
I need to use a G Suite account to insert a calendar event that includes a Hangouts Meet, but I can't even insert the event; I always get the 403 response:

403 Forbidden
{
  "code" : 403,
  "errors" : [ {
    "domain" : "calendar",
    "message" : "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority.",
    "reason" : "forbiddenForServiceAccounts"
  } ],
  "message" : "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
}

I use the GCP p12 file and the service account to work with the calendar.

I also ticked the Enable G Suite domain-wide delegation box and added my clientId and the scopes

https://www.googleapis.com/auth/admin.directory.resource.calendar, https://www.googleapis.com/auth/calendar.events

in the G Suite Admin console.

What may be the problem!?

By the way, do I need to set up the OAuth consent screen? I already saved it, but it has not been approved by Google.

Can anyone help pls!!

In the beginning I get credentials with the following code:

import java.io.File;
import java.util.Collections;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.services.calendar.CalendarScopes;

credentials = new GoogleCredential.Builder().setTransport(httpTransport).setJsonFactory(JSON_FACTORY)
                    .setServiceAccountId(CalendarEntity.CALENDARID)
                    .setServiceAccountPrivateKeyFromP12File(new File(P12FILEPATH))
                    .setServiceAccountScopes(Collections.singleton(CalendarScopes.CALENDAR)).build();

And then I add (my G Suite account):

.setServiceAccountUser("xxx@xxx.com.tw") 

It responds with 401 Unauthorized. How can I solve this? Thanks.

蘇柏綸

1 Answer

You are missing impersonation.

The purpose of granting domain-wide authority to a Service Account is for these accounts to be able to access data on behalf of users in the domain.

If you grant it domain-wide authority but are not "impersonating" any account, the Service Account is acting as if you hadn't granted this authority: it is trying to access its own Calendars, Drive files, etc., or in this case, trying to insert an Event: something which the Service Account cannot currently do, as I guess you already know.

When the Service Account impersonates another user in the domain (that is, when it acts on behalf of the user), the Service Account can access the resources this user can access. Nothing more, nothing less. What makes delegation useful is that it can do this with any user in the domain.

To impersonate another user, you have to specify this user's email address. I don't know which library you are using, if any, but here you can see how to impersonate another user with Python, Java, and plain HTTP/REST. Refer to this answer if you need to do it in the Node.js library. If you are using another library, look for the corresponding method in the library documentation.

Reference:

Iamblichus
  • If I directly create the service account on GCP, do I still need to do the Reference step? @Iamblichus – 蘇柏綸 Apr 07 '20 at 08:39
  • What do you mean by `Reference step`? – Iamblichus Apr 07 '20 at 08:49
  • The link you added at the bottom of your comment. – 蘇柏綸 Apr 07 '20 at 09:06
  • @蘇柏綸 If you mean whether you have to impersonate another user, yes, you have to do that in order to create an Event with a Service Account. – Iamblichus Apr 07 '20 at 09:18
  • By the way, if I create a Hangouts Meet in the event, may I assign one of the attendees to be the host of the Meet? – 蘇柏綸 Apr 07 '20 at 09:58
  • @蘇柏綸 You can [change](https://developers.google.com/calendar/v3/reference/events/move) the event organizer, and I guess this will also update the Meet host. In any case, if you have doubts about this, I'd suggest you create a new question, since that was not part of the original question. – Iamblichus Apr 07 '20 at 13:35
  • @Iamblichus I tried setServiceAccountUser and it still does not work; I have edited the question. – 蘇柏綸 Apr 07 '20 at 14:53
  • @蘇柏綸 Make sure the user you are impersonating is authorized to create events in this calendar. This might not be the case. Be aware that the Service Account can only access the same resources as the account it is impersonating. – Iamblichus Apr 07 '20 at 14:56
  • I use the scopes https://www.googleapis.com/auth/admin.directory.resource.calendar, https://www.googleapis.com/auth/calendar.events and it works with a normal Gmail account, but it doesn't work with G Suite or the G Suite service account. – 蘇柏綸 Apr 08 '20 at 05:20
  • I fixed the problem with G Suite support; still, thanks for your help! – 蘇柏綸 Apr 08 '20 at 07:04
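The following is an added example, not code from the question or the answer, showing the credential from the question rebuilt with impersonation (setServiceAccountUser), the single calendar.events scope the question lists, and an event insert with an attendee and a Hangouts Meet. The service-account email, P12 path, user addresses and application name are placeholder assumptions; the impersonated user must be allowed to write to the target calendar, and the scope string must match what was authorised in the Admin console.

```java
import java.io.File;
import java.util.Arrays;
import java.util.Collections;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.client.util.DateTime;
import com.google.api.services.calendar.Calendar;
import com.google.api.services.calendar.model.*;

public class DelegatedCalendarInsert {
    // Placeholder assumptions: the service account's client email and its P12 key file.
    private static final String SERVICE_ACCOUNT_EMAIL = "svc@your-project.iam.gserviceaccount.com";
    private static final String P12_PATH = "/path/to/service-account.p12";
    // Narrowest scope that covers inserting events; the same string must be granted in the Admin console.
    private static final String EVENTS_SCOPE = "https://www.googleapis.com/auth/calendar.events";

    // Credential that acts on behalf of one domain user. Without setServiceAccountUser the token
    // belongs to the service account itself, which is what yields forbiddenForServiceAccounts.
    static GoogleCredential delegatedCredential(HttpTransport transport, JsonFactory json,
                                                String userToImpersonate) throws Exception {
        return new GoogleCredential.Builder()
                .setTransport(transport).setJsonFactory(json)
                .setServiceAccountId(SERVICE_ACCOUNT_EMAIL)
                .setServiceAccountPrivateKeyFromP12File(new File(P12_PATH))
                .setServiceAccountScopes(Collections.singleton(EVENTS_SCOPE))
                .setServiceAccountUser(userToImpersonate)
                .build();
    }

    public static void main(String[] args) throws Exception {
        HttpTransport transport = GoogleNetHttpTransport.newTrustedTransport();
        JsonFactory json = JacksonFactory.getDefaultInstance();
        GoogleCredential cred = delegatedCredential(transport, json, "organizer@example.com.tw");
        Calendar service = new Calendar.Builder(transport, json, cred).setApplicationName("dwd-demo").build();

        Event event = new Event().setSummary("Team sync")
                .setStart(new EventDateTime().setDateTime(new DateTime("2020-04-10T09:00:00+08:00")))
                .setEnd(new EventDateTime().setDateTime(new DateTime("2020-04-10T10:00:00+08:00")))
                .setAttendees(Arrays.asList(new EventAttendee().setEmail("guest@example.com.tw")))
                // Request a Hangouts Meet conference; requestId must be unique per create request.
                .setConferenceData(new ConferenceData().setCreateRequest(new CreateConferenceRequest()
                        .setRequestId("req-" + System.currentTimeMillis())
                        .setConferenceSolutionKey(new ConferenceSolutionKey().setType("hangoutsMeet"))));

        // "primary" is the impersonated user's own calendar; conferenceDataVersion=1 enables Meet creation.
        Event created = service.events().insert("primary", event).setConferenceDataVersion(1).execute();
        System.out.println("Created: " + created.getHtmlLink());
    }
}
```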