电子邮件审核API-禁止使用403 [英] Email Audit API - 403 Forbidden

问题描述

我正在尝试使用电子邮件审核API下载用户的邮箱.我收到此代码的403禁止响应(错误发生在最后一行，对UploadPublicKey方法的调用):

I am trying to download a user's mailbox using the Email Audit API. I am getting a 403 Forbidden response to this code (the error occurs on the last line, the call to the UploadPublicKey method):

    var certificate = new X509Certificate2(System.Web.HttpRuntime.AppDomainAppPath + "key.p12", "notasecret", X509KeyStorageFlags.Exportable);

    ServiceAccountCredential credential = new ServiceAccountCredential(
       new ServiceAccountCredential.Initializer(serviceAccountEmail)
       {
           Scopes = new[] { "https://apps-apis.google.com/a/feeds/compliance/audit/" }
       }.FromCertificate(certificate));

    credential.RequestAccessTokenAsync(System.Threading.CancellationToken.None).Wait();
    DebugLabel.Text = credential.Token.AccessToken;

    var requestFactory = new GDataRequestFactory("My App User Agent");
    requestFactory.CustomHeaders.Add(string.Format("Authorization: Bearer {0}", credential.Token.AccessToken));

    AuditService aserv = new AuditService(strOurDomain, "GoogleMailAudit");
    aserv.RequestFactory = requestFactory;
    aserv.UploadPublicKey(strPublicKey);

我已经在开发人员控制台中创建了服务帐户，并授予了客户ID访问

I have created the service account in the Developers Console and granted the Client ID access to https://apps-apis.google.com/a/feeds/compliance/audit/ in the Admin console.

在我看来，该帐户应该具有所需的所有权限，但没有.知道我缺少什么吗?

Seems to me like the account should have all the permissions it needs, yet it doesn't. Any idea what I am missing?

推荐答案

好，所以我放弃了尝试使其与服务帐户一起使用的方法，即使那是Google的文档会导致您认为这是正确的方法做吧.通过电子邮件向Google支持小组发送电子邮件后，我了解到我可以将OAuth2用于在开发人员控制台上创建应用程序的超级用户帐户.

OK, so I gave up on trying to make it work with a service account even though that is what Google's documentation would lead you to believe is the correct way to do it. After emailing Google support, I learned I could just use OAuth2 for the super user account that created the application on the developer's console.

因此，我接着按照以下概述的过程来获取用于脱机访问的访问令牌(刷新令牌): 带有OAuth的Youtube API单用户方案(上传视频) 然后获取该刷新令牌并将其与以下代码配合使用:

So then I worked on getting an access token for offline access (a refresh token) by following the process outlined here: Youtube API single-user scenario with OAuth (uploading videos) and then taking that refresh token and using it with this code:

public static GOAuth2RequestFactory RefreshAuthenticate(){
OAuth2Parameters parameters = new OAuth2Parameters(){
    RefreshToken = "<YourRefreshToken>",
    AccessToken = "<AnyOfYourPreviousAccessTokens>",
    ClientId = "<YourClientID>",
    ClientSecret = "<YourClientSecret>",
    Scope = "https://apps-apis.google.com/a/feeds/compliance/audit/",
    AccessType = "offline",
    TokenType = "refresh"
};
OAuthUtil.RefreshAccessToken(parameters);
return new GOAuth2RequestFactory(null, "<YourApplicationName>", parameters);
}

这是此处的代码 https://stackoverflow.com/a/23528629/5215904 (除非我更改了倒数第二行...无论出于何种原因，共享的代码在我进行更改之前都无法起作用.

which is code from here https://stackoverflow.com/a/23528629/5215904 (Except I changed the second to last line... for whatever reason the code shared did not work until I made that change).

因此，我终于可以为自己获取访问令牌，该令牌使我可以访问Email Audit API.一旦我停止尝试弄乱服务帐户，一切就变得轻而易举.

So there I was finally able to get myself an access token that would allow me access to the Email Audit API. From there everything was a breeze once I stopped trying to mess around with a service account.

这篇关于电子邮件审核API-禁止使用403的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！