7

I am trying to set up C# code to manage our Google domain.

I am receiving this error whenever I call service.Users.List() or any other method from the DirectoryService API.

Google.Apis.Requests.RequestError

Insufficient Permission [403]

Errors [

    Message[Insufficient Permission] Location[ - ] Reason[insufficientPermissions] Domain[global]

]

I followed all the instructions on the OAuth setup. The account I am using is a domain admin.

The client secrets file I am using works fine when I use it with GAM.exe to do the same operations. This is leading me to believe that I am doing something wrong in my code.

Below is my code for querying users. Is there anything I am missing?

    using System.IO;
    using System.Threading;
    using Google.Apis.Admin.Directory.directory_v1;
    using Google.Apis.Auth.OAuth2;
    using Google.Apis.Services;

    class Program
    {
        static void Main(string[] args)
        {
            var applicationName = "App Project Name";
            var userName = "admin@domain.com";
            var clientID = "clientIDfromAPIcredentialpageonconsole.developers.google.com";

            UserCredential credential;

            // Run the installed-application OAuth flow with the same client secrets file GAM uses.
            using (var stream = new FileStream("C:\\gam\\client_secrets.json", FileMode.Open, FileAccess.Read))
            {
                credential = GoogleWebAuthorizationBroker.AuthorizeAsync(
                    GoogleClientSecrets.Load(stream).Secrets,
                    new[] { DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser },
                    userName,
                    CancellationToken.None, null).Result;
            }

            var service = new DirectoryService(new BaseClientService.Initializer()
            {
                ApplicationName = applicationName,
                HttpClientInitializer = credential
            });

            var list = service.Users.List();

            // This call is where the 403 Insufficient Permission error is raised.
            var users = list.Execute();
        }
    }
Marv
VaultBoy14

4 Answers

5

2 options:

  1. You didn't include the right Scope. Are you sure that DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser are enough?
  2. Did you enable the API in the Console? More information is available at: https://developers.google.com/api-client-library/dotnet/get_started#auth. Look for your project in https://console.cloud.google.com/project and make sure that you enabled the Directory Admin API.

Please update this thread if one of these options worked or something else is still missing for you.

Yannick MG
peleyal
  • 1. I tried adding in all the scopes and it didn't change anything. 2. In the instructions it states "Activate the Directory API in the Google Developers Console. (If the API isn't listed in the Developers Console, then skip this step.)" When I go into the console, the Directory API is not listed as any of the APIs. So I assumed I needed to skip that step. I enabled the admin and gmail ones just in case. – VaultBoy14 Apr 29 '15 at 21:01
  • 1
    I needed to authorize the app for the API URL in the admin.google screen – VaultBoy14 Apr 30 '15 at 13:57
  • What URL? By your code it looks like you are using an installed application (and NOT web application), right? So which URL did you need to update? Can you elaborate more, please? – peleyal Apr 30 '15 at 21:33
  • I had to go into admin.google.com and authorize the client ID for the app to the following API URL: https://www.googleapis.com/admin/directory/v1. The URL I previously had authorized was incorrect. – VaultBoy14 May 01 '15 at 16:51
4

Scopes

It appears that you are trying this Quickstart:

However, the scope(s) used in that tutorial are:

new [] { DirectoryService.Scope.AdminDirectoryUserReadonly };

However, in the code you posted you have:

new[] { DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser },

Tokens

After you change your scopes (shown above), you may have to delete your OAuth2 token, and then re-authorize access for your application. (Unless you haven't done the "authorize access" step yet.)

\token.json\Google.Apis.Auth.OAuth2.Responses.TokenResponse-user

Enable APIs

Also, as I think you already discovered, enabling the Directory API is a different process than enabling the Gmail API (and they are found at different URLs).

Enable Directory API

Enable Gmail API

JohnB
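
One way to handle the stale-token case described under "Tokens" above, as an added example that is not part of the original answer: it compares the scopes recorded in the cached token with the scopes the program now requests and deletes the cached token on a mismatch, so the next authorization prompts for fresh consent. The `ScopeAwareAuth` class and the token folder name are assumptions made for illustration; the read-only scope is the one the answer quotes from the Quickstart.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Responses;
using Google.Apis.Util.Store;

static class ScopeAwareAuth   // hypothetical helper, not part of the Google client library
{
    // Least-privilege scope for listing users, as quoted from the Quickstart.
    static readonly string[] Required = { DirectoryService.Scope.AdminDirectoryUserReadonly };

    // True when every required scope appears in the space-separated grant string.
    public static bool Covers(string granted, string[] required)
    {
        var have = (granted ?? "").Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        return required.All(r => have.Contains(r, StringComparer.Ordinal));
    }

    public static async Task<UserCredential> AuthorizeAsync(string secretsPath, string user)
    {
        // Assumed token folder; fullPath: true means the path is used exactly as given.
        var store = new FileDataStore(Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.Personal),
            ".credentials", "directory-dotnet-example"), true);

        // FileDataStore keys the cached TokenResponse by the user string
        // (the "TokenResponse-user" file the answer points at).
        var cached = await store.GetAsync<TokenResponse>(user);
        if (cached != null && !Covers(cached.Scope, Required))
        {
            // The cached grant does not list the scopes requested now (or lists none),
            // so drop it and let the broker ask for consent again.
            await store.DeleteAsync<TokenResponse>(user);
        }

        using (var stream = new FileStream(secretsPath, FileMode.Open, FileAccess.Read))
        {
            return await GoogleWebAuthorizationBroker.AuthorizeAsync(
                GoogleClientSecrets.Load(stream).Secrets,
                Required, user, CancellationToken.None, store);
        }
    }
}
```

Passing an explicit `FileDataStore` also makes the token location known, so the cached file can be inspected or removed by hand when the requested scopes change.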
0

Here is my working credentials code:

using (var stream =
    new FileStream("client_secret.json", FileMode.Open, FileAccess.Read))
{
    // Store the token under the user's personal folder.
    string credPath = System.Environment.GetFolderPath(
        System.Environment.SpecialFolder.Personal);
    credPath = Path.Combine(credPath, ".credentials/calendar-dotnet-quickstart.json");

    UserCredential credential = GoogleWebAuthorizationBroker.AuthorizeAsync(
        GoogleClientSecrets.Load(stream).Secrets,
        new string[] { CalendarService.Scope.Calendar },
        "username@gmail.com",
        CancellationToken.None,
        new FileDataStore(credPath, true)).Result;
    Console.WriteLine("Credential file saved to: " + credPath);
}

Make sure to enable the API in the Console.

Mayer Spitz
0

The doc at URL https://developers.google.com/gmail/api/quickstart/dotnet has the scope set as static string[] Scopes = { GmailService.Scope.GmailReadonly }; set it as GmailService.Scope.MailGoogleCom and then continue with the flow as specified in the document. It was a bummer; I was editing the scope in my token response file.

Anoop R