
I brought up a GSuite Marketplace Listing with Service account created and Domain Wide Delegation enabled. I want to retrieve the users and orgunits of the customer.

  1. Created a new Google Cloud Project
  2. Enabled 'Admin SDK' in the project
  3. Enabled 'GSuite Marketplace SDK', filled the scopes 'https://www.googleapis.com/auth/admin.directory.orgunit.readonly', 'https://www.googleapis.com/auth/admin.directory.user.readonly' and published the listing.
  4. Enabled the 'Enable API Access' in the Admin Console of the customer.
  5. The customer installed the app but I saw that the client_id of the SA was not added under the "Authorized API clients" section. When I try to retrieve the list of users in GSuite, I get the below error.

"unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested"

Am I missing something in the marketplace listing?

  • Also "G Suite Marketplace Integration Client" got created automatically under Credentials. But Service Account credentials still exist. Why did the listing app not install Admin SDK scopes under **'Authorized API Clients'** ? – Shilpa Yellapragada Apr 04 '19 at 18:07

1 Answer


Why do you expect the SA's OAuth client to automatically appear under 'Authorized API Clients'? The instructions for setting up whitelisted OAuth clients for the domain mention you have to do it manually.

  • https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority. **Note: When you use G Suite Marketplace to install an application for your domain, the required permissions are automatically granted to the application during installation. You do not need to manually authorize the service accounts that the application uses. The account must have domain-wide delegation before the application is installed.** – Shilpa Yellapragada Apr 06 '19 at 14:43
  • The section you quoted talks about not having to manually authorize the service accounts for the runtime OAuth behavior, i.e. when the user is running the app. However, for this to work, you still need to enable domain-wide delegation for your service account by adding its OAuth client ID in the 'Authorized API clients'. This has to happen before you install the app. – Kannan Jayaprakasam Apr 08 '19 at 19:07
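What the question's service account is actually doing when it "retrieves the list of users", and why the answer's point about whitelisting matters, as an added example that is not code from the asker, the answerer, or Google's client libraries: the service-account JWT bearer flow that google-auth performs under the hood. The SA signs an RS256 assertion whose `sub` claim names the customer admin to impersonate and whose `scope` claim lists the two Admin SDK scopes from the listing, POSTs it to Google's token endpoint, and only gets an access token back if that SA's client ID has been added under Security > API controls > Domain-wide delegation (the 'Authorized API clients' list) with those scopes; otherwise the endpoint answers exactly the `unauthorized_client` body quoted in the question. The service-account email, the admin address, the generated RSA key and the sample token-endpoint bodies are constructed for the example; the two scopes are the ones from the question and the token endpoint URL is Google's documented one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Google's token endpoint: the signed assertion is POSTed here (jwt-bearer grant) and it is also the JWT aud.
const tokenEndpoint = "https://oauth2.googleapis.com/token"
// Claims is the service-account JWT claim set. sub is the customer admin being impersonated; Google honours
// it only when the SA's client ID is listed under Authorized API clients with (at least) the scopes in scope.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub,omitempty"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// BuildAssertion signs an RS256 JWT for service account saEmail that impersonates subject.
func BuildAssertion(key *rsa.PrivateKey, saEmail, subject string, scopes []string, now time.Time) (string, error) {
	if subject == "" {
		return "", errors.New("domain-wide delegation needs sub: the admin user to impersonate")
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(Claims{Iss: saEmail, Sub: subject, Scope: strings.Join(scopes, " "),
		Aud: tokenEndpoint, Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()}) // exp over 1h ahead is rejected
	input := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyAssertion checks the RS256 signature against the SA's public key and decodes the claims.
func VerifyAssertion(pub *rsa.PublicKey, jwt string) (Claims, error) {
	var c Claims
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	sig, err1 := base64.RawURLEncoding.DecodeString(parts[2])
	payload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return c, errors.New("bad base64url in JWT")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, err
	}
	return c, json.Unmarshal(payload, &c)
}

// ErrDelegationNotAuthorized maps the unauthorized_client reply from the question: the SA's client ID is not whitelisted for these scopes.
var ErrDelegationNotAuthorized = errors.New("service account client ID not authorized for the requested scopes")
// ParseTokenResponse returns the access token, or a typed error for the delegation failure.
func ParseTokenResponse(body []byte) (string, error) {
	var r struct {
		AccessToken string `json:"access_token"`
		Error       string `json:"error"`
		Description string `json:"error_description"`
	}
	if err := json.Unmarshal(body, &r); err != nil {
		return "", err
	}
	if r.Error == "unauthorized_client" {
		return "", fmt.Errorf("%w: %s", ErrDelegationNotAuthorized, r.Description)
	} else if r.Error != "" {
		return "", fmt.Errorf("token endpoint error %s: %s", r.Error, r.Description)
	}
	return r.AccessToken, nil
}
// GenerateTestKey stands in for private_key from the SA's JSON key file (constructed for the example).
func GenerateTestKey() *rsa.PrivateKey {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // generation with crypto/rand does not fail in practice
	return key
}
func main() {
	key := GenerateTestKey()
	scopes := []string{"https://www.googleapis.com/auth/admin.directory.user.readonly", "https://www.googleapis.com/auth/admin.directory.orgunit.readonly"}
	jwt, _ := BuildAssertion(key, "listing-sa@my-project.iam.gserviceaccount.com", "admin@customer.example", scopes, time.Now())
	c, _ := VerifyAssertion(&key.PublicKey, jwt)
	fmt.Println("sub:", c.Sub, "scope:", c.Scope)
	// Constructed copy of the reply quoted in the question, seen before the client ID was whitelisted.
	_, err := ParseTokenResponse([]byte(`{"error":"unauthorized_client","error_description":"Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested"}`))
	fmt.Println("delegation missing:", errors.Is(err, ErrDelegationNotAuthorized))
}
```

In production the assertion is sent as `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<jwt>` and the resulting access token is used as a Bearer token against the Directory API; Google's client libraries do this for you when you call `with_subject()` (or the equivalent) on service-account credentials. The practical check when you hit `unauthorized_client` is to compare the `scope` string in the assertion against the scopes registered for that exact client ID in the customer's Admin console: the set registered must cover every scope requested, and the registration must exist before the Marketplace install, which is what the answer and its comment are describing. Leaving `sub` out does not produce this error; it yields a token for the service account itself, which then gets 403s from the Directory API because the SA is not a G Suite user.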