AdminSettings API using service account auth/keyword failures

Trying to retrieve domain number of users, 'GetCurrentNumberOfUsers()', using AdminSettings API via a Service Account in Python. Enabled delegation wide authority and scope, but getting errors. I have used service account for Calendar API, Directory API, EmailSettings API, but not working for AdminSettings. Tried sample code at: github.com/Khan/gdata-python-client/blob/master/samples/apps/adminsettings_example.py but get 'Authorization required' error while using correct credentials for admin account: API Client Access

from oauth2client.client import SignedJwtAssertionCredentials
import gdata.gauth
import gdata.apps.service
import gdata.apps.adminsettings.service

SERVICE_ACCOUNT_EMAIL = "XXXXXXXXXXXXX-ebirq08jvhldahbb482u8a1otu9n3l8p.apps.googleusercontent.com"
SERVICE_ACCOUNT_PKCS12_FILE_PATH = 'gapi_admin/privatekey.p12'
f = file(SERVICE_ACCOUNT_PKCS12_FILE_PATH, 'rb')
key = f.read()
f.close()
credentials = SignedJwtAssertionCredentials(SERVICE_ACCOUNT_EMAIL, key, scope='https://apps-apis.google.com/a/feeds/domain/', sub='[email protected]')
auth2token = gdata.gauth.OAuth2TokenFromCredentials(credentials)
service = gdata.apps.adminsettings.service.AdminSettingsService(source="testApp", domain='xxxtestmail.edu')
service = auth2token.authorize(service)

print service.GetCurrentNumberOfUsers()

#output
#TypeError: new_request() takes exactly 1 non-keyword argument (2 given)

Works fine in OAuth2 Playground, view Screenshot.

Logos answered 5/1, 2016 at 14:21 Comment(0)

The old GData Python library service objects don't actually support OAuth 2.0, which is what you need to be using. However, you can hack an access token on there. Try something like:

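import httplib2  # needed for credentials.refresh()

# SERVICE_ACCOUNT_EMAIL and key are defined as in the question's code
credentials = SignedJwtAssertionCredentials(SERVICE_ACCOUNT_EMAIL, key, scope='https://apps-apis.google.com/a/feeds/domain/', sub='[email protected]')
# access_token stays None until refresh() has fetched a token
credentials.refresh(httplib2.Http())
service = gdata.apps.adminsettings.service.AdminSettingsService(source="testApp", domain='xxxtestmail.edu')
# Attach the access token as a Bearer header on the legacy GData service object
service.additional_headers[u'Authorization'] = u'Bearer {0}'.format(credentials.access_token)

print service.GetCurrentNumberOfUsers()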
Serendipity answered 4/2, 2016 at 21:41 Comment(10)
I get 'Bearer None' returned. Works fine in Playground. I'm including a link to a Screenshot at postimg.org/image/kcr73m7y9 of OAuth playground results vs code execution. More help please? - Logos
Forgot one step to refresh credentials so access token is populated. Try now. - Serendipity
Jay, you have been most helpful! It works now!! I hope others can benefit from your help and this work. Here is a screenshot of the result postimg.org/image/e5i8wnpid. - Logos
Is there any way to perform this in .Net? There's no such AdminSettingsService in any NuGet package. I can get a token after having sent the JWT assertion but any call to the API returns a 403 error: "You are not authorized to perform operations on the domain xxx". However, I'm not able to include the "sub" in JWT as I always get a Bad Request exception while inserting it. - Ovoviviparous
.Net is an entirely different beast and deserves its own question. - Serendipity
OK, just a last thing: I installed GAM trying to sniff with Fiddler how HTTP requests are made so that I can create them from my .Net app. So I used proxy settings to redirect data to Fiddler successfully but I face an SSL certificate issue which is logical as https only is used. Is there any way to disable certificate verification to make the sniff possible or is this a dead end? I'll create a separate question after that if necessary. - Ovoviviparous
No need to sniff traffic with GAM, just create a file called debug.gam in the same folder as gam.py or gam.exe and GAM will gladly print out all the traffic and headers it sends. - Serendipity
Thanks a lot, very useful trick. I used the same headers with no success but if I use your OAuth token, I get a valid answer. So, I suppose I cannot achieve this with a Service Account token, you probably use the OAuth client token for this API. I wasn't able to get debug traces for the 'oauth create' command to validate this but I suppose it's deliberate for security purposes. Thanks a lot again. - Ovoviviparous
This is going way off topic from original question. You should start a new question. - Serendipity
Done it there: #35849087. - Ovoviviparous
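
Added example, not part of the original thread and not gdata or oauth2client code: stand-alone Python 3 (standard library only) showing the JWT claim set behind a delegated service-account token request, including the `sub` claim discussed in the comments, plus a guard that refuses to send the `Bearer None` header seen above. The token endpoint used as `aud`, the sample identities and all function names are assumptions; signing the assertion with the service account's private key (RS256) is left to a JWT library.

```python
import base64
import json
import time

# Assumption: Google's OAuth 2.0 token endpoint, used as the JWT audience.
TOKEN_URI = "https://oauth2.googleapis.com/token"
# Scope taken from the question above.
ADMIN_SETTINGS_SCOPE = "https://apps-apis.google.com/a/feeds/domain/"


def b64url(data):
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_segment(segment):
    """Inverse of b64url + JSON, handy for inspecting an assertion."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def build_claims(issuer, subject, scopes, now=None, lifetime=3600):
    """Claim set for a domain-wide-delegation token request."""
    if not subject:
        raise ValueError("delegation needs a 'sub' user to impersonate")
    if not 0 < lifetime <= 3600:
        raise ValueError("assertion lifetime must be 1..3600 seconds")
    iat = int(time.time() if now is None else now)
    return {"iss": issuer, "sub": subject, "scope": " ".join(scopes),
            "aud": TOKEN_URI, "iat": iat, "exp": iat + lifetime}


def signing_input(claims):
    """header.payload string that the private key signs (RS256)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))


def bearer_header(access_token):
    """Build the Authorization header, rejecting an unfetched token."""
    if not isinstance(access_token, str) or not access_token.strip():
        raise ValueError("no access token yet: refresh the credentials first")
    return {"Authorization": "Bearer " + access_token}


if __name__ == "__main__":
    # Constructed sample identities, not values from the thread.
    claims = build_claims("svc@example-project.iam.gserviceaccount.com",
                          "admin@example.edu", [ADMIN_SETTINGS_SCOPE])
    print(json.dumps(claims, indent=2))
    print(signing_input(claims))
```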