Google Admin SDK 403 Not Authorized to Access this Resource/API
S

4

5

I use the following code in a Java web application to try to get all users of a group:

GoogleCredential credential = GoogleCredential.fromStream(Util.class.getResourceAsStream("[credential_file].json")).createScoped(SCOPES);

Directory directory = new Directory.Builder(httpTransport, JSON_FACTORY, credential).build();

Directory.Members dirMem = directory.members();
Members members = dirMem.list("[group_email]").execute();

This results in an exception 403 (Not authorized to access this resource/API) on the last line (dirMem.list...).

From the documentation (https://developers.google.com/admin-sdk/directory/v1/guides/delegation) and other posts, I saw that the solution to this is to set a service account user with setServiceAccountUser(). However, this means that I have to use a p12 file instead of a json file (Google recommends using a json file when you create the key).

Is there any way to get around this issue while still using a json file (it also involves less code)?

Thanks.

Spindrift answered 18/8, 2016 at 6:40 Comment(3)
You can use a service account JSON key file rather than the P12 service account JSON key file. Remember service account authentication code and OAuth2 authentication code are different. – Whiteside
Thanks. I did try to use a service account key file (generated by following the instructions here: developers.google.com/identity/protocols/…). It contains the fields: type: "service account", project_id, private_key_id, private_key, client_email, client_id, etc. Is this not the right json key file? Or is there something missing in my code above? – Spindrift
Sounds right to me. You are going to have to find an example for using the json file instead of the p12 file. And remember the service account needs to be authorized to access the data. Make sure you added it as a user on Google domain. Note: I am not a Java programmer, and I don't have access to Google domain. I can only give you hints, sorry. – Whiteside
S
1

For now, I am just using the p12 file as outlined here:

https://developers.google.com/admin-sdk/directory/v1/guides/delegation

If anyone knows of a way to execute the code in this question with a json file, feel free to comment/answer.

Spindrift answered 18/8, 2016 at 8:17 Comment(0)
P
4

As suggested by this answer to a related question, including the sub (subject, I think) to indicate the email address of a delegated admin in your Google Apps account is a necessary step for the API calls to work. That delegated admin will also probably need to be authorized to access/modify the data or endpoints you are calling. Since my experience has been with the PHP client, not Java, I don't know the specifics of how you will provide that email address to the Java classes in use in your example.

Pantomime answered 20/6, 2017 at 21:10 Comment(1)
Wow. I don't think this was anywhere in the tutorials and such. This worked for PHP by using $client->setSubject('[email protected]') – Turtledove
A
1

As JSON credentials do not support serviceAccountUser, I've done a workaround: make a copy of the credential.

See code here: https://mcmap.net/q/2034678/-google-directory-api-returns-not-authorized-when-call-users-list-execute

Adis answered 18/2, 2017 at 9:34 Comment(0)
E
1

Here's the solution by setting the admin email with a JSON file:

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.DirectoryScopes;
import java.io.InputStream;
import java.util.Arrays;
import java.util.List;
import static com.google.api.client.googleapis.util.Utils.getDefaultJsonFactory;
import static com.google.api.client.googleapis.util.Utils.getDefaultTransport;
// ...

String ADMIN_EMAIL = "[email protected]";
String jsonConfigFile = "/GSuite Integration.json";
List<String> scopes = Arrays.asList(DirectoryScopes.ADMIN_DIRECTORY_USER, DirectoryScopes.ADMIN_DIRECTORY_USERSCHEMA_READONLY);

GoogleCredential credential;
try (InputStream is = CredentialsWorkaroundTest.class.getResourceAsStream(jsonConfigFile)) {
    credential = GoogleCredential.fromStream(is)
        .createDelegated(ADMIN_EMAIL)
        .createScoped(scopes);
}

Directory service = new Directory.Builder(getDefaultTransport(), getDefaultJsonFactory(), credential)
        .setApplicationName(APPLICATION_NAME)
        .build();

(Domain-wide delegation is not required)

Note - using google-api-client version 1.28.0

Eminence answered 22/5, 2019 at 10:42 Comment(0)
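
The question's group-member listing combined with the createDelegated approach from the answer above, as an added example that is not code from the original posts. The class name, key path, admin address, group address and application name are placeholders, and it assumes the setup from the delegation guide linked in the question has been done for the read-only member scope, the only scope it requests.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.json.GoogleJsonResponseException;
import com.google.api.client.googleapis.util.Utils;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.DirectoryScopes;
import com.google.api.services.admin.directory.model.Member;
import com.google.api.services.admin.directory.model.Members;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class GroupMemberLister {
    // Placeholders (assumptions, not values from the page): substitute your own.
    private static final String KEY_RESOURCE = "/service-account-key.json";
    private static final String ADMIN_EMAIL = "admin@example.com";
    private static final String GROUP_EMAIL = "group@example.com";

    static Directory buildDirectory() throws IOException {
        try (InputStream is = GroupMemberLister.class.getResourceAsStream(KEY_RESOURCE)) {
            if (is == null) throw new IOException("Key file not on classpath: " + KEY_RESOURCE);
            GoogleCredential credential = GoogleCredential.fromStream(is)
                    .createDelegated(ADMIN_EMAIL) // sent as the "sub" claim of the token request
                    .createScoped(Collections.singletonList(DirectoryScopes.ADMIN_DIRECTORY_GROUP_MEMBER_READONLY));
            return new Directory.Builder(Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(), credential)
                    .setApplicationName("group-member-lister")
                    .build();
        }
    }

    // Follows nextPageToken so large groups are returned in full.
    static List<String> listMemberEmails(Directory directory, String groupKey) throws IOException {
        List<String> emails = new ArrayList<>();
        String pageToken = null;
        do {
            Members page = directory.members().list(groupKey).setPageToken(pageToken).execute();
            if (page.getMembers() != null) { // null when the page has no members
                for (Member m : page.getMembers()) emails.add(m.getEmail());
            }
            pageToken = page.getNextPageToken();
        } while (pageToken != null);
        return emails;
    }

    public static void main(String[] args) throws IOException {
        try {
            listMemberEmails(buildDirectory(), GROUP_EMAIL).forEach(System.out::println);
        } catch (GoogleJsonResponseException e) {
            System.err.println("Directory API returned " + e.getStatusCode() + ": check the delegated admin and the authorized scope");
        }
    }
}
```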