Google Directory API returns access_denied when calling groups().list().execute()

Submitted by 余生颓废 on 2019-12-24 14:19:37

Question


  • Library : google-api-services-admin-directory_v1-rev11-1.16.0-rc.jar
  • API Console : Service Account
  • Domain 3rd party OAuth Client Access Setting: https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.user

Getting the users list works, but the groups list returns an error (access_denied).

Source

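import java.util.ArrayList;
import java.util.List;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.DirectoryScopes;

// Transport and JSON factory (declarations not shown in the original snippet)
HttpTransport httpTransport = new NetHttpTransport();
JsonFactory jsonFactory = new JacksonFactory();

// Scopes requested for the service account token
List<String> scopeList = new ArrayList<String>();
scopeList.add(DirectoryScopes.ADMIN_DIRECTORY_USER);
scopeList.add(DirectoryScopes.ADMIN_DIRECTORY_GROUP);
scopeList.add(DirectoryScopes.ADMIN_DIRECTORY_GROUP_MEMBER);

// Service account credential that impersonates a domain user
GoogleCredential credential = new GoogleCredential.Builder()
    .setTransport(httpTransport)
    .setJsonFactory(jsonFactory)
    .setServiceAccountId("xxxxx@developer.gserviceaccount.com")
    .setServiceAccountScopes(scopeList)
    .setServiceAccountPrivateKeyFromP12File(new java.io.File("xxxxx-privatekey.p12"))
    .setServiceAccountUser("admin@test.com")
    .build();

Directory admin = new Directory.Builder(httpTransport, jsonFactory, credential)
    .setApplicationName("Test")
    .setHttpRequestInitializer(credential).build();

admin.users().list().setDomain("test.com").execute();   // works
admin.groups().list().setDomain("test.com").execute();  // fails with access_denied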

Error

com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request
{
  "error" : "access_denied"
}
    at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105)
    at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:332)
    at com.google.api.client.auth.oauth2.TokenRequest.execute(TokenRequest.java:352)
    at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.executeRefreshToken(GoogleCredential.java:269)
    at com.google.api.client.auth.oauth2.Credential.refreshToken(Credential.java:454)
    at com.google.api.client.auth.oauth2.Credential.intercept(Credential.java:215)
    at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:854)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:410)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:343)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:460)

Answer 1:


  • Is the Service Account granted access for the groups API scope (https://www.googleapis.com/auth/admin.directory.group or https://www.googleapis.com/auth/admin.directory.group.readonly)? See the Google Drive docs for details on how to do this.

  • Is the ServiceAccountUser a super administrator or is he a delegated admin that has been granted rights to manage groups via API?



Source: https://stackoverflow.com/questions/18375978/google-directory-api-return-access-denied-when-call-groups-list-execute
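
The stack trace in the question shows the exception raised inside Credential.refreshToken, that is, at the OAuth token request, before the Directory API call itself is sent. The following is an added example, not code from the original post or from Google: it requests one token per scope with the question's credential settings to show which scope the domain's client access grant does not cover. The class name ScopeProbe and the method tokenError are hypothetical, and it needs the same key file, placeholder values and network access as the question's code.

```java
import com.google.api.client.auth.oauth2.TokenResponseException;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.admin.directory.DirectoryScopes;
import java.io.File;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

public class ScopeProbe {  // hypothetical class name, not part of the original post
    private static final NetHttpTransport HTTP = new NetHttpTransport();
    private static final JacksonFactory JSON = new JacksonFactory();

    /** Requests a token for the given scopes; returns null on success, else the OAuth error. */
    static String tokenError(Collection<String> scopes) throws Exception {
        GoogleCredential credential = new GoogleCredential.Builder()
            .setTransport(HTTP)
            .setJsonFactory(JSON)
            .setServiceAccountId("xxxxx@developer.gserviceaccount.com") // placeholder from the question
            .setServiceAccountScopes(scopes)
            .setServiceAccountPrivateKeyFromP12File(new File("xxxxx-privatekey.p12"))
            .setServiceAccountUser("admin@test.com")                    // impersonated domain user
            .build();
        try {
            credential.refreshToken();  // the call that throws in the question's stack trace
            return null;
        } catch (TokenResponseException e) {
            return e.getDetails() != null ? e.getDetails().getError() : e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> requested = Arrays.asList(
            DirectoryScopes.ADMIN_DIRECTORY_USER,
            DirectoryScopes.ADMIN_DIRECTORY_GROUP,
            DirectoryScopes.ADMIN_DIRECTORY_GROUP_MEMBER);
        // One token request per scope isolates the scope the grant is missing for.
        for (String scope : requested) {
            String error = tokenError(Collections.singleton(scope));
            System.out.println((error == null ? "OK      " : "FAILED  ") + scope
                + (error == null ? "" : " -> " + error));
        }
        // All scopes in a single request, as the question's code sends them.
        String all = tokenError(requested);
        System.out.println("all scopes together: " + (all == null ? "OK" : all));
    }
}
```

If every scope fails, the problem is not scope-specific, which points to the answer's second check: the rights of the impersonated user.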
