
We are trying to create an integration with the Google Admin SDK in order to be able to retrieve, update and create accounts within our domain. However, we keep receiving a 403 error indicating that we are not authorized to access the resource/api.

We are using the credentials obtained from a service account which has Domain-wide Delegation of Authority enabled and the following two scopes: https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.user. We are generating the JWT (which also includes these two scopes) and then sending a request to https://www.googleapis.com/oauth2/v4/token to retrieve the access token.

We are then using the access token to send a request to https://www.googleapis.com/admin/directory/v1/users?domain=XXXX.com. We are including the access token as a Bearer token, part of the headers. In the response we are getting the following message:

{
    "error": {
        "errors": [
            {
                "domain": "global",
                "reason": "forbidden",
                "message": "Not Authorized to access this resource/api"
            }
        ],
        "code": 403,
        "message": "Not Authorized to access this resource/api"
    }
}

Can you clarify what we are doing incorrectly?

  • Which language are you using? How are you calling the google oauth server? – Coder Sep 03 '19 at 13:19
  • I am doing everything manually at the moment and using Postman to send requests. – Christian Bartolo Sep 03 '19 at 13:44
  • I would love to see how you are authorizing a service account with postman i have never been able to get that to work. – Linda Lawton - DaImTo Sep 03 '19 at 13:49
  • I am using Java to generate a JWT, which I then use to send a call to https://www.googleapis.com/oauth2/v4/token which retrieves an access_token. I then copy the access_token and send a request to retrieve users, which in response I get the unauthorised message. – Christian Bartolo Sep 03 '19 at 13:55

2 Answers


The problem was that the JWT must include the sub field: the email address of the user for which the application is requesting delegated access.
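As an added example, not code from the question or from either answer, the following Go program (standard library only, so it runs offline) builds the assertion the asker's Java code needs to produce: the claim set carries iss, scope, aud, iat, exp and the sub named above, is signed RS256 with the service-account key, and a decode helper flags an assertion that lacks sub. The service-account email, the impersonated admin address and the throwaway RSA key are constructed placeholders; a real client parses the private_key field of the downloaded service-account JSON instead.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claim set of the service-account assertion. sub names the Workspace user being
// impersonated and is the claim the question's JWT lacked; aud is the token endpoint.
type DelegatedClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub,omitempty"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

const tokenEndpoint = "https://www.googleapis.com/oauth2/v4/token"

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewDelegatedClaims fills the claim set for a one-hour token acting as user.
func NewDelegatedClaims(saEmail, user string, scopes []string, now time.Time) DelegatedClaims {
	return DelegatedClaims{
		Iss:   saEmail,
		Sub:   user,
		Scope: strings.Join(scopes, " "),
		Aud:   tokenEndpoint,
		Iat:   now.Unix(),
		Exp:   now.Add(time.Hour).Unix(),
	}
}

// BuildAssertion signs header.claims with RS256 (PKCS#1 v1.5 over SHA-256). It refuses an
// empty sub: the token endpoint would still mint an access token, but the Admin SDK answers 403.
func BuildAssertion(key *rsa.PrivateKey, c DelegatedClaims) (string, error) {
	if c.Sub == "" {
		return "", errors.New("sub missing: domain-wide delegation needs the impersonated admin's email")
	}
	claims, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64url([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// DecodeClaims reads the claim set back out of an assertion (no signature check), so a JWT
// produced elsewhere, e.g. by the Java code in the question, can be checked for sub first.
func DecodeClaims(assertion string) (DelegatedClaims, error) {
	var c DelegatedClaims
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return c, errors.New("assertion must have three dot-separated parts")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Sub == "" {
		return c, errors.New("no sub claim: the Admin SDK will refuse the resulting token with 403")
	}
	return c, nil
}

// demoKey makes a throwaway key (constructed for the example). A real client parses the
// private_key field of the service-account JSON with x509.ParsePKCS8PrivateKey instead.
func demoKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func main() {
	claims := NewDelegatedClaims(
		"svc@project-id.iam.gserviceaccount.com", // hypothetical service account
		"admin@example.com",                      // hypothetical Workspace admin to impersonate
		[]string{"https://www.googleapis.com/auth/admin.directory.user"}, time.Now())
	assertion, err := BuildAssertion(demoKey(), claims)
	if err != nil {
		panic(err)
	}
	// POST this as grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<value>
	fmt.Println(assertion)
}
```

The printed assertion goes to the token endpoint as a form-encoded POST with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer and assertion=<jwt>; the access token that comes back acts as the user in sub, so that account must itself hold the directory privileges the call needs, and the scopes in the assertion must be a subset of those granted to the service account's client ID in the Admin console.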


In order for this to work you must set up domain-wide delegation; by doing this your service account will then have access to the data in question.

  1. Locate the newly-created service account in the table. Under Actions, click the More (⋮) menu, then Edit.
  2. In the service account details, click Show domain-wide delegation, then ensure the Enable G Suite Domain-wide Delegation checkbox is checked.
  3. If you haven't yet configured your app's OAuth consent screen, you must do so before you can enable domain-wide delegation. Follow the on-screen instructions to configure the OAuth consent screen, then repeat the above steps and re-check the checkbox.
  4. Click Save to update the service account, and return to the table of service accounts. A new column, Domain-wide delegation, can be seen. Click View Client ID to obtain and make a note of the client ID.
Linda Lawton - DaImTo
  • Edit: The OAuth screen is configured and the domain-wide delegation is also enabled on the service account. – Christian Bartolo Sep 03 '19 at 14:08
  • Not properly, or you wouldn't be getting that error; it's telling you that you don't have access. – Linda Lawton - DaImTo Sep 03 '19 at 16:59
  • So the problem is coming from the setup of the actual service account rather than the requests to the google API? – Christian Bartolo Sep 04 '19 at 06:22
  • Exactly, the service account doesn't have permission to access the resource you are trying to access. That is defined in the setup of the domain-wide delegation. Try and check it. – Linda Lawton - DaImTo Sep 04 '19 at 06:27
  • @DalmTo The domain-wide delegation was set up as you described above; we also added the scopes to the "Scopes for Google APIs" section in the app's OAuth screen. However, the same error is being returned. I've also sent a POST call to this URL: https://www.googleapis.com/oauth2/v1/tokeninfo?access_token= which successfully returns the information of the access token, therefore indicating that it is working. When sending the request to the Admin SDK, only the access token needs to be added as a Bearer token as part of the header, correct? – Christian Bartolo Sep 04 '19 at 12:04