttpClientInitializer = credential,
           ApplicationName = "User Provisioning",
       });

        User newuserbody = new User();
        UserName newusername = new UserName();
        newuserbody.PrimaryEmail = "bbacon@correct.domain";
        newusername.GivenName = "Bob";
        newusername.FamilyName = "Bacon";
        newuserbody.Name = newusername;
        newuserbody.Password = "iambacon";

        Google.Apis.Admin.Directory.directory_v1.Data.User results = service.Users.Insert(newuserbody).Execute();

        Console.WriteLine("Press any key to continue!");
        Console.ReadKey();
    }
Community
  • 1
  • 1
Fabian
  • 103
  • 2
  • 5

1 Answers1

4

In your admin console, did you specifically grant permission to the client ID? Just turning the API on in the developer console is not enough, you must specifically grant this client ID scope access in admin console in order for it to impersonate user in your domain.

  1. Go to your Google Apps domain’s Admin console.

  2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.

  3. Select Advanced settings from the list of options.

  4. Select Manage third party OAuth Client access in the Authentication section.

  5. In the Client name field enter the service account's Client ID.

  6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example if you need domain-wide access to the Google Drive API and the Google Calendar API enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar

  7. Click the Authorize button.

Let me know if this resolve the permission error.

davioooh
  • 23,742
  • 39
  • 159
  • 250
Emily
  • 1,464
  • 1
  • 9
  • 12
  • Oh...I would never have found it. In the past I did use the Google.Gdata library. And I can't remember ever have set this setting. Your are great! – Fabian Aug 15 '14 at 07:29