
I need some help as I'm really stuck!!!! I have spent days and hours on this one but I can't figure it out. I have searched all possible forums and other similar posts without any success.

So, the requirement :

We are trying to integrate Classroom API on our .Net platforms. The tricky part is that they want to use service accounts.

The problem :

Google.Apis.Requests.RequestError The caller does not have permission [403] The caller does not have permission] Location[ - ] Reason[forbidden] Domain[global]

I have followed the documentation as shown in :

https://developers.google.com/identity/protocols/OAuth2ServiceAccount.

I understand that we need to set up a service account in the Google API Console, so I've done the following:

1) I have created a service account and enabled G Suite Domain-wide Delegation in the Google API Console

2) In the Admin Console, in Manage API Client Access, I have entered the service account's client id and have enabled scopes.

3) I have downloaded the json file with all the service account credentials (private key, email)

and the code...

    ServiceAccountCredential credential = new ServiceAccountCredential(
        new ServiceAccountCredential.Initializer(cr.client_email)
        {
            Scopes = new[] { ClassroomService.Scope.ClassroomCourses },
        }.FromPrivateKey(cr.private_key));

    // Create the service.
    service = new ClassroomService(new BaseClientService.Initializer()
    {
        HttpClientInitializer = credential,
        ApplicationName = "Demo-School",
    });

and the actual call to the Classroom API to create a course :

    var resource = service.Courses.Create(course);
    var result = await resource.ExecuteAsync();

So, despite all that, whenever I try to create a course, I get the above error.

When I try to create a Course using the Reference page (https://developers.google.com/classroom/reference/rest/v1/courses/create) it works fine. I can create courses, teachers, set permissions etc..

But when I try to do that programmatically.. i.e. from a console app, there is NO way I can get it working.

Can ANYONE please advise??????? What am I missing??

Veronica_Zotali
  • Did you get somewhere on this issue? I'm fighting this exact same scenario. Thanks – Johann Pérez Aug 29 '19 at 18:47
  • There is something I found regarding this issue, are you using a .Net library like the one above? If that's the case, there might be a possibility that the token we get is not "valid", so even though we clear authentication, we do get a 403. Check this one https://support.google.com/business/thread/1856166?msgid=1856166# – Veronica_Zotali Aug 31 '19 at 07:11
  • We obviously use a .Net library for that as shown in https://developers.google.com/api-client-library/dotnet/guide/aaa_oauth but maybe it's better to call the Google OAuth server directly via an HttpClient instance and handle the token ourselves. I haven't tried it yet but this is the next thing I will be trying soon. I had to park it for some time but I will need to revisit this as it's blocking my work. Maybe we can help one another! – Veronica_Zotali Aug 31 '19 at 07:17
  • It is a good hint, as I'm also using .Net library. I'll give it a go and let you know! It's blocking mine as well so, yes let's get it done :D – Johann Pérez Sep 02 '19 at 13:49
  • Veronica, we were able to make it work but only by impersonating someone from the domain: https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegate-domain-wide-authority_1 We couldn't do something that accesses across all Google classrooms in our domain, but we couldn't do that for an actual user using the Google Classroom's web and found several forums saying that it is not possible. – Johann Pérez Sep 20 '19 at 00:04
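
The impersonation approach reported in the last comment, as an added example (not code from the question or from Google's documentation): the `User` property on the credential initializer names the domain user the service account acts as under domain-wide delegation. The key file path, `teacher@example.com`, the `KeyData` record, the `BuildCredential` helper and the course name are assumptions; the impersonated user needs to be allowed to create courses.

```csharp
using System;
using System.IO;
using System.Text.Json;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Classroom.v1;
using Google.Apis.Classroom.v1.Data;
using Google.Apis.Services;

public static class Program
{
    // Assumed values: use your own key file and a real user in the G Suite domain.
    private const string KeyFile = "service-account.json";
    private const string ImpersonatedUser = "teacher@example.com";

    // Hypothetical minimal view of the downloaded JSON key (the two fields the question uses).
    public sealed record KeyData(string client_email, string private_key);

    public static ServiceAccountCredential BuildCredential(KeyData key, string user)
    {
        if (string.IsNullOrWhiteSpace(user))
            throw new ArgumentException("Domain-wide delegation needs a user to impersonate.", nameof(user));
        return new ServiceAccountCredential(
            new ServiceAccountCredential.Initializer(key.client_email)
            {
                // Same scope as in the question; it must also be authorized for the
                // service account's client id in the Admin Console.
                Scopes = new[] { ClassroomService.Scope.ClassroomCourses },
                // The domain user the service account acts as when calling the API.
                User = user,
            }.FromPrivateKey(key.private_key));
    }

    public static async Task Main()
    {
        var key = JsonSerializer.Deserialize<KeyData>(await File.ReadAllTextAsync(KeyFile))
                  ?? throw new InvalidDataException("Key file is empty.");

        var service = new ClassroomService(new BaseClientService.Initializer
        {
            HttpClientInitializer = BuildCredential(key, ImpersonatedUser),
            ApplicationName = "Demo-School",
        });

        var course = new Course { Name = "Demo course", OwnerId = "me" };
        var created = await service.Courses.Create(course).ExecuteAsync();
        Console.WriteLine($"Created course {created.Id} as {ImpersonatedUser}");
    }
}
```

Keep the JSON key out of source control and authorize only the scopes the application needs, since a delegated key can act as any user in the domain for those scopes.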
