9

I'm using google admin directory API to get all accounts public information using following API https://www.googleapis.com/admin/directory/v1/users

here is link for this api link when I logged in using g suite domain account let say abc@somedomain.com with non administrative user this api works fine and fetch the data of all accounts in array but When I call this API by logging in as admin it gives me following error /

Insufficient Permission: Request had insufficient authentication scopes

why its happening Im using same auth and API key for both users
my code is here 

const token =localStorage.getItem('token')
 fetch(`https://www.googleapis.com/admin/directory/v1/users? 
 domain=${domain.url}&viewType=domain_public&key=${apiKey.key}`  
  ,{ headers: {
'authorization': 'Bearer '+token
  },})

  .then(response => response.json())
  .then(data => this.setState({ users:data.users }));

token is coming from this module npm react google login google sign in button

Asad
  • 3,070
  • 7
  • 23
  • 61
  • Hello @Asad, what scopes did you use for the request? Moreover, did you use any parameters for the request? – ale13 Feb 12 '20 at 10:46
  • Scope is set by default like first im logining with google auth then im sending two params `view_type` and `domain` here you can look https://developers.google.com/admin-sdk/directory/v1/reference/users/list @ale13 – Asad Feb 12 '20 at 14:40
  • im sending my domain name domain.com and `view_type` = domain_public for non admin user – Asad Feb 12 '20 at 14:41
  • with access token in header like this `bearer xxxxx` xxx is access token @ale13 – Asad Feb 12 '20 at 18:43
  • Hello @Asad, how are you calling the API? What are you getting if you are using the [OAuth 2.0 Playground](https://developers.google.com/oauthplayground/) with the same parameters as above? Cheers! – ale13 Feb 13 '20 at 14:12
  • Im first logging in through google sign in button , In response I'm getting access token and then Im sending this access token in header to call api with above 2 parameters @ale13 – Asad Feb 13 '20 at 15:23
  • Im calling api with simple `fetch` method in reactjs – Asad Feb 13 '20 at 15:29
  • Hey @Asad, have you tried the [OAuth 2.0 Playground](https://developers.google.com/oauthplayground/)? What results are you getting? Cheers! – ale13 Feb 14 '20 at 15:25
  • iits working there :/ i have added scope `https://www.googleapis.com/auth/admin.directory.user.readonly` but when i add this scope to admin account it dont work while works for non admin user @ale13 – Asad Feb 14 '20 at 17:10

3 Answers3

6

It seems that the issue you are encountering is related to the way you are using the access token, more precisely in the way you use the scopes for the admin account in relation to the access token you have.

If the scopes you want to use with the two accounts don't match entirely, you will need to get another access token when you use the admin account.

So in order to solve your issue, you will have to get a new access token for the scopes you will be using for the admin account. You can declare them like this:

const SCOPES = ['https://www.googleapis.com/auth/admin.directory.user.readonly' 'OTHER_SCOPE_1' 'OTHER_SCOPE_2'...];

Same goes for the non-admin account; if the scopes don't match entirely, declare them like above and get another access token which will be the one matching them.

Reference

ale13
  • 5,679
  • 3
  • 10
  • 25
  • 1
    uh yes It was issue of scope and i was stuck in how to add in that react module, but I learnt it well still wondering how it works for `non admin user` thank you so much for your time :) @ale13 – Asad Feb 18 '20 at 21:19
  • @Asad you’re welcome and I’m glad to hear everything works as expected now :) – ale13 Feb 18 '20 at 21:24
0

with the help of @ale13 I came to know that I need to add scopo in react-module react google login

so I added following scope

https://www.googleapis.com/auth/admin.directory.user

and I still don't know how this works for non admin user without adding scope

Asad
  • 3,070
  • 7
  • 23
  • 61
0

Reason: During the instance creation in "Access scopes" you used the Default option need to choose the "Allow full access to all Cloud APis" option.

Once you already created do the steps:

*) stop the VM instance *) click in Edit , next in API access scopes select "Allow full access to all Cloud APis" and click in save *) Start instance and check please

Dharman
  • 30,962
  • 25
  • 85
  • 135
Srinu Veera
  • 1