Our app attempts to read chrome devices from Google Workspace using the following code.

IAuthorizationCodeFlow is created as follows:

```csharp
var flowInitializer = new GoogleAuthorizationCodeFlow.Initializer
{
    ClientSecrets = new ClientSecrets
    {
        ClientId = clientID,
        ClientSecret = clientSecret
    },
    Scopes = new[] {
        DirectoryService.Scope.AdminDirectoryUserReadonly
        , DirectoryService.Scope.AdminDirectoryDeviceChromeosReadonly
        , DirectoryService.Scope.AdminDirectoryGroupReadonly
    },
    DataStore = dataStore
};
_flow = new GoogleAuthorizationCodeFlow(flowInitializer);
```

Then the service is created as follows:

```csharp
// appFlowMetaData.Flow is _flow created above
var service = new DirectoryService(new BaseClientService.Initializer()
{
    HttpClientInitializer = new UserCredential(appFlowMetaData.Flow, user.Email, new TokenResponse() { RefreshToken = refreshToken }),
    ApplicationName = "app name"
});
```

And this is an attempt to list Chrome OS devices (btw, listing groups produces the same error):

```csharp
var chromeOsDevices = new List<Google.Apis.Admin.Directory.directory_v1.Data.ChromeOsDevice>();
// using actual customer ID instead of 'my_customer' makes no difference below
ChromeosdevicesResource.ListRequest request = service.Chromeosdevices.List("my_customer");
// Execute() returns the populated ChromeOsDevices response; no need to allocate one first
var response = request.Execute();
```

However, the last line generates the following error:

Request had insufficient authentication scopes. [403] Errors [ Message[Insufficient Permission] Location[ - ] Reason[insufficientPermissions] Domain[global] ]

A similar code that lists users and uses the same service (DirectoryService) works fine.

The credential used by the service includes the following scopes:

  • DirectoryService.Scope.AdminDirectoryUserReadonly
  • DirectoryService.Scope.AdminDirectoryDeviceChromeosReadonly

The code executes in an Azure App Service app.

Unfortunately, the dev who created the app and configured it in the console is no longer available.

Do we need to add the second scope to the app registered in Google API console?

The reason I ask this question is because I do not see the first scope added to the app there but listing users works fine.

Can anyone suggest other reasons why getting users works but getting devices does not?

  • Hi! Are you using either of the two scopes mentioned in [the documentation for this method](https://developers.google.com/admin-sdk/directory/reference/rest/v1/chromeosdevices/list)? If so, as it seems (you indicated you are using `DirectoryService.Scope.AdminDirectoryDeviceChromeosReadonly`), are you implementing these scopes correctly? If you could please share the piece of code of your authorization without providing any sensitive information, it could be helpful. Thanks! – Mateo Randwolf Feb 15 '21 at 15:55
  • @Mateo Randwolf I just edited my original post and added the code that deals with scopes. – gordieb Feb 15 '21 at 19:29
  • Hi! Could you please try refreshing your auth token? The [documentation](https://developers.google.com/admin-sdk/directory/v1/quickstart/dotnet) indicates that `If modifying these scopes, delete your previously saved credentials at ~/.credentials/admin-directory_v1-dotnet-quickstart.json`. From the information you have provided, you have changed the scopes but keep using the same credentials. Please delete the token and re-authorise your application with the new scopes. Let me know how that goes. – Mateo Randwolf Feb 18 '21 at 09:37
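The point raised in the last comment is that a refresh token only carries the scopes the user consented to when it was issued, so adding entries to `Initializer.Scopes` afterwards does not widen it. The following is an added example (not from the question or the Google client library) that refreshes the token and checks the scopes it was actually granted before the `DirectoryService` is built, so the app can fail with a clear message and send the user back through consent instead of hitting the 403 at request time. It assumes the `flow`, `userEmail` and `refreshToken` values from the question, and relies on `TokenResponse.Scope` being populated by Google's token endpoint.

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Flows;
using Google.Apis.Auth.OAuth2.Responses;

public static class ScopeCheck
{
    // Either of these scopes permits chromeosdevices.list per the reference
    // page linked in the comments; we accept whichever one was granted.
    private static readonly string[] DeviceScopes =
    {
        DirectoryService.Scope.AdminDirectoryDeviceChromeos,
        DirectoryService.Scope.AdminDirectoryDeviceChromeosReadonly,
    };

    // Exchanges the stored refresh token for an access token and returns the
    // scopes that token was granted. These are the consent-time scopes, not
    // the ones currently configured in the flow initializer.
    public static async Task<string[]> GrantedScopesAsync(
        IAuthorizationCodeFlow flow, string userEmail, string refreshToken, CancellationToken ct)
    {
        var credential = new UserCredential(
            flow, userEmail, new TokenResponse { RefreshToken = refreshToken });

        if (!await credential.RefreshTokenAsync(ct))
            throw new InvalidOperationException("Refresh token rejected; re-authorization required.");

        // Google returns the granted scopes as a space-separated string.
        return (credential.Token.Scope ?? string.Empty)
            .Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
    }

    public static bool CanListDevices(string[] granted) =>
        granted.Intersect(DeviceScopes, StringComparer.Ordinal).Any();

    // Fail fast: if the stored token predates the device scope, drop it from the
    // data store so the next sign-in goes through consent with the new scope set.
    public static async Task EnsureDeviceScopeAsync(
        IAuthorizationCodeFlow flow, string userEmail, string refreshToken, CancellationToken ct)
    {
        var granted = await GrantedScopesAsync(flow, userEmail, refreshToken, ct);
        if (CanListDevices(granted)) return;

        await flow.DeleteTokenAsync(userEmail, ct);
        throw new InvalidOperationException(
            $"Stored token for {userEmail} lacks a Chrome OS device scope; user must re-authorize.");
    }
}
```

Calling `EnsureDeviceScopeAsync` before constructing the service turns the runtime `insufficientPermissions` 403 into an explicit re-consent step, and the granted-scope list it returns is also useful in logs when diagnosing which users still hold pre-change tokens.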