2

We have a google corporate account and are already using the Groups Provisioning API to manage groups in our domain. We now need to tweak group settings via the "group settings api". Our java code acts as special admin user in our domain for all Group Provisioning API as it manages groups.

a) I am reading https://developers.google.com/google-apps/groups-settings/auth

b) "If your application has certain unusual authorization requirements, .... or domain-wide delegation of authority (2LO), then you cannot currently use OAuth 2.0 tokens. In such cases, you must instead use OAuth 1.0 tokens and an API key."

c) I read: https://developers.google.com/console/help/#generatingdevkeys and generated a new server key for this app

d) Now what? How do I use this with the v1-rev25-1.14.2-beta version of the google-api-services-groupssettings API and the "google-api-client" version 1.14.1-beta? The only options I see in any examples (which are only for oauth 2.0 mind you) are using this GoogleCredential object which is only centered around oauth 2.0, which according to (a) above, we can't use.

e) Given no examples or helpful info on using the API keys with this library, I decided to just try to wing it using an example for creating the Groupsettings object via oauth 2.0 and one of our special service accounts clientEmail and privatekey. In some respects I'm not sure why this would not work given that groups are not "user data" but seems like they should be able to be managed by this admin api account I am connecting with.

HttpTransport httpTransport = new NetHttpTransport();
JacksonFactory jsonFactory = new JacksonFactory();

GoogleCredential credential = new GoogleCredential.Builder()
  .setTransport(httpTransport)
  .setJsonFactory(jsonFactory)
  .setServiceAccountId("ourspecial_client_email@from.api.console")
  .setServiceAccountScopes(GroupssettingsScopes.APPS_GROUPS_SETTINGS)
  .setServiceAccountUser("my.special.admin.user@ourdomain.com")
  .setServiceAccountPrivateKeyFromP12File(
      new java.io.File("/path/to/privatekey"))
  .build();

Groupssettings service = new Groupssettings.Builder(httpTransport, jsonFactory, null)
  .setApplicationName("my API Integration")
  .setHttpRequestInitializer(credential).build();

Groups groups= service.groups().get("someexistingtestgroup@mydomain.com").execute();

Groups group = new Groups();
group.setWhoCanJoin("ALL_IN_DOMAIN_CAN_JOIN");
service.groups().patch("someexistingtestgroup@mydomain.com", group).execute();

When the code above executes, (the patch() call) I get back this error: (I also tried "update()" same result. What does this message mean?? Is this related to auth? or is this some invalid call in the update/patch?

{
"code" : 400,
"errors" : [ {
"domain" : "global",
"message" : "Permission denied: Cannot hide from Groups directory.",
"reason" : "invalid"
} ],

ALSO side note: Your "help" page states "Google engineers monitor and answer against the tag google-groups-settings." when posting here for help, but stackoverflow requires us to have XXXXX points in order to use it! Great, so nobody will see this.

Jay Lee
  • 13,415
  • 3
  • 28
  • 59
nebulize
  • 93
  • 1
  • 1
  • 4

1 Answers1

3

  • I would not recommend using Two Legged OAuth 1.0 authentication as it's been deprecated by Google.

  • You can use OAuth 2.0 Service Accounts with the Groups Settings API. Just follow the instructions in the Drive SDK domain-wide guide substituting groups settings where necessary. However, there's very little reason to do this as your app will still need to know the address of a Google Apps Super Administrator for the Service Account to impersonate in order to have access to Groups Settings API.

  • The best method for accessing the Groups Settings API is probably standard OAuth 2.0 authentication. You can authorize as the user account which has Super Admin access but with a scope of only the Group Settings API. If you request offline access for your OAuth authentication, you'll be able to perform Group Settings API calls as long as your token isn't revoked and the user accounts exists as a super admin.

  • The specific error you are getting means that in the Control Panel Settings for the Google Apps domain, under Settings -> Groups for Business -> Sharing Options -> Group Visibility, "Group owners can hide groups from the groups directory" is not checked. This prevents any groups from being hidden.

Jay Lee
  • 13,415
  • 3
  • 28
  • 59
  • Thanks for the response! Regarding the error I am getting, why would doing a patch or update for the group's "who can join" property be interpreted as trying to "hide" the group and trigger that error? – nebulize May 08 '13 at 19:38
  • interesting, just noticed now that that was not what your patch() call was changing. Is the group currently hidden? Can you try having it set the group to be unhidden with the same patch() call and see if that succeeds? It may be that if it's set to hidden and the global domain setting doesn't allow hiding, you have to unhide the group in order for the patch() call to succeed. – Jay Lee May 08 '13 at 20:16