
I have scripted/automated our entire termination process for a user using the Google Directory API (i.e., changing password, moving to another OU, etc.). That all works great; however, I am noticing that when I use the "Delete App Specific Password" call, no ASPs actually get deleted. When I check in the admin panel, they are all still present in the user account.

I do about a dozen other Google API calls in the script (that work), so no, it's not a permission/scope issue. No errors are thrown during the ASP part of the script. It just "processes" the call and continues. Very strange.

When I use the Try this API section on Google it works just fine and removes the ASP that I specify.

Is anyone else experiencing this issue?

Here is the section of the pertinent code:

# Imports needed by the snippet below
from googleapiclient import discovery
from httplib2 import Http
from oauth2client.service_account import ServiceAccountCredentials

scopes = ['https://www.googleapis.com/auth/admin.directory.user.security',
            'https://www.googleapis.com/auth/admin.directory.user',
            'https://www.googleapis.com/auth/gmail.settings.sharing',
            'https://www.googleapis.com/auth/gmail.modify',
            'https://www.googleapis.com/auth/admin.datatransfer',
            'https://www.googleapis.com/auth/admin.directory.group']

credentials = ServiceAccountCredentials.from_json_keyfile_name('../service-account-key.json', scopes=scopes)

# Impersonate the (redacted) admin account via domain-wide delegation
delegated_credentials = credentials.create_delegated('REDACTED')
http_auth = delegated_credentials.authorize(Http())

directory_service = discovery.build('admin', 'directory_v1', http=http_auth)

def remove_asps():
    ##############################################################################################################################
    '''
    REMOVE ALL APP SPECIFIC PASSWORDS
    '''
    ##############################################################################################################################
    asp = directory_service.asps().list(userKey='{0}'.format(user_email)).execute()
    app_specific_passwords = asp.get('items', [])

    print('3) Removing App Specific Passwords:')
    if not app_specific_passwords:
        print('- {0} does not have any App Specific Passwords to remove.'.format(user_email))
        print('')
    else:
        for app_specific_password in app_specific_passwords:
            print('- Removing App Specific Password - {0} from {1}'.format(app_specific_password['name'],user_email))
            delete_asps = directory_service.asps().delete(userKey='{0}'.format(user_email),codeId='{0}'.format(app_specific_password['codeId']))
            print('Done.')
            print('')

I have also attempted to hard-code the values into the call and remove the for-loop, rather than using variables, and that does not work either.

The logs show that the call is run, but no errors are thrown:

googleapiclient.discovery: INFO     URL being requested: DELETE https://www.googleapis.com/admin/directory/v1/users/redacted_email/asps/0?
googleapiclient.discovery: INFO     URL being requested: DELETE https://www.googleapis.com/admin/directory/v1/users/redacted_email/asps/1?
googleapiclient.discovery: INFO     URL being requested: DELETE https://www.googleapis.com/admin/directory/v1/users/redacted_email/asps/2?

Thanks in advance for the help!

Peter
user3282173
  • Please update the question with the simplest code, hardcoded showing the asp delete (fail case) and change password (pass case). I think this will help people who could potentially assist with an answer. – Peter Apr 26 '17 at 23:16

0 Answers
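Added example, not part of the original post: in google-api-python-client, `asps().delete(...)` only builds a request object and nothing is sent until `.execute()` is called on it, which the `delete` line in the question omits (the `list` call has it). The sketch below uses a constructed in-memory stand-in (`FakeDirectory`, a hypothetical name) for the Directory service so it runs offline, and re-lists after deleting so an offboarding script fails loudly if any ASP survives.

```python
# Constructed stand-ins for the Directory API client (assumption: only the
# asps().list()/delete() -> request -> execute() shape is mirrored here).
class _Request:
    """Lazy request: like the real client, nothing happens until execute()."""
    def __init__(self, action):
        self._action = action

    def execute(self):
        return self._action()

class FakeDirectory:
    def __init__(self, store):
        self._store = store                      # {userKey: {codeId: name}}

    def asps(self):
        return self

    def list(self, userKey):
        def run():
            items = [{'codeId': c, 'name': n}
                     for c, n in sorted(self._store[userKey].items())]
            return {'items': items} if items else {}
        return _Request(run)

    def delete(self, userKey, codeId):
        def run():
            del self._store[userKey][codeId]
            return ''
        return _Request(run)

def list_asps(directory_service, user_email):
    return directory_service.asps().list(userKey=user_email).execute().get('items', [])

def remove_asps_without_execute(directory_service, user_email):
    """Shape of the call in the question: requests are built but never sent."""
    for item in list_asps(directory_service, user_email):
        directory_service.asps().delete(userKey=user_email, codeId=item['codeId'])
    return len(list_asps(directory_service, user_email))    # ASPs still present

def remove_asps(directory_service, user_email):
    """Delete every ASP, then re-list to confirm the credentials are revoked."""
    listed = list_asps(directory_service, user_email)
    for item in listed:
        # .execute() is what actually sends the DELETE
        directory_service.asps().delete(userKey=user_email, codeId=item['codeId']).execute()
    remaining = list_asps(directory_service, user_email)
    if remaining:
        raise RuntimeError('{0} ASPs still present for {1}'.format(len(remaining), user_email))
    return len(listed)
```

The `URL being requested: DELETE ...` log line is written when the request object is built, so it appears whether or not the request is ever sent.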