
I have a G Suite service account with domain-wide delegation enabled, and I want to impersonate a user on the domain. However, every attempt of mine to do so has been met with an error saying that I am unauthorised. Has anyone experienced this and might know what is going on?

I have followed these instructions, and these too. I created a new service account, (as mentioned) enabled DwD, and added the necessary scopes in the Admin console: https://mail.google.com https://www.googleapis.com/auth/gmail.settings.sharing https://www.googleapis.com/auth/gmail.settings.basic https://www.googleapis.com/auth/admin.reports.audit.readonly

(Also, the domain is verified.)

From there, I have attempted to authorise this account in the NodeJS client using the following code:

```javascript
const {google} = require('googleapis');
const fs = require('fs');
// Service account key file downloaded from the Cloud console
const auth = JSON.parse(fs.readFileSync('xxx.json'));

// JWT client: client_email, no key file path, private key, scopes, and the
// user to impersonate (the "subject")
const jwt = new google.auth.JWT(
    auth.client_email,
    null,
    auth.private_key,
    [
        'https://mail.google.com/',
        'https://www.googleapis.com/auth/gmail.settings.sharing',
        'https://www.googleapis.com/auth/gmail.settings.basic',
        'https://www.googleapis.com/auth/admin.reports.audit.readonly'
    ],
    'user@domain.com'
);

// Exchange the signed JWT for an access token
jwt.authorize((err, res) => {
    if (err) console.log(err);
    else console.log(res);
});
```

If I remove user@domain.com and try to authorise without impersonating an email, it works; I receive an access token. However, for my purposes I need to be able to impersonate, and when I try to do so I get a 401 with the following message:

GaxiosError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

As far as I can tell, the service account should be authorised to impersonate users on the domain. Does anyone know why this might be happening?

btdrawer
  • 1) Show a complete example, the APIs you are calling make a difference. 2) I recommend using an OAuth Access Token instead of a signed JWT. 3) Do you really need the scope `https://mail.google.com/`? 4) Start with something simpler like send email and the `gmail.send` scope. 5) Is the G Suite account a Super Admin and you have logged into G Suite, accepted TOS, etc? 6) Edit your question and improve with these questions. – John Hanley Sep 03 '19 at 16:43
  • Tip: In following the steps in your first link if you get any item wrong the impersonation will not work. I would delete the service account and start over. I would also use one of the code examples that work to verify that you have the SA setup correctly. – John Hanley Sep 03 '19 at 16:44
  • Hi @JohnHanley, thank you for your replies. It turns out that my problem was a rather stupid one: When I entered my scopes in the Google admin console, I had separated them with spaces, whereas they **should** be separated with commas, e.g., 'https://mail.google.com, https://...' – btdrawer Sep 04 '19 at 12:09

1 Answer


In the end, it was me being stupid. In the admin console, I had been separating my scopes with spaces, whereas in fact they should be separated with commas: 'https://mail.google.com, https://...'
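A small check for the mistake described in this answer, added here as an example and not part of the question or the googleapis library: it parses the scope entry you would paste into the Admin console's domain-wide delegation setting as the comma-separated list the console expects, flags an entry that was actually space-separated, and confirms every scope the JWT client requests is granted. The sample entries below are constructed from the scopes in the question.

```javascript
// Scopes the service account requests in the JWT (copied from the question).
const REQUESTED_SCOPES = [
  'https://mail.google.com/',
  'https://www.googleapis.com/auth/gmail.settings.sharing',
  'https://www.googleapis.com/auth/gmail.settings.basic',
  'https://www.googleapis.com/auth/admin.reports.audit.readonly',
];

// Split an Admin console scope entry on commas, as the console expects.
// An entry that still contains whitespace after trimming, or that is not an
// https URL, was not separated properly and is reported as malformed.
function parseAdminConsoleScopes(entry) {
  const scopes = entry.split(',').map((s) => s.trim()).filter(Boolean);
  const malformed = scopes.filter((s) => /\s/.test(s) || !/^https:\/\//.test(s));
  return { scopes, malformed };
}

// Compare the requested scopes with what the console entry grants (exact
// string match). Returns a list of problems; an empty list means every
// requested scope is present and the entry is well formed.
function checkDelegation(entry, requested = REQUESTED_SCOPES) {
  const { scopes, malformed } = parseAdminConsoleScopes(entry);
  const problems = malformed.map((m) => `malformed entry (missing commas?): ${m}`);
  const granted = new Set(scopes);
  for (const scope of requested) {
    if (!granted.has(scope)) problems.push(`requested scope not granted: ${scope}`);
  }
  return problems;
}

// Constructed sample entries: the space-separated form that caused the
// unauthorized_client error, and the comma-separated form that fixed it.
const SPACE_SEPARATED = REQUESTED_SCOPES.join(' ');
const COMMA_SEPARATED = REQUESTED_SCOPES.join(', ');

console.log('space-separated:', checkDelegation(SPACE_SEPARATED));
console.log('comma-separated:', checkDelegation(COMMA_SEPARATED));
```

The space-separated entry is parsed as one malformed scope, so none of the four requested scopes is found; the comma-separated entry reports no problems.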

btdrawer