
I'm trying to patch a user with some custom user fields using a Google OAuth2 service account, but I get a 403 Unauthorized response if I delegate to any other user than myself.

I've effectively been guided by the following document. https://developers.google.com/api-client-library/python/auth/service-accounts#jwtsample

I've temporarily given this delegated user (service-user@test.pugme.co.uk) SuperAdmin privileges, but the issue persists. In fact, apart from the actual name, I can't find anything that differentiates the account from my own, which makes me suspect the issue is related to permissions on the actual schema "customPermissions"? (The delegated user is also the Service Account Actor on the service account.)

My test code is ...

from __future__ import print_function
from json import dumps

import httplib2
from httplib2 import Http
from apiclient import discovery
from oauth2client.service_account import ServiceAccountCredentials

# Both scopes are needed: one to list/patch users, one for the custom user schema.
scopes = ['https://www.googleapis.com/auth/admin.directory.user',
          'https://www.googleapis.com/auth/admin.directory.userschema']

credentials = ServiceAccountCredentials.from_json_keyfile_name('service-account.json', scopes=scopes)

# Service account actor - valid Google user but not a real person.
account_sub = 'service-user@test.pugme.co.uk'

# Domain-wide delegation: act as account_sub rather than as the service account itself.
delegated_credentials = credentials.create_delegated(account_sub)

httplib2.debuglevel = 3

http = delegated_credentials.authorize(Http())

service = discovery.build('admin', 'directory_v1', http=http)

# Prove we can get some users ...
results = service.users().list(customer='<redacted>', maxResults=10, orderBy='email').execute()
users = results.get('users', [])

# Prove we can update the custom schema for a particular user.
# Multi-valued fields are sent as a list of {'value': ...} objects; single-valued fields as the bare value.
schema = dumps({'customSchemas': {'pugme': {'customPermissions': [{'value': 'role1'}, {'value': 'role2'}],
                                             'realName': 'Mike Kirk'}}})

headers = {'Content-Type': "application/json; charset=UTF-8"}
resp = http.request('https://www.googleapis.com/admin/directory/v1/users/michael.kirk@test.pugme.co.uk?projection=full',
                    "PATCH", body=schema, headers=headers)
print(resp)

My custom schema is as follows.

custom_schema = {
    "fields": [
        {
            "fieldName": "customPermissions",
            "fieldType": "STRING",
            "multiValued": True
        },
        {
            "fieldName": "realName",
            "fieldType": "STRING"
        }
    ],
    "schemaName": "pugme",
}

Thanks Mike

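The question hand-builds the `customSchemas` JSON for the raw PATCH. As an added example (not code from the original post), the stdlib-only helper below builds that body from the schema definition shown above and rejects values that do not match it (a bare string for the multiValued `customPermissions` field, a list for the single-valued `realName`, an undefined field, a wrong type), so a shape mistake is caught locally instead of surfacing as an API error. The `_PY_TYPES` mapping of Directory field types to Python types is this example's own assumption.

```python
import json

# Copy of the custom schema from the question (constructed for this example).
PUGME_SCHEMA = {
    "schemaName": "pugme",
    "fields": [
        {"fieldName": "customPermissions", "fieldType": "STRING", "multiValued": True},
        {"fieldName": "realName", "fieldType": "STRING"},
    ],
}

# Directory API field types -> Python type a supplied value must have (assumption for this example).
_PY_TYPES = {"STRING": str, "EMAIL": str, "PHONE": str, "DATE": str,
             "INT64": int, "DOUBLE": float, "BOOL": bool}


def validate_custom_schema_values(schema, values):
    """Return a list of problems (empty when every value fits the schema definition)."""
    fields = {f["fieldName"]: f for f in schema["fields"]}
    problems = []
    for name, value in values.items():
        spec = fields.get(name)
        if spec is None:
            problems.append(f"{name}: not defined in schema {schema['schemaName']}")
            continue
        multi = spec.get("multiValued", False)
        if multi and not isinstance(value, (list, tuple)):
            problems.append(f"{name}: multiValued field needs a list, got {type(value).__name__}")
            continue
        if not multi and isinstance(value, (list, tuple)):
            problems.append(f"{name}: single-valued field cannot take a list")
            continue
        py_type = _PY_TYPES.get(spec["fieldType"], object)
        for v in (value if multi else [value]):
            # bool is a subclass of int, so keep True/False out of INT64 fields.
            if not isinstance(v, py_type) or (py_type is int and isinstance(v, bool)):
                problems.append(f"{name}: expected {spec['fieldType']}, got {type(v).__name__}")
    return problems


def build_custom_schema_patch(schema, values):
    """Build the users.patch body: multiValued fields become [{'value': v}, ...], others stay bare."""
    problems = validate_custom_schema_values(schema, values)
    if problems:
        raise ValueError("; ".join(problems))
    fields = {f["fieldName"]: f for f in schema["fields"]}
    body = {name: ([{"value": v} for v in value] if fields[name].get("multiValued") else value)
            for name, value in values.items()}
    return {"customSchemas": {schema["schemaName"]: body}}


if __name__ == "__main__":
    print(json.dumps(build_custom_schema_patch(
        PUGME_SCHEMA, {"customPermissions": ["role1", "role2"], "realName": "Mike Kirk"}), indent=2))
```

The returned dict can be passed as `body=` to `service.users().patch(userKey=...)` from the discovery client, which sends the JSON and the Content-Type header itself.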

1 Answer


Has the password on the user service-user@test.pugme.co.uk expired? I encountered a similar problem and it was resolved by resetting the password. It may also be worth changing the readAccessType in the field attributes:

https://developers.google.com/admin-sdk/directory/v1/reference/schemas

  • Good Spot! I reset the password on the user (was still temporary) and it worked! Next challenge is to try and lower the privileges from SuperAdmin to a custom Admin role. I was expecting a role with User & Schema Management privileges to suffice but perhaps the privilege to set these custom attributes is not exposed? – Mike Kirk May 17 '17 at 16:16