2

Having implemented oauth2.0 and done a handshake using the scopes:

"https://www.googleapis.com/auth/userinfo.email ",
"https://www.googleapis.com/auth/userinfo.profile",
"https://www.googleapis.com/auth/admin.directory.user ",
"https://www.googleapis.com/auth/admin.directory.group ",
"https://www.googleapis.com/auth/admin.directory.orgunit ",

I get back a token

the request

$ curl -X GET  https://www.googleapis.com/oauth2/v1/userinfo?access_token=<Token>
{
 "id": "{id}",
 "email": "{email}",
 "verified_email": true,
 "name": "{name}",
 ...
}

as it should.

however a requst to the admin.directory.user namespace does not succeed:

$ curl -X GET https://www.googleapis.com/admin/directory/v1/users?access_token=<Token>
{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "badRequest",
    "message": "Bad Request"
   }
  ],
  "code": 400,
  "message": "Bad Request"
 }
}

Any good ideas to why this is?

The request to admin.directory.users is constructed from https://developers.google.com/admin-sdk/directory/v1/reference/#Users

Benyamin Jafari
  • 27,880
  • 26
  • 135
  • 150
Martin Kristiansen
  • 9,875
  • 10
  • 51
  • 83

3 Answers3

2

You need to specify either the domain (to get fields from only one domain) or the customer (to return all domains for a customer account).

I filed a bug to make more clear that is required to provide one of the two parameters.

Silvano
  • 1,005
  • 6
  • 6
  • Thanks Silvano, I guess from your location that your my inside man, just a heads up every internal link on https://developers.google.com/google-apps/marketplace/sso#gs are dead. - making it rather hard to "get started" – Martin Kristiansen Sep 11 '13 at 15:11
2

I had the same problem retrieving all users through https://www.googleapis.com/auth/admin.directory.user endpoint. According to the documentation, you could do that in a specific domain by passing the domain as a parameter or get all existing users by passing the customer=my_customer parameter as follows:

  • Retrieve all users in a domain doc: https://www.googleapis.com/auth/admin.directory.user?domain=example.com

or

  • Retrieve all account users doc: https://www.googleapis.com/auth/admin.directory.user?customer=my_customer

In google playground oauth2 also you can test the above stuff by selecting Admin SDK API directory_v1 and auth/admin.directory.user.readonly to authorize the respective scope, then call the above requests.

Note that, you may need to get access to google playground within your google admin dashboard under the security apps section.

Benyamin Jafari
  • 27,880
  • 26
  • 135
  • 150
1

At the very least, you need to include the Content-Type header:

curl -X GET -H "Content-Type: application/json" https://www.googleapis.com/admin/directory/v1/users?customer=my_customer&access_token=<Token>

For a full script that implements this API with CURL and BASH see this answer.

Note that the documentation is currently incorrect because it lists customer as an optional parameter when it is in fact required.

Community
  • 1
  • 1
Jay Lee
  • 13,415
  • 3
  • 28
  • 59
  • the content type didn't really change a thing :) – Martin Kristiansen Sep 09 '13 at 20:26
  • 1
    try the rest of the parameters from my script then. – Jay Lee Sep 09 '13 at 20:33
  • 1
    updated answer to note that customer attribute is required, not optional. The docs are currently wrong about this. – Jay Lee Sep 10 '13 at 14:00
  • I would have to say that the docs from google are ... lacking to say the least, most of the information refers to dead links and other things of that nature. – Martin Kristiansen Sep 10 '13 at 17:39
  • I tried your script, and when visiting the link I got "The redirect URI in the request: urn:ietf:wg:oauth:2.0:oob did not match a registered redirect URI" and the app console did not accept adding urn:ietf:wg:oauth:2.0:oob – Martin Kristiansen Sep 10 '13 at 18:18
  • It sounds like you switched to using your own API key and it's not a key from an installed application. Try using the key/secret already in the source, it's for an installed application. – Jay Lee Sep 10 '13 at 20:21
  • The settings already in the file break completely with "Invalid Credentials" – Martin Kristiansen Sep 10 '13 at 20:45
  • did you delete the cached ~/ – Jay Lee Sep 10 '13 at 20:54