
I am trying to use ADC to use the Google Admin directory/groups API but am getting an insufficient_scope error. The email address attached to ADC is a super admin in Google Workspace. I am not sure what's going wrong; here is the code:

const {google} = require('googleapis');

async function main () {
    const auth = new google.auth.GoogleAuth({
        scopes: [
            'https://www.googleapis.com/auth/cloud-platform',
            'https://www.googleapis.com/auth/admin.directory.group',
            'https://www.googleapis.com/auth/admin.directory.user'
        ],
    });
    // google.admin() is synchronous, so no await is needed here
    const service = google.admin({version: 'directory_v1', auth});
    // await the request directly; chaining .then(res => console.log(...))
    // would leave `res` undefined for the console.log below
    const res = await service.members.list({
        groupKey: 'my-group@my-domain'
    });
    console.log(res.data.members);
}

main().catch(console.error);

And I get following error:

GaxiosError: Insufficient Permission
    at Gaxios._request (/Users/kumar.gaurav/Documents/work/my-project/node_modules/gaxios/build/src/gaxios.js:130:23)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async UserRefreshClient.requestAsync (/Users/kumar.gaurav/Documents/work/my-project/node_modules/google-auth-library/build/src/auth/oauth2client.js:382:18)
    at async main (/Users/kumar.gaurav/Documents/work/my-project/test-adc.js:28:17) {
  response: {
    config: {
      url: 'https://admin.googleapis.com/admin/directory/v1/groups/my-group%40my-domain/members',
      method: 'GET',
      userAgentDirectives: [Array],
      paramsSerializer: [Function (anonymous)],
      headers: [Object],
      params: {},
      validateStatus: [Function (anonymous)],
      retry: true,
      responseType: 'json',
      retryConfig: [Object]
    },
    data: { error: [Object] },
    headers: {
      'cache-control': 'private',
      connection: 'close',
      'content-encoding': 'gzip',
      'content-type': 'application/json; charset=UTF-8',
      date: 'Thu, 29 Dec 2022 12:35:44 GMT',
      server: 'ESF',
      'transfer-encoding': 'chunked',
      vary: 'Origin, X-Origin, Referer',
      'www-authenticate': 'Bearer realm="https://accounts.google.com/", error="insufficient_scope", scope="https://apps-apis.google.com/a/feeds/groups/ https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/directory.group https://www.googleapis.com/auth/admin.directory.group.member https://www.googleapis.com/auth/admin.directory.group.member.readonly https://www.googleapis.com/auth/apps.directory.group.member.readonly https://www.googleapis.com/auth/directory.group.member.readonly https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/apps.directory.group.readonly https://www.googleapis.com/auth/directory.group.readonly"',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'SAMEORIGIN',
      'x-xss-protection': '0'
    },
    status: 403,
    statusText: 'Forbidden',
    request: {
      responseURL: 'https://admin.googleapis.com/admin/directory/v1/groups/my-group%40my-domain/members'
    }
  },
  config: {
    url: 'https://admin.googleapis.com/admin/directory/v1/groups/my-group%40my-domain/members',
    method: 'GET',
    userAgentDirectives: [ [Object] ],
    paramsSerializer: [Function (anonymous)],
    headers: {
      'x-goog-api-client': 'gdcl/6.0.4 gl-node/18.4.0 auth/8.7.0',
      'Accept-Encoding': 'gzip',
      'User-Agent': 'google-api-nodejs-client/6.0.4 (gzip)',
      Authorization: 'Bearer ya29.someToken',
      Accept: 'application/json'
    },
    params: {},
    validateStatus: [Function (anonymous)],
    retry: true,
    responseType: 'json',
    retryConfig: {
      currentRetryAttempt: 0,
      retry: 3,
      httpMethodsToRetry: [Array],
      noResponseRetries: 2,
      statusCodesToRetry: [Array]
    }
  },
  code: 403,
  errors: [
    {
      message: 'Insufficient Permission',
      domain: 'global',
      reason: 'insufficientPermissions'
    }
  ]
}

Here is my application-default-credential.json file:

cat ~/.config/gcloud/application_default_credentials.json
{
  "client_id": "someClientId.apps.googleusercontent.com",
  "client_secret": "someClientSecret",
  "refresh_token": "someRefreshToken",
  "type": "authorized_user"
}

The interesting thing is that if I use the admin.directory.user API, that works:

    // works
    const res = await service.users.list({
        customer: 'my_customer',
        maxResults: 10,
        orderBy: 'email',
    });

    // users.list returns the list under `users`, not `members`
    console.log(res.data.users);

I am a Workspace admin, so I am assuming my ADC would be sufficient to get a token for the admin.directory.group API. Can I get an idea of what could be going wrong?

Thanks.

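An added example (not code from the question or the answer): a helper that parses the RFC 6750 Bearer challenge Google puts in the 403's `www-authenticate` header and compares its scope list with the scopes the client requested. If some requested scope is in the endpoint's accepted list and the call still failed, the token was minted without the scopes the code asked for, which points at the credential (consent/ADC) rather than at the code. The sample header and error object below are constructed from the output quoted in the question, with the scope list shortened.

```javascript
// Constructed sample, cut down from the www-authenticate header in the question.
const SAMPLE_HEADER =
  'Bearer realm="https://accounts.google.com/", error="insufficient_scope", ' +
  'scope="https://www.googleapis.com/auth/admin.directory.group ' +
  'https://www.googleapis.com/auth/admin.directory.group.member ' +
  'https://www.googleapis.com/auth/admin.directory.group.readonly"';

// Minimal GaxiosError-shaped object: only the fields the helper reads.
const SAMPLE_ERROR = {
  code: 403,
  response: { status: 403, headers: { 'www-authenticate': SAMPLE_HEADER } },
};

// Parse `Bearer realm="...", error="...", scope="a b c"` into an object.
function parseBearerChallenge(header) {
  const m = /^Bearer\s+(.*)$/i.exec(header.trim());
  if (!m) throw new Error('not a Bearer challenge: ' + header);
  // auth-params are comma separated: key="quoted-string" or key=token
  const re = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  const params = {};
  let p;
  while ((p = re.exec(m[1])) !== null) {
    const raw = p[2] !== undefined ? p[2] : p[3];
    params[p[1].toLowerCase()] = raw.replace(/\\(.)/g, '$1'); // unescape \"
  }
  // RFC 6750 section 3: `scope` is a space-separated list of scope values
  const scope = params.scope ? params.scope.split(/\s+/).filter(Boolean) : [];
  return { realm: params.realm, error: params.error, scope };
}

// Returns null unless err is a 403 carrying an insufficient_scope challenge.
// Otherwise splits the requested scopes into those the endpoint would have
// accepted (so the token did not actually carry them) and those it would not
// (the code asked for a scope this endpoint does not take).
function explainScopeError(err, requestedScopes) {
  const resp = err && err.response;
  const header = resp && resp.headers && resp.headers['www-authenticate'];
  if (!resp || resp.status !== 403 || !header) return null;
  const ch = parseBearerChallenge(header);
  if (ch.error !== 'insufficient_scope') return null;
  const accepted = new Set(ch.scope);
  return {
    accepted: ch.scope,
    requestedAndAccepted: requestedScopes.filter((s) => accepted.has(s)),
    requestedButUseless: requestedScopes.filter((s) => !accepted.has(s)),
  };
}

console.log(explainScopeError(SAMPLE_ERROR, [
  'https://www.googleapis.com/auth/cloud-platform',
  'https://www.googleapis.com/auth/admin.directory.group',
]));
```

In the question's case `admin.directory.group` lands in `requestedAndAccepted`, so the request asked for a usable scope and the access token simply did not carry it.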

1 Answer

Members.list requires one of the following scopes

You appear to be using one of these. My guess is that you have already authorized the user once, then changed the scopes but did not authorize the user again using the new scopes.

You need to either remove access directly in the user's Google account or remove it in your code. I can't see that you are storing it locally; could it be a cookie or something? Sorry, not the best at node.js.

  • `you have already authorized the user once then changed the scopes but did not authorize the user again using the new scopes`: I actually also tried removing all gcloud config: `rm -rf ~/.config/gcloud` and then started fresh with: `gcloud auth application-default login` but no luck. – Kumar Gaurav Dec 29 '22 at 22:35
  • Cloud auth has nothing to do with Google APIs authorization. You need to authorize your application. – Linda Lawton - DaImTo Dec 30 '22 at 16:20