调用directory.user.update api需要哪些特权? [英] What privileges are required to call the directory.user.update api?
问题描述
我们的组织使用SAML将SSO集成到Google Apps中.为了使用SSO,我们必须通过API管理更改密码功能.由于不赞成使用Provisioning API,而推荐使用Admin SDK Directory API,因此我正在针对该API进行开发.
Our organization uses SAML for SSO into Google Apps. In order to use SSO we must manage the change password functionality through APIs. Since the Provisioning API has been deprecated in favor of the Admin SDK Directory API, I am developing against this API.
我正在开发的流程是最终用户将使用Google OAuth2登录到我的应用程序中.然后,我尝试使用用户访问令牌调用 https://www.googleapis .com/admin/directory/v1/users/ API放置新密码,但出现错误403未授权访问此资源/api".
The flow I am developing is that the end user will login using Google OAuth2 into my application. Then, using the users access token I am attempting to call the https://www.googleapis.com/admin/directory/v1/users/ API to put a new password, but I get an error 403 "Not Authorized to access this resource/api".
我的问题是,用户需要什么特权才能更新自己的密码?使用GET调用此API时,我能够成功检索我的用户信息,但是尝试输入新密码(或与此相关的任何其他字段)失败.
My question is, what privilege is required for the user to be able to update their own password? When calling this API with GET I am able to retrieve my user information successfully, but trying to put a new password (or any other field for that matter) fails.
以下是我的请求和回复的示例: 请求:
Here is an example of my request and response: Request:
PUT https://www.googleapis.com/admin/directory/v1/users/user%40domain.org?key={YOUR_API_KEY}
Content-Type: application/json
Authorization: Bearer ya29.AHES6ZT_7onp48edpClD72X-*************************
X-JavaScript-User-Agent: Google APIs Explorer
{
"password": "wlKsf.##2af"
}
响应:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Not Authorized to access this resource/api"
}
],
"code": 403,
"message": "Not Authorized to access this resource/api"
}
}
推荐答案
仅超级管理员,委派的管理员和代理商可以访问Admin SDK Directory API.
Only super admins, delegated admins and resellers can access the Admin SDK Directory API.
我建议创建一个只能通过API来更新用户的委派管理员,然后让您的Web应用程序使用为此委派管理员创建的OAuth令牌.
I suggest creating a delegated admin that only has access to update users via the API and then having your web application utilize an OAuth token created for this delegated admin.
这篇关于调用directory.user.update api需要哪些特权?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
