9

I get this error when trying to run my code:

oauth2client.client.AccessTokenRefreshError: unauthorized_client: Unauthorized client or scope in request.

Here is my code:

import json
import requests
import httplib2
from oauth2client.client import SignedJwtAssertionCredentials
from apiclient.discovery import build

if __name__ == '__main__':

    json_key_file = 'my-key.json'

    with open(json_key_file) as json_file:

        json_data = json.load(json_file)
        # Arguments: service account email, private key, scopes; sub is the user to impersonate
        credential = SignedJwtAssertionCredentials(
            json_data['client_email'],
            json_data['private_key'],
            scope=['https://www.googleapis.com/auth/admin.directory.user',
                   'https://www.googleapis.com/auth/admin.directory.user.readonly'],
            sub='myemail@domain.com')

    http = httplib2.Http()
    http = credential.authorize(http)

    service = build('admin', 'directory_v1', http=http)
    data = service.users().list(domain='domain.com').execute()

    print(data)

I have the scope set correctly in my console, and I have my Admin SDK enabled in my console. My email is a super admin with access to all Admin API Privileges.

Why would I be getting this error?

Andrew

2 Answers

10

Figured it out:

You need to use the client ID from your "Developers Console" as the Client Name in the "Manage API client access" when you're setting your API scopes.

https://developers.google.com/+/domains/authentication/delegation

Andrew
2

You also need to go to G Suite Admin for the domain, then click Security, Show More, Advanced Settings, Manage API Client Access (or just browse to this at the time of writing).

Then add an entry that has your client name in the Client Name field and your scope in the Scope field. For instance, mine looks like this; you do not need all the scopes, only the one appropriate for your purpose:

gae123
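
The check the two answers describe, as an added example that is not part of the original posts: it compares the client identifier and scopes the code uses against the "Manage API client access" entry, and also lists granted scopes the code never requests. The key contents, the function names and the exact-match treatment of scopes are assumptions made for illustration.

```python
import json

# Constructed sample key file; every value is a placeholder, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_id": "123456789012345678901",
    "client_email": "svc@example-project.iam.gserviceaccount.com",
})
USER_RW = "https://www.googleapis.com/auth/admin.directory.user"
USER_RO = "https://www.googleapis.com/auth/admin.directory.user.readonly"


def parse_scopes(field):
    """Split the comma-separated scope list as typed into the Admin console."""
    return {s.strip() for s in field.split(",") if s.strip()}


def check_delegation(key_json, requested, console_client_name, console_scopes):
    """Compare what the code requests with what the Admin console entry grants.

    Returns (problems, unused): reasons the token request would be refused,
    and scopes granted in the console that the code never asks for.
    Assumption: a requested scope must appear verbatim in the console entry.
    """
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    name = console_client_name.strip()
    granted = parse_scopes(console_scopes)
    problems = []
    if name == key["client_email"]:
        problems.append("Client Name is the service-account email; "
                        "enter the client ID " + key["client_id"])
    elif name != key["client_id"]:
        problems.append("Client Name does not match client ID " + key["client_id"])
    for scope in sorted(set(requested) - granted):
        problems.append("scope requested but not authorized: " + scope)
    unused = sorted(granted - set(requested))
    return problems, unused


if __name__ == "__main__":
    problems, unused = check_delegation(
        SAMPLE_KEY, [USER_RW, USER_RO],
        "svc@example-project.iam.gserviceaccount.com", USER_RO)
    for line in problems:
        print("FIX:", line)
    for scope in unused:
        print("UNUSED GRANT:", scope)
```

Scopes reported as unused are candidates for removal from the console entry, so the delegated service account can impersonate users only for what the code actually calls.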