Question
I am trying to set up C# code to manage our Google domain.
I am receiving this error whenever I call service.Users.List() or any other method from the DirectoryService API.
Google.Apis.Requests.RequestError
Insufficient Permission [403]
Errors [
Message[Insufficient Permission] Location[ - ] Reason[insufficientPermissions] Domain[global]
]
I followed all the instructions on the OAuth setup. The account I am using is a domain admin.
The client secrets file I am using works fine when I use it with GAM.exe to do the same operations. This is leading me to believe that I am doing something wrong in my code.
Below is my code for querying users, is there anything I am missing?
    using System.IO;
    using System.Threading;
    using Google.Apis.Admin.Directory.directory_v1;
    using Google.Apis.Auth.OAuth2;
    using Google.Apis.Services;

    class Program
    {
        static void Main(string[] args)
        {
            var applicationName = "App Project Name";
            var userName = "admin@domain.com";
            var clientID = "clientIDfromAPIcredentialpageonconsole.developers.google.com";
            UserCredential credential;
            using (var stream = new FileStream("C:\\gam\\client_secrets.json", FileMode.Open, FileAccess.Read))
            {
                // Requests the org-unit and user scopes; the null data store
                // means the library's default token store is used.
                credential = GoogleWebAuthorizationBroker.AuthorizeAsync(
                    GoogleClientSecrets.Load(stream).Secrets,
                    new[] { DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser },
                    userName,
                    CancellationToken.None, null).Result;
            }
            var service = new DirectoryService(new BaseClientService.Initializer()
            {
                ApplicationName = applicationName,
                HttpClientInitializer = credential
            });
            // This is the call that returns 403 Insufficient Permission.
            var list = service.Users.List();
            var users = list.Execute();
        }
    }
Answer 1:
2 options:
- You didn't include the right Scope. Are you sure that DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser are enough?
- Did you enable the API in the Console? More information is available at: https://developers.google.com/api-client-library/dotnet/get_started#auth. Look for your project in https://console.cloud.google.com/project and make sure that you enabled the Directory Admin API.
Please update this thread if one of these options worked or something else is still missing for you.
Answer 2:
Scopes
It appears that you are trying this Quickstart:
- .NET Quickstart for Directory API
However, the scope(s) used in that tutorial are:
new [] { DirectoryService.Scope.AdminDirectoryUserReadonly };
However, in the code you posted you have:
new[] { DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser },
Tokens
After you change your scopes (shown above), you may have to delete your OAuth2 token, and then re-authorize access for your application. (Unless you haven't done the "authorize access" step yet.)
\token.json\Google.Apis.Auth.OAuth2.Responses.TokenResponse-user
Enable APIs
Also, as I think you already discovered, enabling the Directory API is a different process than enabling the Gmail API (and found at different URLs).
Enable Directory API
Enable Gmail API
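The stale-token situation described in this answer can be checked before deleting anything. The following is an added example, not code from the answers or from Google's client library: it compares the space-delimited "scope" field of a cached token response against the scopes the question's code requests. The class name, the sample JSON and the assumption that the cached file carries a "scope" field are illustrative; the comparison is an exact string match, so a broader granted scope does not count as covering a narrower one.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

static class CachedTokenScopeCheck   // hypothetical helper, not part of Google.Apis
{
    // Scope strings behind DirectoryService.Scope.AdminDirectoryOrgunit / AdminDirectoryUser.
    static readonly string[] Required =
    {
        "https://www.googleapis.com/auth/admin.directory.orgunit",
        "https://www.googleapis.com/auth/admin.directory.user",
    };

    // Returns the required scopes that the cached token was not granted.
    // Throws if the token JSON has no "scope" field, because the grant cannot be verified.
    public static List<string> MissingScopes(string tokenJson, IEnumerable<string> required)
    {
        using var doc = JsonDocument.Parse(tokenJson);
        if (!doc.RootElement.TryGetProperty("scope", out var s) || s.ValueKind != JsonValueKind.String)
            throw new FormatException("cached token has no scope field; cannot verify the grant");
        var granted = new HashSet<string>(
            s.GetString().Split(' ', StringSplitOptions.RemoveEmptyEntries), StringComparer.Ordinal);
        return required.Where(r => !granted.Contains(r)).ToList();
    }

    static void Main()
    {
        // Constructed sample of a cached token file: authorized earlier with only
        // the quickstart's read-only scope; secret values replaced by placeholders.
        const string cached = @"{
            ""access_token"": ""PLACEHOLDER"",
            ""token_type"": ""Bearer"",
            ""expires_in"": 3600,
            ""refresh_token"": ""PLACEHOLDER"",
            ""scope"": ""https://www.googleapis.com/auth/admin.directory.user.readonly""
        }";

        var missing = MissingScopes(cached, Required);
        Console.WriteLine(missing.Count == 0
            ? "Cached token covers every requested scope."
            : "Cached token lacks: " + string.Join(", ", missing)
              + ". Delete the cached token and re-authorize.");
    }
}
```

With the constructed sample, both requested scopes are reported as missing, which is the condition under which the API answers 403 until the cached token is removed and consent is given again.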
Answer 3:
Here is my working credentials code:
    using (var stream =
        new FileStream("client_secret.json", FileMode.Open, FileAccess.Read))
    {
        // Store the token under the user's personal folder instead of the default location.
        string credPath = System.Environment.GetFolderPath(
            System.Environment.SpecialFolder.Personal);
        credPath = Path.Combine(credPath, ".credentials/calendar-dotnet-quickstart.json");
        UserCredential credential = GoogleWebAuthorizationBroker.AuthorizeAsync(
            GoogleClientSecrets.Load(stream).Secrets,
            new string[] { CalendarService.Scope.Calendar },
            "username@gmail.com",
            CancellationToken.None,
            new FileDataStore(credPath, true)).Result;
        Console.WriteLine("Credential file saved to: " + credPath);
    }
Make sure to enable the API in the Console.
Answer 4:
The doc at URL https://developers.google.com/gmail/api/quickstart/dotnet has scope set as static string[] Scopes = { GmailService.Scope.GmailReadonly }; set it as GmailService.Scope.MailGoogleCom and then continue with the flow as specified in the document. It was a bummer, I was editing the scope in my token response file.
Source: https://stackoverflow.com/questions/29953024/receiving-insufficient-permission-error-from-directoryservice