带有G Suite帐户插入的Google日历获得403 [英] Google Calendar with G Suite account insert get 403
问题描述
我需要使用G Suite帐户插入包含环聊聚会的日历但我什至不能插入事件,我总是得到403响应
I need to use G Suite account to insert a calendar include a hangout meet but I can't even insert the event, I always get the 403 response
403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "calendar",
"message" : "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority.",
"reason" : "forbiddenForServiceAccounts"
} ],
"message" : "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
}
我使用GCP p12文件和服务帐户来制作日历.
I use the GCP p12 file and the service account to do the calendar.
我还单击启用G Suite域范围委派"框,并添加我的clientId和范围
I also click the Enable G Suite domain-wide delegation box and add my clientId and scope of
https://www.googleapis.com/auth/admin.directory.resource.calendar , https://www.googleapis.com/auth/calendar.events
在G Suite管理控制台上
at G Suite Admin console
可能是什么问题!?
顺便说一句,我是否需要设置OAuth同意屏幕!?我已经保存了它,但未得到Google的批准.
By the way, do I need to set the OAuth consent screen!? I already save it, but not been approve by google.
任何人都可以帮忙!
一开始,我通过以下代码获取凭据
In the begining I get credentials by the following code
credentials = new GoogleCredential.Builder().setTransport(httpTransport).setJsonFactory(JSON_FACTORY)
.setServiceAccountId(CalendarEntity.CALENDARID)
.setServiceAccountPrivateKeyFromP12File(new File(P12FILEPATH))
.setServiceAccountScopes(Collections.singleton(CalendarScopes.CALENDAR)).build();
然后我添加(我的G Suite帐户)
And then I add (my G Suite account)
.setServiceAccountUser("xxx@xxx.com.tw")
它的回应401未经授权我怎样才能解决这个问题?
it response 401 Unauthorized How can I slove this!? thx
推荐答案
您缺少模拟功能.
向服务帐户授予域范围的权限的目的是使这些帐户能够代表域中的用户访问数据.
The purpose of granting domain-wide authority to a Service Account is for these accounts to be able to access data on behalf of users in the domain.
如果您授予它整个域的权限,但没有模拟"任何帐户,则服务帐户的行为就好像您没有被授予此权限一样:它正在尝试访问自己的日历,云端硬盘文件等,或在这种情况下,尝试插入事件:服务帐户当前无法执行的操作,我想你已经知道了.
If you grant it domain-wide authority but are not "impersonating" any account, the Service Account is acting as if you hadn't granted this authority: it is trying to access its own Calendars, Drive files, etc., or in this case, trying to insert an Event: something which the Service Account cannot currently do, as I guess you already know.
当服务帐户模拟域中的另一个用户时(即,当它代表用户执行操作时),服务帐户可以访问该用户可以访问的资源.仅此而已.使委派有用的原因是它可以与域中的任何用户一起执行此操作.
When the Service Account impersonates another user in the domain (that is, when it acts on behalf of the user), the Service Account can access the resources this user can access. Nothing more, nothing less. What makes delegation useful is that it can do this with any user in the domain.
要模拟其他用户,您必须指定该用户的电子邮件地址.我不知道您正在使用哪个库(如果有),但是在此处,您将看到如何使用Python,Java和普通的HTTP/REST来模拟另一个用户.请参阅此答案如果您需要在Node.js库中执行此操作.如果要使用其他库,请在库文档中查找相应的方法.
To impersonate another user, you have to specify this user's email address. I don't know which library you are using, if any, but here you can see how to impersonate another user with Python, Java, and plain HTTP/REST. Refer to this answer if you need to do it in the Node.js library. If you are using another library, look for the corresponding method in the library documentation.
这篇关于带有G Suite帐户插入的Google日历获得403的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
