
Hoping you can help.

Attempting to interact with the GSuite API via a service account; however, I'm getting the 'client is unauthorized to retrieve access tokens using this method' error.

Sample code below:

#!/usr/bin/env python3

# Set env, import tools and generally get started

from __future__ import print_function
import httplib2
import os
from httplib2 import Http

from apiclient import discovery          # legacy alias of googleapiclient
from oauth2client import client
from oauth2client import tools
from oauth2client.file import Storage

from oauth2client.service_account import ServiceAccountCredentials
from oauth2client.service_account import _JWTAccessCredentials

try:
    import argparse
    flags = argparse.ArgumentParser(parents=[tools.argparser]).parse_args()
except ImportError:
    flags = None

# Downloaded JSON key for the service account (client_email, client_id, private_key)
service_credentials_file = '/Users/my.user/Documents/Github/GSuite/service_credential.json'

# change working directory to script location (required for file use)
dir_path = os.path.dirname(os.path.realpath(__file__))
os.chdir(dir_path)

# Must match the scopes authorised for this client ID under domain-wide delegation
scopes = ['https://www.googleapis.com/auth/admin.directory.user']

def test_function():
    # Service-account credentials: the signed JWT carries iss=client_email and these scopes
    credentials = ServiceAccountCredentials.from_json_keyfile_name(service_credentials_file, scopes=scopes)
    # Domain-wide delegation: adds sub=<user> so the token acts as that super admin
    delegated_credentials = credentials.create_delegated('super.admin@domain.co.uk')
    # authorize() only wraps the transport; the token is fetched on the first request
    http_auth = delegated_credentials.authorize(httplib2.Http())

    service = discovery.build('admin', 'directory_v1', http=http_auth)

    print('Getting the first 10 users in the domain')
    # The token exchange happens here, so this is where HttpAccessTokenRefreshError is raised
    results = service.users().list(customer='my_customer', maxResults=10, orderBy='email', domain='nnn.nn').execute()
    print(results)

if __name__ == '__main__':
    test_function()

Full error raised:

raise HttpAccessTokenRefreshError(error_msg, status=resp.status)
oauth2client.client.HttpAccessTokenRefreshError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method.

What I've checked so far:

  • Scope (which for this example is 'https://www.googleapis.com/auth/admin.directory.user') is authorised for the client ID of this service account in Admin > Security
  • Domain-wide delegation is enabled for the service account
  • The account being impersonated can make this call to the API when authenticating on their own; the issue is impersonating this (and any other) user, or even just authorizing as the service account on its own.
  • Also doesn't work using a .p12 keyfile calling the 'from_p12_keyfile' method.

Any help here would be amazing, as it's been a week of flailing about at it and I'm all out of ideas (as is Dr Google).

Thank you!

TorTurner
  • Usually this is caused by the method which the client_id was registered with Google vs the methods which are being attempted. – jwilleke Mar 27 '18 at 10:05
  • The client ID was generated from the dev console when creating the service account... I'm beginning to think it might be down to the roles assigned to the service account but am struggling, might create a new account and go through the roles testing. – TorTurner Mar 28 '18 at 12:40
  • Update: still ongoing, new service account worked briefly (and still does for getting a list of users) but doesn't work now. – TorTurner Mar 29 '18 at 09:24

0 Answers
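What the token endpoint actually sees in the flow above is a signed JWT bearer assertion whose claims (iss, sub, scope, aud) must line up with the domain-wide delegation entry for the key's numeric client ID. The script below is an added example, written for this page and not code from the original post or from oauth2client: using only the standard library it rebuilds that claim set and the unsigned header.payload, and compares the key file's client_id and the requested scope strings against a local copy of the Admin console table. The key file contents, the client ID, the authorised scope set and the impersonated user are all constructed samples; the real values come from the downloaded JSON key and from the delegation page in the Admin console.

```python
#!/usr/bin/env python3
"""Added diagnostic for the domain-wide delegation flow (not the post's code).

Rebuilds the JWT claim set that oauth2client sends for a delegated service
account and checks it locally against the Admin console delegation table.
All values below are constructed samples.
"""

import base64
import json
import time

# Constructed sample of a downloaded service-account key; the private key is
# a placeholder because this script never signs anything.
SAMPLE_KEYFILE = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\n<placeholder>\n-----END PRIVATE KEY-----\n",
    "client_email": "directory-reader@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}

# Constructed sample of the Admin console delegation table:
# numeric client ID -> set of authorised scope strings.
SAMPLE_AUTHORISED = {
    "123456789012345678901": {
        "https://www.googleapis.com/auth/admin.directory.user.readonly",
    },
}

SCOPE_USER = "https://www.googleapis.com/auth/admin.directory.user"
SCOPE_USER_RO = SCOPE_USER + ".readonly"


def b64url(data):
    """Unpadded base64url, as JWT segments require (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_segment(segment):
    """Inverse of b64url for a JSON segment; restores the stripped padding."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def build_assertion_claims(keyfile, scopes, subject=None, now=None):
    """Claim set of the JWT bearer assertion (RFC 7523) for a service account.

    iss is the service-account e-mail, scope is space separated, aud is the
    token endpoint; sub is present only when delegating and names the
    Workspace user being impersonated.
    """
    now = int(time.time()) if now is None else now
    claims = {
        "iss": keyfile["client_email"],
        "scope": " ".join(scopes),
        "aud": keyfile["token_uri"],
        "iat": now,
        "exp": now + 3600,  # Google caps assertion lifetime at one hour
    }
    if subject:
        claims["sub"] = subject
    return claims


def encode_unsigned(keyfile, claims):
    """The header.payload part of the assertion, before the RS256 signature."""
    header = {"alg": "RS256", "typ": "JWT", "kid": keyfile["private_key_id"]}
    dump = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return b64url(dump(header)) + "." + b64url(dump(claims))


def check_delegation(keyfile, scopes, subject, authorised):
    """Return the local inconsistencies with the Admin console table.

    An empty list means client ID, scope strings and subject all line up.
    """
    problems = []
    client_id = keyfile["client_id"]
    allowed = authorised.get(client_id)
    if allowed is None:
        problems.append("client ID %s has no domain-wide delegation entry" % client_id)
        return problems
    for scope in scopes:
        if scope not in allowed:
            # Exact string match: readonly vs read/write, http vs https and a
            # trailing slash all count as a different scope.
            near = sorted(a for a in allowed if a.startswith(scope) or scope.startswith(a))
            hint = " (closest authorised: %s)" % ", ".join(near) if near else ""
            problems.append("scope %s not authorised for client %s%s" % (scope, client_id, hint))
    if subject and subject.lower().endswith(".gserviceaccount.com"):
        problems.append("sub must be a Workspace user, not the service account itself")
    return problems


if __name__ == "__main__":
    user = "super.admin@example.co.uk"  # constructed sample subject
    claims = build_assertion_claims(SAMPLE_KEYFILE, [SCOPE_USER], user)
    print(encode_unsigned(SAMPLE_KEYFILE, claims))
    for problem in check_delegation(SAMPLE_KEYFILE, [SCOPE_USER], user, SAMPLE_AUTHORISED):
        print("problem:", problem)
```

Run it against your own key file and a copy of the console table, then compare the printed payload (decode the second segment) with the delegation entry: the client_id in the JSON key must be the number registered in the console, and the scope strings are compared character for character. The same claim set is what the maintained google-auth library sends via `google.oauth2.service_account.Credentials.from_service_account_file(path, scopes=scopes).with_subject(user)`, which is the replacement for the deprecated oauth2client `create_delegated` call shown in the question.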