我正在尝试将googleapi 2.0与服务帐户一起使用目录gooogle admin sdk在一个域名用户上。 我按照建议继续(例如this)并准备了“希望工作”的poc java代码。
这样的事......
package com.mc3info.google.api20.test;
import java.io.File;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.Directory.Members;
import com.google.api.services.admin.directory.Directory.Users.Get;
import com.google.api.services.admin.directory.DirectoryScopes;
import com.google.api.services.admin.directory.Directory.Groups;
import com.google.api.services.admin.directory.Directory.Users;
import com.google.api.services.admin.directory.model.User;
public class TestUsersList {
public static void main(String[] args) {
try {
File f = new File("config/xxxxxxx-privatekey.p12");
System.out.println(f.getAbsolutePath());
ArrayList<String> scopes = new ArrayList<String>();
// scopes.add(DirectoryScopes.ADMIN_DIRECTORY_GROUP);
// scopes.add(DirectoryScopes.ADMIN_DIRECTORY_GROUP_READONLY );
// scopes.add(DirectoryScopes.ADMIN_DIRECTORY_GROUP_MEMBER);
// scopes.add(DirectoryScopes.ADMIN_DIRECTORY_GROUP_MEMBER_READONLY);
scopes.add(DirectoryScopes.ADMIN_DIRECTORY_USER );
scopes.add(DirectoryScopes.ADMIN_DIRECTORY_USER_READONLY );
// scopes.add(DirectoryScopes.ADMIN_DIRECTORY_USER_SECURITY);
HttpTransport myHttpTransport = new NetHttpTransport();
JsonFactory JSON_FACTORY = new JacksonFactory();
GoogleCredential credential = (new GoogleCredential.Builder()
.setTransport(myHttpTransport )
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId("xxxxxxxxxxxx@developer.gserviceaccount.com")
.setJsonFactory(JSON_FACTORY)
.setServiceAccountPrivateKeyFromP12File(f )
.setServiceAccountScopes(scopes)
).build();
credential.refreshToken();
// String at = credential.getAccessToken();
String applicationName = "NYAPPLICATIONNAME";
Directory dir = new Directory.Builder(myHttpTransport, JSON_FACTORY, credential)
.setApplicationName(applicationName )
.setHttpRequestInitializer(credential)
.build();
com.google.api.services.admin.directory.Directory.Users.List ures = dir.users().list();
ures.setDomain("genericidoc.it");
ures.setOrderBy("email");
// ures.setSortOrder("ASCENDING");
// ures.setFields("users(agreedToTerms,changePasswordAtNextLogin,creationTime,customerId,deletionTime,etag,hashFunction,id,includeInGlobalAddressList,ipWhitelisted,isAdmin,isDelegatedAdmin,isMailboxSetup,kind,lastLoginTime,name,orgUnitPath,password,primaryEmail,suspended,suspensionReason,thumbnailPhotoUrl");
com.google.api.services.admin.directory.model.Users lures = ures.execute();
//HERE print all data
// for (){
// System.out.println("Utente : ");
// }
//
Groups grp = dir.groups();
com.google.api.services.admin.directory.model.Groups res = grp.list().execute();
// Directory.Members.List members = dir.members().list("someexisting email");
/*
* Values for getting GoogleCredential, found in the
* "Service account section" at:
* https://code.google.com/apis/console/#access
*/
// serviceAccountId from the "Email address" field.
// Name of group to get for testing the authentication
} catch (Throwable t) {
t.printStackTrace();
}
}
}
但收到403错误:
并且......是的,不应该刷新refreshToken()调用,但它确保我至少握手没问题......
403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "Not Authorized to access this resource/api",
"reason" : "forbidden"
} ],
"message" : "Not Authorized to access this resource/api"
}
答案 0 :(得分:1)
在using service accounts with Admin SDK for domain-wide delegation上查看Google的文档。
您没有提及,但您肯定需要从Google Apps控制台grant the service account's client id access to the Admin SDK scopes开始。
您的代码缺少像.setServiceAccountUser(userEmail)
这样的行,它允许服务帐户冒充您的Google Apps域中有权搜索目录的用户(可能是超级管理员用户)。