
I'm having difficulties using Google's new Admin SDK, in particular the Directory API using OAuth2. I think I'm almost there but I've got stuck trying to retrieve a user's details using the Directory API (I'm using a Google Education Edition domain).

Basically what I'm trying to do is write a Python script that provisions or de-provisions users based on their enrollment status, which is managed by our AD. I've got a script that does this using OAuth1 but want to update it to use OAuth2.

Here is a code snippet based on some examples I found.

    import pprint

    import httplib2
    from apiclient.discovery import build
    from oauth2client.client import SignedJwtAssertionCredentials

    # Load the service account's private key (the PKCS#12 file downloaded from the APIs console)
    f = open('test_key.p12', 'rb')
    key = f.read()
    f.close()
    # Assert as the service account itself (no delegated user is named)
    credentials = SignedJwtAssertionCredentials(
        '606346240424-10stfco1ukj9h4m4b4r40@developer.gserviceaccount.com',
        key,
        scope='https://www.googleapis.com/auth/admin.directory.user')
    http = httplib2.Http()
    http = credentials.authorize(http)
    service = build(serviceName='admin', version='directory_v1', http=http)

    lists = service.users().get(userKey='joe.blogs@mydomain.com').execute(http=http)
    pprint.pprint(lists)

This piece of code appears to connect correctly but when I try to execute the query I get a 403 error.

    ERROR: https://www.googleapis.com/admin/directory/v1/users/joe.blogs@mydomain.com?alt=json returned "Not Authorized to access this resource/api">

My first thought was that it's because I haven't turned on this API in the administrator's console (Google APIs console), but I have. (Actually I turned on the Admin SDK and not the Directory API, because there is no Directory API to turn on and, seeing that it's part of the Admin SDK, it should work?)

Is there another step I'm missing or have I made a silly mistake somewhere?

Bruce
  • Did you figure this out? I wonder whether the Directory API (a.k.a. Admin SDK API), specifically, can be used with a service account and OAuth 2.0. (I know other APIs can.) I get the sense that it can with OAuth 1.0, but I haven't tried that yet. – Eric Walker Nov 13 '13 at 04:17
  • @EricWalker - Yes see comments below. – Bruce Dec 04 '13 at 01:59

2 Answers


Bruce,

you're pretty close.

Couple of items:

So full code will look a bit like this:

    import httplib2
    from apiclient.discovery import build
    from oauth2client.client import SignedJwtAssertionCredentials

    # domain configuration settings (KEY_FILE, SERVICE_ACCOUNT_EMAIL, SCOPE, SUB_ACCOUNT_EMAIL)
    import domainconfig

    f = open(domainconfig.KEY_FILE, "rb")  # "b" reads the file in binary mode; not strictly necessary, but safer to avoid strange Windows EOL characters: https://stackoverflow.com/questions/9644110/difference-between-parsing-a-text-file-in-r-and-rb-mode
    key = f.read()
    f.close()

    credentials = SignedJwtAssertionCredentials(
        domainconfig.SERVICE_ACCOUNT_EMAIL,
        key,
        scope=domainconfig.SCOPE,
        sub=domainconfig.SUB_ACCOUNT_EMAIL  # the domain admin to impersonate; 'sub' supersedes the deprecated 'prn'
    )

    http = httplib2.Http()
    http = credentials.authorize(http)

    directoryservice = build("admin", "directory_v1", http=http)

    users = directoryservice.users()
    response = users.get(userKey='joe.blogs@mydomain.com').execute()
  • If one is using Ruby and Google's `Signet`, some modifications to the library are currently needed to impersonate an admin or a user with a delegated role; see: https://github.com/google/signet/pull/33 – Eric Walker Dec 04 '13 at 16:15

This should be of help: https://developers.google.com/drive/delegation

When asserting the credentials you need to connect it to the user that is going to be changed. From the link above, note this section:

    credentials = SignedJwtAssertionCredentials(SERVICE_ACCOUNT_EMAIL, key,
                                                scope='https://www.googleapis.com/auth/drive', sub=user_email)
Marty
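Both answers come down to the same point: without a `sub` claim the JWT assertion represents the service account itself, which is not an admin of the domain, so the Directory API answers with the 403 "Not Authorized to access this resource/api" seen in the question. The following is an added example, not code from the question, the answers or the oauth2client library. It assembles the claim set a service-account JWT-bearer assertion carries, then decodes an assertion (as a practitioner might pull one out of a debug log) and lists the delegation problems that produce this 403. Signing is left out because the standard library has no RSA, so the sample tokens carry a constructed placeholder third segment and the inspector does not verify signatures; the service account address, admin address and token endpoint URL are assumed values.

```python
import base64
import json
import time

# Assumed values (not from the question): Google's OAuth 2.0 token endpoint and the
# Directory API user scope the question requests.
TOKEN_AUDIENCE = "https://oauth2.googleapis.com/token"
DIRECTORY_USER_SCOPE = "https://www.googleapis.com/auth/admin.directory.user"

# Constructed sample identities.
SERVICE_ACCOUNT_EMAIL = "provisioner@example-project.iam.gserviceaccount.com"
ADMIN_EMAIL = "admin@mydomain.com"  # the domain admin the service account impersonates

FAKE_SIGNATURE = b"constructed-placeholder-not-a-real-signature"


def _b64url(data):
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_claims(issuer, scope, sub=None, now=None, lifetime=3600):
    """Claim set of a service-account JWT-bearer assertion.

    'sub' is the user impersonated under domain-wide delegation; without it the
    resulting access token acts as the service account itself.
    """
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "scope": scope, "aud": TOKEN_AUDIENCE,
              "iat": now, "exp": now + lifetime}
    if sub:
        claims["sub"] = sub
    return claims


def assemble_assertion(claims, signature):
    """Compact form header.claims.signature. A real signature is RS256 over the
    first two segments with the service account's private key; here it is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT"}
    segments = [_b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
                for part in (header, claims)]
    return ".".join(segments + [_b64url(signature)])


def inspect_assertion(assertion, expected_scope):
    """Decode an assertion (no signature check) and list why delegation would fail."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header = json.loads(_b64url_decode(parts[0]).decode("utf-8"))
    claims = json.loads(_b64url_decode(parts[1]).decode("utf-8"))
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg is %r; service-account assertions are RS256" % header.get("alg"))
    if "sub" not in claims:
        problems.append("no 'sub': token acts as the service account itself, which has "
                        "no Directory API rights (403 Not Authorized)")
    if expected_scope not in claims.get("scope", "").split():
        problems.append("scope %r does not cover the API being called" % claims.get("scope"))
    if claims.get("aud") != TOKEN_AUDIENCE:
        problems.append("aud %r is not the token endpoint" % claims.get("aud"))
    if claims.get("exp", 0) - claims.get("iat", 0) > 3600:
        problems.append("lifetime over one hour; the token endpoint rejects it")
    return claims, problems


def question_assertion(now=0):
    """Assertion shaped like the question's code: no 'sub'."""
    claims = build_claims(SERVICE_ACCOUNT_EMAIL, DIRECTORY_USER_SCOPE, now=now)
    return assemble_assertion(claims, FAKE_SIGNATURE)


def answer_assertion(now=0):
    """Assertion shaped like the accepted answer's code: 'sub' set to the domain admin."""
    claims = build_claims(SERVICE_ACCOUNT_EMAIL, DIRECTORY_USER_SCOPE, sub=ADMIN_EMAIL, now=now)
    return assemble_assertion(claims, FAKE_SIGNATURE)


if __name__ == "__main__":
    for label, token in (("question", question_assertion()), ("answer", answer_assertion())):
        claims, problems = inspect_assertion(token, DIRECTORY_USER_SCOPE)
        print(label, "sub=%s" % claims.get("sub"), problems or "ok")
```

Running the block reports one problem for the question-shaped assertion (the missing `sub`) and none for the answer-shaped one. The inspector only decodes; it is a troubleshooting aid for your own assertions, and the checks it applies (`sub` present, scope covering the API, `aud` equal to the token endpoint, lifetime of at most an hour) are the conditions the token endpoint and the delegated API enforce.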