问题
I use the following code in a java web application to try to get all users of a group:
GoogleCredential credential = GoogleCredential.fromStream(Util.class.getResourceAsStream("[credential_file].json")).createScoped(SCOPES);
Directory directory = new Directory.Builder(httpTransport, JSON_FACTORY, credential).build();
Directory.Members dirMem = directory.members();
Members members = dirMem.list("[group_email]").execute();
This results in an exception 403 (Not authorized to access this resource/API) on the last line (dirMem.list...).
From the documentation (https://developers.google.com/admin-sdk/directory/v1/guides/delegation) and other posts, I saw that the solution to this is to set a service account user with setServiceAccountUser().
However, this means that I have to use a p12 file instead of a json file (Google recommends using a json file when you create the key).
Is there any way to get around this issue while still using a json file (it also involves less code).
Thanks.
回答1:
For now, I am just using the p12 file as outlined here:
https://developers.google.com/admin-sdk/directory/v1/guides/delegation
If anyone knows of a way to execute the code in this question with a json file, feel free to comment/answer.
回答2:
As JSON credentials is not supported serviceAccountUser I've done workaround: make credential copy.
See code here: https://stackoverflow.com/a/42313446/548473
回答3:
As suggested by this answer to a related question, including the sub (subject, I think) to indicate the email address of a delegated admin in your Google Apps account is a necessary step for the API calls to work. That delegated admin will also probably need to be authorized to access/modify the data or endpoints you are calling. Since my experience has been with the PHP client, not Java, I don't know the specifics of how you will provide that email address to the Java classes in use in your example.
回答4:
Here's the solution by setting the admin email with a JSON file:
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.DirectoryScopes;
import static com.google.api.client.googleapis.util.Utils.getDefaultJsonFactory;
import static com.google.api.client.googleapis.util.Utils.getDefaultTransport;
// ...
String ADMIN_EMAIL = "admin@company.com";
String jsonConfigFile = "/GSuite Integration.json";
List<String> scopes = Arrays.asList(DirectoryScopes.ADMIN_DIRECTORY_USER, DirectoryScopes.ADMIN_DIRECTORY_USERSCHEMA_READONLY);
GoogleCredential credential;
try (InputStream is = CredentialsWorkaroundTest.class.getResourceAsStream(jsonConfigFile)) {
credential = GoogleCredential.fromStream(is)
.createDelegated(ADMIN_EMAIL)
.createScoped(scopes);
}
Directory service = new Directory.Builder(getDefaultTransport(), getDefaultJsonFactory(), credential)
.setApplicationName(APPLICATION_NAME)
.build();
(Domain-wide delegation is not required)
Note - using google-api-client version 1.28.0
来源:https://stackoverflow.com/questions/39011470/google-admin-sdk-403-not-authorized-to-access-this-resource-api