当调用users().list()。execute()时,Google Directory API返回Not Authorized [英] Google Directory API returns Not Authorized when call users().list().execute()
问题描述
因此,我去了我的Google API控制台并启用了 Admin SDK ,并创建了服务帐户以调用Google API。我使用以下Google库
- google-api-services-admin-directory_v1-rev11-1.16.0-rc.jar
- google-api-client-1.16.0-rc.jar
我的代码是
/ *
* JSON工厂的全局实例。
* /
final JsonFactory JSON_FACTORY = JacksonFactory.getDefaultInstance();
/ *
HTTP传输的全局实例。
* /
HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
集合< String> scopeList = new ArrayList<>();
scopeList.add(DirectoryScopes.ADMIN_DIRECTORY_USER);
scopeList.add(DirectoryScopes.ADMIN_DIRECTORY_GROUP);
scopeList.add(DirectoryScopes.ADMIN_DIRECTORY_GROUP_MEMBER);
GoogleCredential凭证=新的GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId(nnnnnn@developer.gserviceaccount.com )
.setServiceAccountScopes(scopeList)
.setServiceAccountPrivateKeyFromP12File(new File(/ Path / To / KeyFile / nnnnn-privatekey.p12))
// .setServiceAccountUser(admin @ mydomain .org)
.build();
Directory admin = new Directory.Builder(httpTransport,JSON_FACTORY,凭证)
.setApplicationName(Test)
.setHttpRequestInitializer(凭证).build();
用户users = admin.users()。list()。setDomain(mydomain.org)。execute();
我收到最后一行
<
{
code:403,
错误:[{
domain:global,
message:Not Authorized to access this resource / api,
reason:forbidden
}],
message:未授权访问此资源/ api
}
,位于com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException。 java:145)
,位于com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:113)
位于com.google.api.client.googleapis.services。 json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:40)
,位于com.google.api.client.googleapis.services.AbstractGoogleClientRequest $ 1.interceptResponse(AbstractGoogleClientRequest.java:312)
,位于com.google.api .client.http。 HttpRequest.execute(HttpRequest.java:1045)
,com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:410)
,位于com.google.api.client。 googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:343)
,位于com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:460)
$ c $如果我取消注释评论行( .setServiceAccountUser(admin@mydomain.org)
),那么我得到一个不同的错误 线程maincom.google.api.client.auth.oauth2中的异常。 TokenResponseException:400错误请求
{
错误:access_denied
}
,位于com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java :105)
at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:287)
at com。 google.api.client.auth.oauth2.TokenRequest.execute(TokenRequest.java:307)
,位于com.google.api.client.googleapis.auth.oauth2.GoogleCredential.executeRefreshToken(GoogleCredential.java:269)
at com.google.api.client.auth.oauth2.Credential.refreshToken(Credential.java:489)
at com.google.api.client.auth.oauth2.Credential.intercept(Credential.java :217)
,位于com.google.api.client.http.HttpRequest.execute(HttpRequest.java:858)
位于com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest .java:410)
,位于com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:343)
位于com.google.api.client.googleapis.services.AbstractGoogleClientRequest .execute(AbstractGoogleClientRequest.java:460)
我的帐户(admin@mydomain.org)是一个<强>超级管理员。我怀疑需要为用户API范围授予服务帐户访问权限。但我无法找到我可以授予此权限的位置。我有我的Google CPanel的经典用户界面模式。我没有在高级工具中的管理客户端API访问权限页面。
另外我不确定我应该在 .setApplicationName( 测试)
。
感谢您的帮助
解决方案您可以转到管理控制台中的安全设置(admin.google.com/AdminHome?chromeless=1&pli=1#SecuritySettings :);然后点击高级设置>管理第三方OAuth客户端访问。之后,将您的客户端ID(在oath2的API访问下从appconsole code.google.com/apis/console生成)和一个或多个API范围映射。在那里使用逗号分隔的范围。对于google目录,您可以使用 https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.user
希望它可以工作:)
I need to read the list of users (and groups) from my google domain.
So I went to my Google APIs Console and enabled Admin SDK and created a Service Account to call Google APIs. I use the following google libraries
- google-api-services-admin-directory_v1-rev11-1.16.0-rc.jar
- google-api-client-1.16.0-rc.jar
My code is
/*
* Global instance of the JSON factory.
*/
final JsonFactory JSON_FACTORY = JacksonFactory.getDefaultInstance();
/*
Global instance of the HTTP transport.
*/
HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
Collection<String> scopeList = new ArrayList<>();
scopeList.add(DirectoryScopes.ADMIN_DIRECTORY_USER);
scopeList.add(DirectoryScopes.ADMIN_DIRECTORY_GROUP);
scopeList.add(DirectoryScopes.ADMIN_DIRECTORY_GROUP_MEMBER);
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId("nnnnnn@developer.gserviceaccount.com")
.setServiceAccountScopes(scopeList)
.setServiceAccountPrivateKeyFromP12File(new File("/Path/To/KeyFile/nnnnn-privatekey.p12"))
// .setServiceAccountUser("admin@mydomain.org")
.build();
Directory admin = new Directory.Builder(httpTransport, JSON_FACTORY, credential)
.setApplicationName("Test")
.setHttpRequestInitializer(credential).build();
Users users = admin.users().list().setDomain("mydomain.org").execute();
And I receive this on the last line
Error
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "Not Authorized to access this resource/api",
"reason" : "forbidden"
} ],
"message" : "Not Authorized to access this resource/api"
}
at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:145)
at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:113)
at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:40)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest$1.interceptResponse(AbstractGoogleClientRequest.java:312)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1045)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:410)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:343)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:460)
If I uncomment the commented line (.setServiceAccountUser("admin@mydomain.org")
) then I get a different error
Exception in thread "main" com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request
{
"error" : "access_denied"
}
at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105)
at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:287)
at com.google.api.client.auth.oauth2.TokenRequest.execute(TokenRequest.java:307)
at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.executeRefreshToken(GoogleCredential.java:269)
at com.google.api.client.auth.oauth2.Credential.refreshToken(Credential.java:489)
at com.google.api.client.auth.oauth2.Credential.intercept(Credential.java:217)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:858)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:410)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:343)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:460)
My account (admin@mydomain.org) is a super administrator. I suspect the Service Account needs to be granted access for the users API scope. But I can not find where I can grant this access. I have a classic UI mode of my Google CPanel. And I don't have "Manage client API access" page in the Advanced tools.
Also I'm not sure what I should use as an Application Name at .setApplicationName("Test")
.
Thanks for any help
解决方案 you can go to "security" settings in the admin console (admin.google.com/AdminHome?chromeless=1&pli=1#SecuritySettings:); then click on advance settings > Manage third party OAuth Client access. After this map your client id(generated from appconsole code.google.com/apis/console under API access for oath2) and "One or More API Scopes". Use comma separated scopes as mentioned there. For google directory you can use https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.user
Hope after this it works :)
这篇关于当调用users().list()。execute()时,Google Directory API返回Not Authorized的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!