Requested client not authorized

Question

I am trying to get google users from my domain using google service account.

But it throws error

Error:"access_denied", Description:"Requested client not authorized.", Uri:""

My code

X509Certificate2 certificate = new X509Certificate2(key_path,
                         "notasecret", X509KeyStorageFlags.Exportable);

ServiceAccountCredential credential = new ServiceAccountCredential(
           new ServiceAccountCredential.Initializer("publickey.gserviceaccount.com")
           {   Scopes = scopes,
               User = "admin@domain.com"
           }.FromCertificate(certificate));

var service = new DirectoryService(new BaseClientService.Initializer()
        {
            HttpClientInitializer = credential,
            ApplicationName = "appname",
        });

service.Users.List().Domain = "domain.com";
Users results = service.Users.List().Execute();

Thanks in advance

Answer 1

The service account email address needs to have access the domain. Take the email and add it as a user just enough access that it can read should be good.

Also did you change this for posting?

"publickey.gserviceaccount.com"

A service account email looks more like this:

539621478854-imkdv94bgujcom228h3ea33kmkoefhil@developer.gserviceaccount.com

Answer 2

You need to give your service-account/API project access to your domain first. Steps detailed in the docs here:

https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account

You need to specify the correct scopes you need in step 6 of those instructions, which would be https://www.googleapis.com/auth/admin.directory.user.readonly to access the list of users.

In addition for the Directory API to work you need to enable API access in the domain settings: https://developers.google.com/admin-sdk/directory/v1/guides/prerequisites#set_up_api

Answer 3

I was finally able to get this working. Here is the code I have

        var grpReq = service.Groups.List();
        grpReq.Domain = "mydomain.com";
        Groups groups = grpReq.Execute();

        IList<Group> gps = groups.GroupsValue;

        var memReq=service.Members.List(groups.GroupsValue[0].Id);
        Members members = memReq.Execute();

I am still not sure why creating a var object and then Execute() got this to work but the earlier code didn't work.

I still have the problem of the consent screen showing up for all users. I have the following code. I think the way I get the logged in user's email is incorrect. Any ideas?

        string mymail = googleauth.GetUsersEmail(ExchangeCodeWithAccessAndRefreshToken().Access_Token);

        string path = "d:\\c6b82065f26fbb0-privatekey.p12";
        X509Certificate2 certificate = new X509Certificate2(
            path,
            "notasecret", X509KeyStorageFlags.Exportable);

        ServiceAccountCredential credential = new ServiceAccountCredential(
          new ServiceAccountCredential.Initializer("876131792-v824u6drpss@developer.gserviceaccount.com")
          {
              User = mymail,
              Scopes = new[] { PlusService.Scope.UserinfoEmail, PlusService.Scope.UserinfoProfile, PlusService.Scope.PlusMe }
          }.FromCertificate(certificate));


        PlusService plus = new PlusService(new BaseClientService.Initializer()
        {
            HttpClientInitializer = credential,
            ApplicationName = "myapp"
        });

        Person profile = plus.People.Get("me").Execute();
        string email = profile.Emails[0].Value;