I am using Google Directory API .NET Client to fetch a list of roles in a domain (https://developers.google.com/admin-sdk/directory/reference/rest/v1/roles/list).
I use a service account to authenticate on behalf of a user to create the Directory Service. Here is my code:

    // Service account credential that impersonates connectionDetails.UserId
    // through domain-wide delegation.
    var initializer = new BaseClientService.Initializer
    {
        ApplicationName = "GoogleConnector",
        HttpClientInitializer = new ServiceAccountCredential(
            new ServiceAccountCredential.Initializer(connectionDetails.ClientEmail)
            {
                User = connectionDetails.UserId,
                Scopes = scopes
            }.FromPrivateKey(connectionDetails.PrivateKey)
        )
    };
    var service = new DirectoryService(initializer);
    var roles = await service.Roles.List("my_customer").ExecuteAsync();

Now, it works fine without any issues when the user being used for impersonation has a Super Admin role assigned to it. However, providing a Super Admin role to this user is not feasible. When I remove the Super Admin role and assign the following roles:
- User Management
- Groups Reader
- Service Admin
Also, the next request scopes have been added:
- https://www.googleapis.com/auth/admin.directory.rolemanagement
- https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
The API starts failing with the below error:

    Not Authorized to access this resource/api [403] Errors [ Message[Not Authorized to access this resource/api] Location[ - ] Reason[forbidden] Domain[global] ]

EDIT (after the comment about missing delegation to a domain user)
I have provided domain-wide delegation to the client application (since I am using a service account, following the guide) with all the required scopes:
Also, all other APIs work fine. I am using the groups.list and users.list methods without any issues. Those return the results as usual.
The issue is only with the roles.list method.
Any help is appreciated.
asked Nov 20, 2024 at 15:10 by Nolik; edited Nov 22, 2024 at 16:20 by Linda Lawton - DaImTo

1 Answer
You need to pass the full credentials.json as well as an admin user with access. This is my sample for creating a user; you should just be able to change the scope and the method it calls.

    using Google.Apis.Auth.OAuth2;
    using Google.Apis.Admin.Directory.directory_v1;
    using Google.Apis.Services;

    Console.WriteLine("Hello, Google Calendar Workspace sample!");

    var scopes = new[] { DirectoryService.Scope.AdminDirectoryUser };
    const string workspaceAdmin = "[email protected]";
    const string credentials = @"C:\Development\Credentials\workspaceserviceaccount.json";

    // Load the service account key file, restrict it to the scopes above and
    // impersonate the Workspace admin through domain-wide delegation.
    var credential = GoogleCredential.FromFile(credentials).CreateScoped(scopes).CreateWithUser(workspaceAdmin);

    var services = new DirectoryService(new BaseClientService.Initializer()
    {
        HttpClientInitializer = credential,
    });

    var request = services.Users.List();
    request.Customer = "my_customer";
    request.MaxResults = 10;
    request.OrderBy = UsersResource.ListRequest.OrderByEnum.Email;

    var results = request.Execute();
    var users = results.UsersValue;

    // UsersValue is null when the response contains no users.
    if (users == null || users.Count == 0)
    {
        Console.WriteLine("No Users");
        return;
    }

    Console.WriteLine("Users:");
    foreach (var user in users)
    {
        Console.WriteLine($"{user.PrimaryEmail} ({user.Name.FullName})");
    }

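
The answer's sample adapted to roles.list, as an added example that is not part of the original answer or the question: it requests only the read-only role management scope, pages through all roles, and reports the 403 separately so a privilege problem on the impersonated user is visible. The admin address and key file path are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using Google;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Admin.Directory.directory_v1.Data;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;

// Placeholders (assumptions): the delegated admin and the key file location.
const string delegatedAdmin = "delegated-admin@example.com";
const string keyFile = "service-account.json";

// roles.list accepts the read-only scope, so the write scope is not requested.
var scopes = new[] { DirectoryService.Scope.AdminDirectoryRolemanagementReadonly };
var credential = GoogleCredential.FromFile(keyFile)
    .CreateScoped(scopes)
    .CreateWithUser(delegatedAdmin);

var service = new DirectoryService(new BaseClientService.Initializer
{
    ApplicationName = "GoogleConnector",
    HttpClientInitializer = credential,
});

var allRoles = new List<Role>();
string? pageToken = null;
try
{
    do
    {
        var request = service.Roles.List("my_customer");
        request.MaxResults = 100;
        request.PageToken = pageToken;
        var page = await request.ExecuteAsync();
        if (page.Items != null) allRoles.AddRange(page.Items); // Items is null on an empty page
        pageToken = page.NextPageToken;
    } while (!string.IsNullOrEmpty(pageToken));
}
catch (GoogleApiException ex) when (ex.HttpStatusCode == HttpStatusCode.Forbidden)
{
    // The token was issued, but the API refused the call for the impersonated user.
    // In the question the same call succeeds once that user is a Super Admin.
    Console.Error.WriteLine($"roles.list denied for {delegatedAdmin}: {ex.Error?.Message}");
    return;
}

foreach (var role in allRoles)
    Console.WriteLine($"{role.RoleId}\t{role.RoleName}\tsystem={role.IsSystemRole}\tsuperAdmin={role.IsSuperAdminRole}");
```
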
https://www.googleapis.com/auth/admin.directory.rolemanagement and https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly (Based from the article)? – Gyul, commented Nov 20, 2024 at 17:29