Google 目录 API 使用服务器到服务器 OAuth 2.0 返回 "Not Authorized to access this resource"
Google Directory API using Server to Server OAuth 2.0 returning "Not Authorized to access this resource"
我想在 Google 目录 API 中使用服务器到服务器 OAuth 2.0 来访问整个域的用户和组信息。对于使用 SignedJwtAssertionCredentials 的身份验证,我从 this year-old post 的代码开始。当我 运行 我的代码出现以下错误时: googleapiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/users?customer=C...3&orderBy=email&alt=json&maxResults=10 returned "Not Authorized to access this resource/api">
Python 我使用的代码:
import httplib2
from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials
# Get the private key from the Google supplied private key file.
f = file("private-key.pem", "rb")
key = f.read()
f.close()
# Create the JWT
credentials = SignedJwtAssertionCredentials(
"23...fk@developer.gserviceaccount.com", key,
scope="https://www.googleapis.com/auth/admin.directory.user"
)
# Create an authorized http instance
http = httplib2.Http()
http = credentials.authorize(http)
# Create a service call to the directory API
service = build('admin', 'directory_v1', http=http)
# Show the first 10 users
print 'Getting the first 10 users in the domain'
results = service.users().list(customer='C...3', maxResults=10, orderBy='email',
viewType='admin_view').execute()
users = results.get('users', [])
if not users:
print 'No users in the domain.'
else:
print 'Users:'
for user in users:
print '{0} ({1})'.format(user['primaryEmail'], user['name']['fullName'])
我在开发人员控制台中创建了密钥、客户端 ID 和客户端电子邮件地址,并将客户端 ID 和以下范围添加到管理控制台中 "Manage API client access" 下的域。我启用了 API 访问权限。
启用范围:
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.member,
https://www.googleapis.com/auth/admin.directory.group.member.readonly
我成功地使用代码的下半部分通过身份验证读取用户作为安装的应用程序而不是服务器到服务器并且工作正常(相同的客户 ID 等)。这应该有效吗?我有什么想念的吗?我唯一能想到的是我用于测试的域是 Google Apps Free Edition。
这看起来与 another unresolved question
的错误相同
谢谢,
-罗汉
您需要在您的域中模拟超级管理员用户。尝试:
credentials = SignedJwtAssertionCredentials(
"23...fk@developer.gserviceaccount.com",
key,
scope="https://www.googleapis.com/auth/admin.directory.user",
sub="admin@domain.com")
我想在 Google 目录 API 中使用服务器到服务器 OAuth 2.0 来访问整个域的用户和组信息。对于使用 SignedJwtAssertionCredentials 的身份验证,我从 this year-old post 的代码开始。当我 运行 我的代码出现以下错误时: googleapiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/users?customer=C...3&orderBy=email&alt=json&maxResults=10 returned "Not Authorized to access this resource/api">
Python 我使用的代码:
import httplib2
from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials
# Get the private key from the Google supplied private key file.
f = file("private-key.pem", "rb")
key = f.read()
f.close()
# Create the JWT
credentials = SignedJwtAssertionCredentials(
"23...fk@developer.gserviceaccount.com", key,
scope="https://www.googleapis.com/auth/admin.directory.user"
)
# Create an authorized http instance
http = httplib2.Http()
http = credentials.authorize(http)
# Create a service call to the directory API
service = build('admin', 'directory_v1', http=http)
# Show the first 10 users
print 'Getting the first 10 users in the domain'
results = service.users().list(customer='C...3', maxResults=10, orderBy='email',
viewType='admin_view').execute()
users = results.get('users', [])
if not users:
print 'No users in the domain.'
else:
print 'Users:'
for user in users:
print '{0} ({1})'.format(user['primaryEmail'], user['name']['fullName'])
我在开发人员控制台中创建了密钥、客户端 ID 和客户端电子邮件地址,并将客户端 ID 和以下范围添加到管理控制台中 "Manage API client access" 下的域。我启用了 API 访问权限。
启用范围:
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.member,
https://www.googleapis.com/auth/admin.directory.group.member.readonly
我成功地使用代码的下半部分通过身份验证读取用户作为安装的应用程序而不是服务器到服务器并且工作正常(相同的客户 ID 等)。这应该有效吗?我有什么想念的吗?我唯一能想到的是我用于测试的域是 Google Apps Free Edition。
这看起来与 another unresolved question
的错误相同谢谢,
-罗汉
您需要在您的域中模拟超级管理员用户。尝试:
credentials = SignedJwtAssertionCredentials(
"23...fk@developer.gserviceaccount.com",
key,
scope="https://www.googleapis.com/auth/admin.directory.user",
sub="admin@domain.com")