Google App Engine App - authenticate to Google Admin Directory API

Question

I'm trying to access the Google Admin Directory API to create new Google Groups, from inside a Java app that runs on App Engine. I'm using the following dependencies:

   <dependency>
     <groupId>com.google.api-client</groupId>
     <artifactId>google-api-client</artifactId>
     <version>1.25.0</version>
   </dependency>
    <dependency>
      <groupId>com.google.api-client</groupId>
      <artifactId>google-api-client-appengine</artifactId>
      <version>1.25.0</version>
    </dependency>
    <dependency>
        <groupId>com.google.apis</groupId>
        <artifactId>google-api-services-admin-directory</artifactId>
        <version>directory_v1-rev105-1.25.0</version>
    </dependency>

I'm then trying to create a Google Group, like this:

final List<String> SCOPES = Collections.singletonList(DirectoryScopes.ADMIN_DIRECTORY_GROUP);

AppIdentityCredential appCredential = new AppIdentityCredential(SCOPES);

final NetHttpTransport HTTP_TRANSPORT = GoogleNetHttpTransport.newTrustedTransport();
final JsonFactory JSON_FACTORY = JacksonFactory.getDefaultInstance();

Directory directory = new Directory.Builder(HTTP_TRANSPORT, JSON_FACTORY, getClientCredential())
        .setApplicationName("Test")
        .build();

com.google.api.services.admin.directory.model.Group group = new Group();
group.setEmail("test@test.com");
group.setName("test_group");
group.setDescription("test_group_desc");

Group googleGroup = directory.groups().insert(group).execute();

I get a 403 error and I think I need to authenticate in a different way. I've looked at the following guide to using the Google API Client Library for Java on Google App Engine:

https://developers.google.com/api-client-library/java/google-api-java-client/app-engine

This provides a link to a guide on using OAuth 2.0 with the authorization code flow for Google App Engine applications

The guide gives the following example of how to create a GoogleAuthorizationCodeFlow, however there is no explanation of what getClientCredential() is or what I should do in that routine:

return new GoogleAuthorizationCodeFlow.Builder(HTTP_TRANSPORT, JSON_FACTORY,
    getClientCredential(), Collections.singleton(CalendarScopes.CALENDAR)).setDataStoreFactory(
    DATA_STORE_FACTORY).setAccessType("offline").build();

This section on using the App Engine Identity API looks promising, however there's no explanation of how this could be used with the Google Admin Directory API client library:

https://cloud.google.com/appengine/docs/standard/java/appidentity/#asserting_identity_to_google_apis

What do I need to do to authenticate from an app that runs on App Engine?

Answer 1

I recommend you check the java quickstart sample for Google Admin SDK Directory API.

For example there is a getCredentials method which you can use instead of getClientCredential

/**
 * Creates an authorized Credential object.
 * @param HTTP_TRANSPORT The network HTTP Transport.
 * @return An authorized Credential object.
 * @throws IOException If the credentials.json file cannot be found.
 */
private static Credential getCredentials(final NetHttpTransport HTTP_TRANSPORT) throws IOException {
    // Load client secrets.
    InputStream in = AdminSDKDirectoryQuickstart.class.getResourceAsStream(CREDENTIALS_FILE_PATH);
    GoogleClientSecrets clientSecrets = GoogleClientSecrets.load(JSON_FACTORY, new InputStreamReader(in));

    // Build flow and trigger user authorization request.
    GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(
            HTTP_TRANSPORT, JSON_FACTORY, clientSecrets, SCOPES)
            .setDataStoreFactory(new FileDataStoreFactory(new java.io.File(TOKENS_DIRECTORY_PATH)))
            .setAccessType("offline")
            .build();
    LocalServerReceiver receiver = new LocalServerReceiver.Builder().setPort(8888).build();
    return new AuthorizationCodeInstalledApp(flow, receiver).authorize("user");
}