I am trying to set up C# code to manage our Google domain.
I am receiving this error whenever I call service.Users.List() or any other method from the DirectoryService API.
Google.Apis.Requests.RequestError
Insufficient Permission [403]
Errors [
Message[Insufficient Permission] Location[ - ] Reason[insufficientPermissions] Domain[global]
]
I followed all the instructions on the OAuth setup. The account I am using is a domain admin.
The client secrets file I am using works fine when I use it with GAM.exe to do the same operations. This is leading me to believe that I am doing something wrong in my code.
Below is my code for querying users, is there anything I am missing?
    using System.IO;
    using System.Threading;
    using Google.Apis.Admin.Directory.directory_v1;
    using Google.Apis.Auth.OAuth2;
    using Google.Apis.Services;

    class Program
    {
        static void Main(string[] args)
        {
            var applicationName = "App Project Name";
            var userName = "admin@domain.com";
            var clientID = "clientIDfromAPIcredentialpageonconsole.developers.google.com";
            UserCredential credential;
            // Load the OAuth client secrets and run the installed-app consent flow.
            using (var stream = new FileStream("C:\\gam\\client_secrets.json", FileMode.Open, FileAccess.Read))
            {
                credential = GoogleWebAuthorizationBroker.AuthorizeAsync(
                    GoogleClientSecrets.Load(stream).Secrets,
                    // Scopes requested at consent time.
                    new[] { DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser },
                    userName,
                    CancellationToken.None, null).Result;
            }
            var service = new DirectoryService(new BaseClientService.Initializer()
            {
                ApplicationName = applicationName,
                HttpClientInitializer = credential
            });
            // This call is where the 403 Insufficient Permission error is returned.
            var list = service.Users.List();
            var users = list.Execute();
        }
    }
2 options:
- You didn't include the right Scope. Are you sure that DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser are enough?
- Did you enable the API in the Console? More information is available at: https://developers.google.com/api-client-library/dotnet/get_started#auth. Look for your project in https://console.cloud.google.com/project and make sure that you enabled the Directory Admin API.
Please update this thread if one of these options worked or something else is still missing for you.
Scopes
It appears that you are trying this Quickstart:
However, the scope(s) used in that tutorial are:
new [] { DirectoryService.Scope.AdminDirectoryUserReadonly };
However, in the code you posted you have:
new[] { DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser },
Tokens
After you change your scopes (shown above), you may have to delete your OAuth2 token, and then re-authorize access for your application. (Unless you haven't done the "authorize access" step yet.)
\token.json\Google.Apis.Auth.OAuth2.Responses.TokenResponse-user
Enable APIs
Also, as I think you already discovered, enabling the Directory API is a different process than enabling the Gmail API (and found at different URLs).
Here is my working credentials code:
    using (var stream =
        new FileStream("client_secret.json", FileMode.Open, FileAccess.Read))
    {
        string credPath = System.Environment.GetFolderPath(
            System.Environment.SpecialFolder.Personal);
        credPath = Path.Combine(credPath, ".credentials/calendar-dotnet-quickstart.json");
        UserCredential credential = GoogleWebAuthorizationBroker.AuthorizeAsync(
            GoogleClientSecrets.Load(stream).Secrets,
            new string[] { CalendarService.Scope.Calendar },
            "username@gmail.com",
            CancellationToken.None,
            new FileDataStore(credPath, true)).Result;
        Console.WriteLine("Credential file saved to: " + credPath);
    }
Make sure to enable the API in the Console.
The doc at URL https://developers.google.com/gmail/api/quickstart/dotnet has the scope set as static string[] Scopes = { GmailService.Scope.GmailReadonly }; set it as GmailService.Scope.MailGoogleCom and then continue with the flow as specified in the document. It was a bummer, I was editing the scope in my token response file.
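The scope and token advice from the answers above, combined in one program. This is an added example, not code from the original thread: it compares the scopes recorded in the cached token with the scopes the program now requests and deletes the cached token on a mismatch, so the consent screen is shown again. The "token.json" cache folder, the "client_secrets.json" path and the "my_customer" alias are assumptions; the user name and application name are the placeholders from the question.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Responses;
using Google.Apis.Services;
using Google.Apis.Util.Store;

class Program
{
    // Read-only scope is enough to list users (the scope the quickstart requests).
    static readonly string[] Scopes = { DirectoryService.Scope.AdminDirectoryUserReadonly };

    static async Task Main()
    {
        const string user = "admin@domain.com";             // placeholder from the question
        var store = new FileDataStore("token.json", true);  // assumed token cache folder

        // A token cached under different scopes keeps being reused after the code changes.
        // Compare by exact scope string and drop the cached token if anything is missing.
        var cached = await store.GetAsync<TokenResponse>(user);
        var granted = (cached?.Scope ?? "").Split(' ');
        var missing = Scopes.Except(granted).ToArray();
        if (cached != null && missing.Length > 0)
        {
            Console.WriteLine("Cached token lacks: " + string.Join(", ", missing));
            await store.DeleteAsync<TokenResponse>(user);   // forces re-consent below
        }

        UserCredential credential;
        using (var stream = new FileStream("client_secrets.json", FileMode.Open, FileAccess.Read))
        {
            credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(
                GoogleClientSecrets.Load(stream).Secrets, Scopes, user, CancellationToken.None, store);
        }
        var service = new DirectoryService(new BaseClientService.Initializer
        {
            ApplicationName = "App Project Name",
            HttpClientInitializer = credential
        });
        var request = service.Users.List();
        request.Customer = "my_customer";  // assumed: alias for the signed-in admin's own account
        var users = await request.ExecuteAsync();
        Console.WriteLine("Users returned: " + (users.UsersValue?.Count ?? 0));
    }
}
```

If the 403 persists after re-consent with matching scopes, the remaining cause named in the answers is that the Directory (Admin SDK) API is not enabled for the project.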
Source: https://stackoverflow.com/questions/29953024/receiving-insufficient-permission-error-from-directoryservice