问题
I'm trying to call the Google Apps Directory API so that I can list users to my organization's Google Apps Account
I have scoured for hours through their documentation and have been able to come up with the code below. However, I get the following error. Invalid Credentials [401] I suspect that it has to do with the way I constructed the ServiceAccountCredential
[STAThread]
static void Main(string[] args)
{
Console.WriteLine("Google Directory Service API");
Console.WriteLine("================================");
try
{
new Program().Run().Wait();
}
catch (AggregateException ex)
{
foreach (var e in ex.InnerExceptions)
{
Console.WriteLine("ERROR: " + e.Message);
}
}
Console.WriteLine("Press any key to continue...");
Console.ReadKey();
}
private async Task Run()
{
using (var stream = new FileStream("../../client-secrets.json", FileMode.Open, FileAccess.Read))
using (var reader = new StreamReader(stream))
{
JObject clientJObject = JObject.Parse(reader.ReadToEnd());
var secrets = new ClientSecrets
{
ClientId = clientJObject.GetValue("client_id").ToString(),
ClientSecret = clientJObject.GetValue("private_key").ToString()
};
var tokenUrl = clientJObject.GetValue("token_uri").ToString();
var credential = new ServiceAccountCredential(new ServiceAccountCredential.Initializer(secrets.ClientId, tokenUrl).FromPrivateKey(secrets.ClientSecret));
var initializer = new BaseClientService.Initializer()
{
HttpClientInitializer = credential,
ApplicationName = "My Directory Listing App",
};
var service = new DirectoryService(initializer);
var users = await service.Users.List().ExecuteAsync();
users.UsersValue.ToList().ForEach(u =>
{
Console.WriteLine(u.PrimaryEmail);
});
}
}
My Secrets.Json file is a bit like follows. I removed the majority of the private key part
{
"type": "service_account",
"project_id": "service.account",
"private_key_id": "fd6f98b603dd5a065c87a8d34a4e428cf6277a35",
"private_key": "-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n",
"client_email": "service.account@appspot.gserviceaccount.com",
"client_id": "102588765356663060837",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service.account%40appspot.gserviceaccount.com"
}
回答1:
Administration
Step 1: Login to the Admin console
Step 2: Ensure API Access is enabled Security > Api Reference > Enable API Access
Step 3: Enable Google Apps Domain-wide Delegation
- Head over to the Dev Console
- Select the API Project
- Then go to
Credentials > Manage Service Accounts > "Edit Service Account" > Enable Google Apps Domain-wide Delegation "Go Back" > "View ClientID"- Copy the Client ID as you'll be needing that
Step 4: Register API Client and Scopes Security > Advanced Settings > Manage API client access
- Enter the client ID and a comma separated list of scopes (i.e. https://www.googleapis.com/auth/admin.directory.user)
- Then
Authorize
Step 5: Create Service Account Private Key
Create Credentials > Service Account Key > "Select Service Account" > P12 "For backward compatibility with code using the P12 format" > Close- This will automatically download the Key code to your system. Save this key as it is very important
The Code
First you need to install the following packages
install-package Google.Apis.Admin.Directory.directory_v1
install-package Newtonsoft.Json
And finally the code below
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;
using System;
using System.Linq;
using Google.Apis.Admin.Directory.directory_v1;
using System.Security.Cryptography.X509Certificates;
namespace GoogleApis
{
/// <summary>
/// This sample demonstrates the simplest use case for a Service Account service.
/// The certificate needs to be downloaded from the Google Developers Console
/// <see cref="https://console.developers.google.com/">
/// "Create another client ID..." -> "Service Account" -> Download the certificate,
/// rename it as "key.p12" and add it to the project. Don't forget to change the Build action
/// to "Content" and the Copy to Output Directory to "Copy if newer".
/// </summary>
public class Program
{
public static void Main(string[] args)
{
//Service account Email
//NOTE: This is the account for the Service Client
string serviceAccountEmail = "service.account@appspot.gserviceaccount.com";
//Path to Downloaded Key
var path = @"Path\To\key.p12";
//Generate a Certificate using the Key downloaded from the Api Console
var certificate = new X509Certificate2(path, "notasecret", X509KeyStorageFlags.Exportable);
//Create the Credential
ServiceAccountCredential serviceCredential = new ServiceAccountCredential(
new ServiceAccountCredential.Initializer(serviceAccountEmail)
{
//Define the Scopes You want the credential to Access
Scopes = new[]
{
DirectoryService.Scope.AdminDirectoryUser,
},
//Specify the User that this service Credential is Impersonating. Typically your Google Apps Admin Account
User = "admin@domain.com"
}.FromCertificate(certificate));
//Instantiate the Service (Could be any of the Google Api Services)
var service = new DirectoryService(new BaseClientService.Initializer()
{
HttpClientInitializer = serviceCredential,
});
// Define parameters of request.
UsersResource.ListRequest request = service.Users.List();
//Set the Domain of the Request
request.Domain = "domain.com";
// List users.
var users = request.Execute().UsersValue;
users.Select(u => u.PrimaryEmail).ToList().ForEach(Console.WriteLine);
Console.ReadKey();
}
}
}
来源:https://stackoverflow.com/questions/36864319/authentication-error-using-google-directory-api-from-c-sharp