I have an application which integrates with a Google Apps for Work domain and requires to be migrated from oauth 1 to oauth 2.
The is a server application which requires simply requires to:
- list all groups in the domain.
- list users in a specified group.
- add members to a specified group.
- remove members from a specified group.
Given the above, I believe that this should be done using a service account. I have created this, downloaded the P12 token (what is difference between P12 and a JSON token?) and enabled the Admin SDK API via the Developers console. API Access is enabled in the Domain's control panel and I have enabled the scope https://www.googleapis.com/auth/admin.directory.group.member for the client ID associated with the service account.
I have tried some random operations around groups but get "insufficient permissions" response.
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "Insufficient Permission",
"reason" : "insufficientPermissions"
} ],
"message" : "Insufficient Permission"
}
Anyway, firstly, I am looking for some help with the code necessary to implement the above operations correctly and then will see if there remains a permissions issue:
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;
import org.apache.commons.httpclient.HttpException;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.model.Group;
import com.google.api.services.admin.directory.model.Groups;
import com.google.api.services.admin.directory.model.Users;
public class GoogleAppsService {
HttpTransport httpTransport;
JsonFactory jsonFactory;
public GoogleAppsService() throws GeneralSecurityException, IOException {
httpTransport = GoogleNetHttpTransport.newTrustedTransport();
jsonFactory = JacksonFactory.getDefaultInstance();
}
public GoogleCredential getCredentials() throws HttpException, IOException, GeneralSecurityException {
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(jsonFactory)
.setServiceAccountId("179997031769-pf4t5hifo7dmtbqul1dbl9rulneijl7o@developer.gserviceaccount.com")
.setServiceAccountScopes(Collections.singleton("https://www.googleapis.com/auth/admin.directory.group.member"))
.setServiceAccountPrivateKeyFromP12File(
new File(this.getClass().getResource("/google_apps/google-apps-key.p12").getPath())).build();
return credential;
}
public void listGroups() throws Exception{
GoogleCredential credentials = getCredentials();
Directory directory = new Directory.Builder(
httpTransport, jsonFactory, credentials)
.setApplicationName("xyz")
.build();
//403 insufficient permissions thrown below is the above correct??
Groups result = directory.groups().list().execute();
System.out.println(result);
//iterate and print id/alias of each group
}
public void listUsers(String groupName) throws Exception {
GoogleCredential credentials = getCredentials();
//iterate and print email of each member for specified group
}
public void addUser(String groupname, String emailAddress)throws Exception {
GoogleCredential credentials = getCredentials();
}
public void removeUser(String groupName, String emailAddress)throws Exception {
GoogleCredential credentials = getCredentials();
}
public static void main(String[] args) throws Exception {
try {
GoogleAppsService service = new GoogleAppsService();
service.listGroups();
} catch (HttpException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}
}