
I am trying to sync our user profiles from our internal SaaS to Google Workspace user profiles, specifically gender, phone, jobTitle and department. After a long read, I found out that it is not possible to do this with OAuth in the Google Cloud project; it is necessary to create a service account. I have created it, but I am still getting the response "Not Authorized to access this resource/api".

  • The Domain-wide Delegation is enabled.
  • Admin SDK API is enabled.
  • API client access with scope "https://www.googleapis.com/auth/admin.directory.user" is enabled in Workspace security.

Permission of service account: (screenshot not included)

Code:

    require_once __DIR__ . '/vendor/autoload.php'; // Composer autoload for google/apiclient

    $config = __DIR__ . '/project-users.json'; // service-account key file

    $client = new \Google\Client();
    $client->setApplicationName('project-users');
    $client->setAuthConfig($config);
    $client->addScope(\Google\Service\Directory::ADMIN_DIRECTORY_USER);
    $client->setSubject('admin@domain.com'); // user the service account impersonates
    $client->setAccessType('offline');

    $gsdService = new \Google\Service\Directory($client);

    $googleUser = new \Google\Service\Directory\User();
    // Gender
    $gender = new \Google\Service\Directory\UserGender();
    $gender->setType('male');
    $googleUser->setGender($gender);
    // Phone
    $phone = new \Google\Service\Directory\UserPhone();
    $phone->setType('mobile');
    $phone->setValue('123456789');
    $googleUser->setPhones([$phone]);
    // jobTitle and department
    $organization = new \Google\Service\Directory\UserOrganization();
    $organization->setPrimary(true);
    $organization->setTitle('Lead Developer');
    $organization->setDepartment('Dev');
    $googleUser->setOrganizations([$organization]);

    $gsdService->users->update('fname.lname@domain.com', $googleUser);
MakoBuk

1 Answer

When using a service account with domain-wide delegation, you need to impersonate a user who has the necessary authorization.

  • The Directory API method users.update can only be executed by domain admins with the respective role / permissions.
  • See how to make a user an admin.
  • If in doubt, you can test with the [Try this API](https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/update?apix=true) page authorized as 'admin@domain.com' to verify whether this user has the necessary permissions.
ziganotschka
  • That is the third point I wrote: API client access with scope "https://www.googleapis.com/auth/admin.directory.user" is enabled in Workspace security. – MakoBuk Jan 25 '22 at 12:20
  • In the admin console? If so, I did not understand you correctly. – ziganotschka Jan 25 '22 at 12:33
  • Is 'admin@domain.com' authorized to perform the updates you are trying to? You can quickly verify it by testing with the [Try this API](https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/update?apix=true) authorized as 'admin@domain.com'. – ziganotschka Jan 25 '22 at 12:35
  • No, the Try this API gives me the same response. That is probably the problem. The account 'admin@domain.com' is only for reading user data. It can't go anywhere else in Google Admin. If I understand correctly, even if I allow scopes on the service account level and the user does not have permission, I cannot access the endpoint... – MakoBuk Jan 25 '22 at 12:47
  • You understood correctly. The idea of a service account with impersonation is to perform actions on behalf of a user who has the necessary permissions - in your case it would be a domain admin who has access to the respective Admin Directory methods. I will update my solution, since in your case the problem is a different one than I initially assumed. – ziganotschka Jan 25 '22 at 12:56
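The point made in the answer and its comments is that the scopes granted to a service account never raise it above the permissions of the user it impersonates: a delegated call to users.update fails with 403 whenever the subject lacks an admin role that covers user updates. The following is an added example, not the poster's or the answerer's code, that checks the impersonated account's admin flags before attempting the update and turns the 403 into a readable diagnostic. It assumes a Composer autoload at vendor/autoload.php, the key file project-users.json next to the script, and the placeholder identities admin@domain.com and fname.lname@domain.com from the question.

```php
<?php
// Added example (not from the question or answer): least-privilege check before a
// delegated Directory API write. Assumptions: Composer autoload path, key file name,
// and the placeholder identities below.
require_once __DIR__ . '/vendor/autoload.php';

const KEY_FILE    = __DIR__ . '/project-users.json';   // service-account key (assumed path)
const ADMIN_USER  = 'admin@domain.com';                 // account to impersonate (placeholder)
const TARGET_USER = 'fname.lname@domain.com';           // profile to update (placeholder)

function directoryService(string $subject): \Google\Service\Directory
{
    $client = new \Google\Client();
    $client->setApplicationName('project-users');
    $client->setAuthConfig(KEY_FILE);
    // The same scope must be authorized for this client ID under
    // Admin console > Security > API controls > Domain-wide delegation.
    $client->setScopes([\Google\Service\Directory::ADMIN_DIRECTORY_USER]);
    $client->setSubject($subject);
    return new \Google\Service\Directory($client);
}

// True when the impersonated account is a super admin or holds a delegated admin
// role; users.get on the account's own record exposes both flags.
function subjectHasAdminRole(\Google\Service\Directory $svc, string $subject): bool
{
    $me = $svc->users->get($subject);
    return (bool) $me->getIsAdmin() || (bool) $me->getIsDelegatedAdmin();
}

function buildProfile(): \Google\Service\Directory\User
{
    $user = new \Google\Service\Directory\User();

    $gender = new \Google\Service\Directory\UserGender();
    $gender->setType('male');
    $user->setGender($gender);

    $phone = new \Google\Service\Directory\UserPhone();
    $phone->setType('mobile');
    $phone->setValue('123456789');
    $user->setPhones([$phone]);

    $org = new \Google\Service\Directory\UserOrganization();
    $org->setPrimary(true);
    $org->setTitle('Lead Developer');
    $org->setDepartment('Dev');
    $user->setOrganizations([$org]);

    return $user;
}

// Returns a one-line diagnostic instead of letting the 403 surface unexplained.
function syncProfile(string $subject, string $target): string
{
    $svc = directoryService($subject);

    try {
        if (!subjectHasAdminRole($svc, $subject)) {
            return "$subject has no admin role; assign a role whose privileges include "
                 . "updating users before retrying (extra scopes on the service account do not help).";
        }
        $svc->users->update($target, buildProfile());
        return "updated $target as $subject";
    } catch (\Google\Service\Exception $e) {
        if ($e->getCode() === 403) {
            // Either the subject's role does not cover this method, or the scope is
            // not authorized for this client ID in domain-wide delegation.
            return "403 from Directory API as $subject: " . $e->getMessage();
        }
        throw $e; // anything else (network, 404 for an unknown target) is a different problem
    }
}

echo syncProfile(ADMIN_USER, TARGET_USER), PHP_EOL;
```

A failure that occurs before any API call (during the token exchange for the impersonated subject) points at the delegation configuration for the client ID, while a 403 returned by the API itself, as in the question, points at the impersonated user's role. Keeping the impersonated account to the narrowest admin role that includes user updates, rather than a super admin, limits what a leaked service-account key could do.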