Insufficient Permission: Request had insufficient authentication scopes in google directory API when logging through admin

3

9

I'm using the Google Admin Directory API to get all accounts' public information, using the following API: https://www.googleapis.com/admin/directory/v1/users

Here is the link for this API: link. When I log in using a G Suite domain account, let's say [email protected], as a non-administrative user, this API works fine and fetches the data of all accounts in an array, but when I call this API by logging in as admin it gives me the following error:


Insufficient Permission: Request had insufficient authentication scopes


Why is it happening? I'm using the same auth and API key for both users.
My code is here:

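// Access token saved earlier by the Google sign-in button
const token = localStorage.getItem('token');
// The query string must stay on one line: a line break inside the
// template literal would put whitespace into the URL.
fetch(
  `https://www.googleapis.com/admin/directory/v1/users?domain=${domain.url}&viewType=domain_public&key=${apiKey.key}`,
  { headers: { authorization: 'Bearer ' + token } }
)
  .then(response => response.json())
  .then(data => this.setState({ users: data.users }));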

The token is coming from this module: npm react google login (Google sign-in button).

Constraint answered 11/2, 2020 at 19:50 Comment(9)
Hello @Asad, what scopes did you use for the request? Moreover, did you use any parameters for the request? - Shulem
The scope is set by default. First I'm logging in with Google auth, then I'm sending two params, view_type and domain. You can look here: developers.google.com/admin-sdk/directory/v1/reference/users/… @Shulem - Constraint
I'm sending my domain name domain.com and view_type = domain_public for the non-admin user - Constraint
With the access token in the header like this: bearer xxxxx, where xxx is the access token @Shulem - Constraint
Hello @Asad, how are you calling the API? What are you getting if you are using the OAuth 2.0 Playground with the same parameters as above? Cheers! - Shulem
I'm first logging in through the Google sign-in button. In response I'm getting an access token, and then I'm sending this access token in the header to call the API with the above 2 parameters @Shulem - Constraint
I'm calling the API with a simple fetch method in ReactJS - Constraint
Hey @Asad, have you tried the OAuth 2.0 Playground? What results are you getting? Cheers! - Shulem
It's working there :/ I have added the scope https://www.googleapis.com/auth/admin.directory.user.readonly but when I add this scope to the admin account it doesn't work, while it works for the non-admin user @Shulem - Constraint
6

It seems that the issue you are encountering is related to the way you are using the access token, more precisely in the way you use the scopes for the admin account in relation to the access token you have.

If the scopes you want to use with the two accounts don't match entirely, you will need to get another access token when you use the admin account.

So in order to solve your issue, you will have to get a new access token for the scopes you will be using for the admin account. You can declare them like this:

// List every scope the account needs, separated by commas
const SCOPES = ['https://www.googleapis.com/auth/admin.directory.user.readonly', 'OTHER_SCOPE_1', 'OTHER_SCOPE_2' /* ... */];

Same goes for the non-admin account; if the scopes don't match entirely, declare them like above and get another access token which will be the one matching them.


Shulem answered 17/2, 2020 at 16:54 Comment(2)
Uh yes, it was an issue of scope and I was stuck on how to add it in that React module, but I learnt it well. Still wondering how it works for the non-admin user. Thank you so much for your time :) @Shulem - Constraint
@Constraint you're welcome and I'm glad to hear everything works as expected now :) - Shulem
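
One way to confirm which scopes an access token actually carries before calling the users endpoint, as an added example that is not part of the original thread: it inspects a response from Google's tokeninfo endpoint. The function names, the sample responses and the `NOW` value are constructed for illustration.

```javascript
// Added example: check an access token's scopes before calling
// https://www.googleapis.com/admin/directory/v1/users.
const READONLY = 'https://www.googleapis.com/auth/admin.directory.user.readonly';
const READWRITE = 'https://www.googleapis.com/auth/admin.directory.user';

// Ask Google which scopes a token carries (needs network, so it is
// defined here but not called by the offline samples below).
async function fetchTokenInfo(accessToken) {
  const url = 'https://oauth2.googleapis.com/tokeninfo?access_token=' +
    encodeURIComponent(accessToken);
  const res = await fetch(url);
  if (!res.ok) throw new Error('tokeninfo rejected the token: ' + res.status);
  return res.json();
}

// The tokeninfo "scope" field is one space-delimited string.
function grantedScopes(tokenInfo) {
  return new Set(String(tokenInfo.scope || '').split(/\s+/).filter(Boolean));
}

// Either scope from the thread is enough to list users; read-only is the
// least-privilege choice for a listing. A missing "exp" counts as expired.
function checkDirectoryToken(tokenInfo, nowSeconds) {
  const scopes = grantedScopes(tokenInfo);
  const expired = !(Number(tokenInfo.exp) > nowSeconds);
  const canList = scopes.has(READONLY) || scopes.has(READWRITE);
  return {
    ok: canList && !expired,
    expired,
    missing: canList ? [] : [READONLY],
    overBroad: scopes.has(READWRITE), // write access granted for a read
  };
}

// Constructed tokeninfo responses (not captured from a real account).
const SAMPLES = {
  signInOnly: { scope: 'openid email profile', exp: '2000000000' },
  readonly: { scope: 'openid email ' + READONLY, exp: '2000000000' },
  readWrite: { scope: 'email ' + READWRITE, exp: '2000000000' },
  stale: { scope: READONLY, exp: '1500000000' },
};
const NOW = 1700000000; // constructed "current time", Unix seconds

for (const [name, info] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(checkDirectoryToken(info, NOW)));
}
```

A token obtained with only the sign-in defaults reports the read-only scope as missing, which is the condition behind the "insufficient authentication scopes" error; a new token has to be requested with the scope included.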
0

With the help of @ale13 I came to know that I need to add the scope in the React module react google login.

So I added the following scope:

https://www.googleapis.com/auth/admin.directory.user

And I still don't know how this works for the non-admin user without adding the scope.

Constraint answered 26/2, 2020 at 12:2 Comment(0)
0

Reason: During instance creation, in "Access scopes" you used the Default option; you need to choose the "Allow full access to all Cloud APIs" option.

If you have already created the instance, do these steps:

*) Stop the VM instance.
*) Click Edit, then under API access scopes select "Allow full access to all Cloud APIs" and click Save.
*) Start the instance and check, please.

Fenella answered 10/11, 2021 at 14:59 Comment(0)
