Google API users.get error 401 Unauthorized

Question

So, im tryng to use users.get from google api and it work fine if i call it directly Oauth 2.0 Client Application but with it after get the token and make the request its necessary to allow on brownse to use it propertly and i can't let this way.

So, i changed to use service accounts. I get the authentication token, i make the request but everytime i get erorr 401 Unauthorized :

System.AggregateException
  HResult=0x80131500
  Message=Um ou mais erros.
  Source=mscorlib
  StackTrace:
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at googleteste.Program.Main(String[] args) in \source\repos\googleteste\googleteste\Program.cs:line 36

Inner Exception 1:
HttpRequestException: O código de status de resposta não indica êxito: 401 (Unauthorized).

I already did domain delegation on scopes .

I create the keys, JSON and P12.

Thanks.

public static async Task<string> GetAccessTokenFromJSONKeyAsync(string jsonKeyFilePath, params string[] scopes)
    {
      using (var stream = new FileStream(jsonKeyFilePath, FileMode.Open, FileAccess.Read))
      {
        return await GoogleCredential
            .FromStream(stream) // Loads key file
            .CreateScoped(scopes) // Gathers scopes requested
            .UnderlyingCredential // Gets the credentials
            .GetAccessTokenForRequestAsync(); // Gets the Access Token
      }
    }

public static string GetAccessTokenFromJSONKey(string jsonKeyFilePath, params string[] scopes)
    {
      return GetAccessTokenFromJSONKeyAsync(jsonKeyFilePath, scopes).Result;
    }

var token = GoogleServiceAccount.GetAccessTokenFromJSONKeyAsync(
            "Keys/wneniac-2744e4a55337.json",
            new[] { "https://www.googleapis.com/auth/admin.directory.user", "https://www.googleapis.com/auth/admin.directory.user.security", "https://www.googleapis.com/auth/contacts", "https://www.googleapis.com/auth/gmail.modify" });

      Console.WriteLine(new HttpClient().GetStringAsync($"https://admin-admin.googleapis.com/admin/directory/v1/users/usertosearch?access_token={token}&domain= ").Result);

Where did you get this code are you following a sample from someplace? Unauthorized means you dont have access something's wrong with your delegation. — Linda Lawton - DaImTo, Nov 14 '22 at 14:19
I got it from https://www.ashishvishwakarma.com/get-access-token-for-google-api-service-account-c-sharp/ . Here it call userinfo.profile but i got the same error as i call users.get. I followed every step from this tutorial. — Rodrigo da Silva Nascimento, Nov 14 '22 at 17:43
I think your issue is that its from Oct 10, 2017. You need to delegate to a user if you want to get profile information back. — Linda Lawton - DaImTo, Nov 14 '22 at 18:03
I just removed to post here but in the real one its there. https://admin-admin.googleapis.com/admin/directory/v1/users/USERHERE?access_token={token}&domain=DOMAINHERE . It's that you was talking about, right ? — Rodrigo da Silva Nascimento, Nov 14 '22 at 20:14
Try my edit see if it helps. Im a little busy right now so i dont have time to create you a full sample. — Linda Lawton - DaImTo, Nov 15 '22 at 08:22
then you haven't configure deligation to the user on your domain yet — Linda Lawton - DaImTo, Nov 17 '22 at 13:13
I tried to call it from postman getting the token and using it with url. I got the error : { "error": { "code": 401, "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", "status": "UNAUTHENTICATED" } } Still this is a delegation problem ? Or someting im doing wrong ? — Rodrigo da Silva Nascimento, Dec 14 '22 at 12:48

score 1 · Accepted Answer · answered Nov 15 '22 at 08:22

In order for your service account to act on behalf of a user on your domain. Your code must demote what the user it is supposed to be impersonating.

That is what we use the CreateWithUser method for. This user has been configured in my workspace domain to be allowed to access in my case google drive.

var credential = GoogleCredential.FromFile(PathToServiceAccountKeyFile)
    .CreateWithUser("no-repply@daimto.com")  // delegate to user on workspace.
    .CreateScoped(new[] {DriveService.ScopeConstants.Drive});

Without denoting what user the service account is supposed to be impersonating, the service account cant do anything.

After all tests i actually found the problem and it was the user i was using. The user has acess to delegation but it wasn't admin and because of this i was getting the error. I changed it and its working now. Thanks ! — Rodrigo da Silva Nascimento, Dec 19 '22 at 14:58

Google API users.get error 401 Unauthorized

1 Answers1