0

I am using google API client service to perform all GSuite API like customer creation, customer subscription, and customer admin user creation.

So using the API i could able to create customer, subscription and list users of customers. But only thing i couldn't able to do, ie., customer admin user creation.

Seems like that needs some scope "https://www.googleapis.com/auth/admin.directory.user".

But after many try I have enabled the scope "https://www.googleapis.com/auth/admin.directory.user.readonly". But I couldn't remember how it was enabled by me ,only I have remember when I try to use API console I have chosen all directory API to authorize, even this also "https://www.googleapis.com/auth/admin.directory.user".

So now the problem is that creation of admin user using the API. I am getting the error "Insufficient Permission: Request had insufficient authentication scopes."

I have done all this by referring the below URLs only.

https://developers.google.com/admin-sdk/reseller/v1/quickstart/php https://developers.google.com/admin-sdk/directory/v1/quickstart/php

So please help me to give permission to access "https://www.googleapis.com/auth/admin.directory.user" to create admin user for my application.

I have used below script to do that.

<?php
require __DIR__ . '/vendor/autoload.php';
if (php_sapi_name() != 'cli') {
    throw new Exception('This application must be run on the command line.');
}

function getClient()
{
    $OAUTH2_SCOPES = [
        Google_Service_Reseller::APPS_ORDER,
        Google_Service_SiteVerification::SITEVERIFICATION,
        Google_Service_Directory::ADMIN_DIRECTORY_USER,
    ];

    $client = new Google_Client();
    $client->setApplicationName('G Suite Reseller API PHP Quickstart');
    $client->setScopes(Google_Service_Reseller::APPS_ORDER);
    $client->setAuthConfig('credentials.json');
    $client->setAccessType('offline');
    $client->setPrompt('select_account consent');

    $tokenPath = 'token.json';
    if (file_exists($tokenPath)) {
        $accessToken = json_decode(file_get_contents($tokenPath), true);
        $client->setAccessToken($accessToken);
    }


    if ($client->isAccessTokenExpired()) {
            if ($client->getRefreshToken()) {
            $client->fetchAccessTokenWithRefreshToken($client->getRefreshToken());
        } else {
                $authUrl = $client->createAuthUrl();
            printf("Open the following link in your browser:\n%s\n", $authUrl);
            print 'Enter verification code: ';
            $authCode = trim(fgets(STDIN));


            $accessToken = $client->fetchAccessTokenWithAuthCode($authCode);
            $client->setAccessToken($accessToken);


            if (array_key_exists('error', $accessToken)) {
                throw new Exception(join(', ', $accessToken));
            }
        }

        if (!file_exists(dirname($tokenPath))) {
            mkdir(dirname($tokenPath), 0700, true);
        }
        file_put_contents($tokenPath, json_encode($client->getAccessToken()));
    }
    return $client;
}

$client = getClient();
$user = new Google_Service_Directory_User($client);
$service = new Google_Service_Directory($client);
$names = new Google_Service_Directory_UserName($client);

    $customerId = $cusomter_id;
    $email_id = $admin_email_id;
    $fname = $fname;
    $lname = $lname;
    $kind = "admin#directory#user";
    $user->setKind($kind);
    $user->setChangePasswordAtNextLogin(true);
    $user->setprimaryEmail($email_id);
    $user->setCustomerId($customerId);
    $user->setIsAdmin(true);

    $names->setFamilyName($fname);
    $names->setFullName($fname);

    $user->setName($names);
    $user->setPassword($password);
    $setEmails = array("address"=>$email_id, "type"=>"work", "primary"=>true,"isAdmin"=>true);
    $user->setEmails($setEmails);
    $results = $service->users->insert($user);
    print_r($results);
?>

Response Error

PHP Fatal error:  Uncaught exception 'Google_Service_Exception' with message '{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "insufficientPermissions",
    "message": "Insufficient Permission: Request had insufficient authentication scopes."
   }
  ],
  "code": 403,
  "message": "Insufficient Permission: Request had insufficient authentication scopes."
 }
}
' in google-gsuite-api/google-api-php-client-2.2.3/src/Google/Http/REST.php:118
Stack trace:
#0 google-gsuite-api/google-api-php-client-2.2.3/src/Google/Http/REST.php(94): Google_Http_REST::decodeHttpResponse(Object(GuzzleHttp\Psr7\Response), Object(GuzzleHttp\Psr7\Request), 'Google_Service_...')
#1 [internal function]: Google_Http_REST::doExecute(Object(GuzzleHttp\Client), Object(GuzzleHttp\Psr7\Request), 'Google_Service_...')
#2 google-gsuite-api/google-api-php-client-2.2.3/src/Google/Task/Runner.php(176): call_user_func_ in google-gsuite-api/google-api-php-client-2.2.3/src/Google/Http/REST.php on line 118
Vignesh Kumar
  • 49
  • 6
  • I think you need to create the user first before you can promote them to an admin. And is the user you are using a (super) admin? Notes: The user must first exist before being made a super administrator. See: https://developers.google.com/admin-sdk/directory/v1/guides/manage-users – wp78de Jul 11 '19 at 21:16
  • @wp78de thank you for your reply.. That is problem I'm facing. I couldn't able to create an user. Even i know that we need create an user then only we can make them admin. FYI: https://www.googleapis.com/auth/admin.directory.user scope verification also done in google console OAuth consent screen – Vignesh Kumar Jul 18 '19 at 09:55
  • I think I know what's going on. You need to delete the token that was downloaded before the permissions/scopes were changed. Remove/re-add both .json files. – wp78de Jul 18 '19 at 15:27

0 Answers0