Scopes in OAuth Consent Screen in Google Cloud Platform

I am trying to call the AdminService API to manage my domain's groups, such as adding new group members, creating new groups, etc., but I'm stuck with the request to get all the users of my domain. Here is the code:

    using System;
    using System.Security.Cryptography.X509Certificates;
    using Google.Apis.Admin.Directory.directory_v1;
    using Google.Apis.Admin.Directory.directory_v1.Data;
    using Google.Apis.Auth.OAuth2;
    using Google.Apis.Services;

    public static class MembersSample
    {
        static void Main(string[] args)
        {
            String serviceAccountEmail = "*****@*****.iam.gserviceaccount.com";

            // Service account key file (.p12) and its password.
            var certificate = new X509Certificate2(@"pathofthefile.p12", "secret", X509KeyStorageFlags.Exportable);

            // Scopes sent in the token request; User is the domain account to impersonate.
            ServiceAccountCredential credential = new ServiceAccountCredential(
                new ServiceAccountCredential.Initializer(serviceAccountEmail)
                {
                    Scopes = new[] {
                        DirectoryService.Scope.AdminDirectoryUser,
                        DirectoryService.Scope.AdminDirectoryGroup,
                        DirectoryService.Scope.AdminDirectoryDomain,
                        DirectoryService.Scope.AdminDirectoryGroupMember },
                    User = "domainmanageremail"
                }.FromCertificate(certificate));

            var dirservice = new DirectoryService(new Google.Apis.Services.BaseClientService.Initializer()
            {
                HttpClientInitializer = credential,
                ApplicationName = "my application name",
            });

            // List the users of the domain and print each primary e-mail address.
            var listReq = dirservice.Users.List();
            listReq.Domain = "my domain address";
            Users allUsers = listReq.Execute();
            int counter = 0;
            foreach (User myUser in allUsers.UsersValue)
            {
                Console.WriteLine("*" + myUser.PrimaryEmail);
                counter++;
            }
            Console.WriteLine(counter);
            Console.ReadKey();
        }
    }

I am getting this error:

Unhandled Exception: Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"unauthorized_client", Description:"Client is unauthorized to retrieve access tokens using this method.", Uri:""

My service account role is Service Account User, and my role is Service Account Admin in this project. Also, I did the authorization part for the service account with the DirectoryService.Scope.AdminDirectoryUser scope (Domain Wide Delegation).

Is this scope wrong, or do I need an additional one to manage groups and members?

Thanks for any help!

AshleyCam
  • You have to [wait 24 hours](https://github.com/googleapis/google-api-php-client/issues/1379) for the Domain Wide Delegation to kick in. Also, yes, you need additional scopes for this to work. Try referring to [`Groups: list`](https://developers.google.com/admin-sdk/directory/v1/reference/groups/list) and [`Users: list`](https://developers.google.com/admin-sdk/directory/v1/reference/users/list) to learn more about what scopes are needed. – MαπμQμαπkγVπ.0 Nov 30 '18 at 11:05
  • Thanks for your response, but I'm still getting the same error; I have also updated the scopes with additional ones. My other question is whether I am impersonating the user the right way or not; maybe that is the issue. Or do I need any other authorization, such as OAuth2 with an OAuth2 key instead of a service account key? – AshleyCam Dec 05 '18 at 16:54
  • Your code looks functionally equivalent to my own. Can you post a shot of the scopes configured in the GSuite admin console? – Justin Cervero Dec 10 '18 at 00:34
  • You can see the scopes that I used in Google Cloud Platform in the picture at the top of my post. – AshleyCam Dec 11 '18 at 18:30
  • That screenshot appeared to be the application/project settings. The scopes *also* have to be added in the security settings of the domain. Have you added them in the admin console? – Justin Cervero Dec 16 '18 at 21:36
  • They were added with the service account Client ID in the advanced security settings in the GSuite admin console. Still, I am getting the same error. – AshleyCam Dec 18 '18 at 17:34
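
The comments above turn on whether the scopes requested in code match the scopes delegated to the service account's Client ID in the admin console. The following is an added example, not code from the question or from Google's library, that lists the difference in both directions; the class and method names are hypothetical and the console entry is a constructed sample.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Google.Apis.Admin.Directory.directory_v1;

public static class DelegationScopeCheck
{
    // Splits the admin-console scope field (comma-separated, pasted by hand)
    // into a set, tolerating stray whitespace and empty items.
    public static HashSet<string> ParseConsoleEntry(string entry) =>
        new HashSet<string>(
            entry.Split(new[] { ',', ' ', '\r', '\n', '\t' }, StringSplitOptions.RemoveEmptyEntries),
            StringComparer.Ordinal);

    // Scopes the code puts in its token request that the console entry lacks.
    public static List<string> Missing(IEnumerable<string> requested, string entry)
    {
        var authorized = ParseConsoleEntry(entry);
        return requested.Where(s => !authorized.Contains(s)).ToList();
    }

    // Scopes delegated in the console that the code never requests
    // (candidates to remove, keeping the delegation least-privilege).
    public static List<string> Unused(IEnumerable<string> requested, string entry)
    {
        var wanted = new HashSet<string>(requested, StringComparer.Ordinal);
        return ParseConsoleEntry(entry).Where(s => !wanted.Contains(s)).ToList();
    }

    public static void Main()
    {
        // The same four scopes the question's Initializer requests.
        var requested = new[] {
            DirectoryService.Scope.AdminDirectoryUser,
            DirectoryService.Scope.AdminDirectoryGroup,
            DirectoryService.Scope.AdminDirectoryDomain,
            DirectoryService.Scope.AdminDirectoryGroupMember };

        // Constructed sample: a console entry holding only the user scope.
        string consoleEntry = "https://www.googleapis.com/auth/admin.directory.user";

        foreach (var s in Missing(requested, consoleEntry))
            Console.WriteLine("requested but not delegated: " + s);
        foreach (var s in Unused(requested, consoleEntry))
            Console.WriteLine("delegated but never requested: " + s);
    }
}
```

Replace `consoleEntry` with the scope list copied from the admin console entry for the service account's Client ID before comparing.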

0 Answers