How to authorise a service account to access the Google Admin API


Question

We are trying to create an integration with the Google Admin SDK in order to be able to retrieve, update and create accounts within our domain. However, we keep receiving a 403 error indicating that we are not authorized to access the resource/api.

We are using the credentials obtained from a service account which has Domain-wide Delegation of Authority enabled and the following two scopes: https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.user. We are generating the JWT (which also includes these two scopes) and then sending a request to https://www.googleapis.com/oauth2/v4/token to retrieve the access token.

We are then using the access token to send a request to https://www.googleapis.com/admin/directory/v1/users?domain=XXXX.com. We are including the access token as a Bearer token in the headers. In the response we are getting the following message:

{
    "error": {
        "errors": [
            {
                "domain": "global",
                "reason": "forbidden",
                "message": "Not Authorized to access this resource/api"
            }
        ],
        "code": 403,
        "message": "Not Authorized to access this resource/api"
    }
}

Is it possible to clarify what we are doing incorrectly?

Answer

The problem was that the JWT must include the sub field: The email address of the user for which the application is requesting delegated access.
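As an added illustration of the fix (example code, not from the question or answer above), the following builds the domain-wide-delegation assertion with the `sub` claim that was missing, and includes a small check that reports absent claims so the cause of the 403 can be spotted before the token request is sent. The service-account and admin e-mail addresses are placeholders, and the optional RS256 signer assumes the `cryptography` package is installed.

```python
import base64
import json
import time
import urllib.parse

TOKEN_URL = "https://www.googleapis.com/oauth2/v4/token"
SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
]
# Claims Google expects in a delegated service-account assertion.
REQUIRED_CLAIMS = ("iss", "scope", "aud", "sub", "iat", "exp")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(sa_email, scopes, subject, now=None, lifetime=3600):
    """Claim set for the assertion. `subject` is the admin user the
    service account acts for; leaving `sub` out yields the 403 above."""
    now = int(time.time()) if now is None else now
    return {"iss": sa_email, "scope": " ".join(scopes), "aud": TOKEN_URL,
            "sub": subject, "iat": now, "exp": now + lifetime}


def build_assertion(claims, sign):
    """sign(signing_input) must return the RS256 signature bytes made
    with the service account's private key (see rs256_signer)."""
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url(compact({"alg": "RS256", "typ": "JWT"})) + "." + b64url(compact(claims))
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def missing_claims(assertion):
    """Decode the payload (no signature check) and list absent required claims."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    present = json.loads(base64.urlsafe_b64decode(payload))
    return [c for c in REQUIRED_CLAIMS if c not in present]


def token_request_body(assertion):
    """Form body to POST to TOKEN_URL in exchange for an access token."""
    return urllib.parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": assertion})


def rs256_signer(private_key_pem: bytes):
    """Returns a sign() callable; assumes the `cryptography` package."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())
```

With the JSON key file from the service account, `rs256_signer(key_json["private_key"].encode())` supplies the signer, and `missing_claims()` on the resulting assertion should return an empty list before it is posted.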
