Requested client not authorized

Time: 2014-05-27 11:30:38

Tags: c# asp.net google-app-engine google-api google-apps

I am trying to use a Google service account to get the Google users from my domain.

But it throws an error

Error:"access_denied", Description:"Requested client not authorized.", Uri:""

My code

X509Certificate2 certificate = new X509Certificate2(key_path,
                         "notasecret", X509KeyStorageFlags.Exportable);

ServiceAccountCredential credential = new ServiceAccountCredential(
           new ServiceAccountCredential.Initializer("publickey.gserviceaccount.com")
           {   Scopes = scopes,
               User = "admin@domain.com"
           }.FromCertificate(certificate));

var service = new DirectoryService(new BaseClientService.Initializer()
        {
            HttpClientInitializer = credential,
            ApplicationName = "appname",
        });

service.Users.List().Domain = "domain.com";
Users results = service.Users.List().Execute();

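Thanks in advance

3 answers:

Answer 0: (score: 1)

The service account email address needs to have access to the domain. Take the email address and add it as a user, with just enough access for it to be able to read.

Also, did you change this for posting?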

"publickey.gserviceaccount.com"

A service account email looks more like this:

539621478854-imkdv94bgujcom228h3ea33kmkoefhil@developer.gserviceaccount.com

Answer 1: (score: 0)

You first need to grant your service account / API project access to your domain. The steps are detailed in the documentation here:

https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account

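You need to specify the correct scope in step 6 of those instructions; https://www.googleapis.com/auth/admin.directory.user.readonly is the one needed to access the list of users.

In addition, to use the Directory API you also need to enable API access in the domain settings: https://developers.google.com/admin-sdk/directory/v1/guides/prerequisites#set_up_api

Answer 2: (score: 0)

I was finally able to get this working. Here is my code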

        var grpReq = service.Groups.List();
        grpReq.Domain = "mydomain.com";
        Groups groups = grpReq.Execute();

        IList<Group> gps = groups.GroupsValue;

        var memReq=service.Members.List(groups.GroupsValue[0].Id);
        Members members = memReq.Execute();

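I am still not sure why creating a var object and then calling Execute() makes this work, while the earlier code does not.

I am still facing the problem of the consent screen being shown for all users. I have the following code. I think the way I am getting the logged-in user's email is not correct. Any ideas?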

        string mymail = googleauth.GetUsersEmail(ExchangeCodeWithAccessAndRefreshToken().Access_Token);

        string path = "d:\\c6b82065f26fbb0-privatekey.p12";
        X509Certificate2 certificate = new X509Certificate2(
            path,
            "notasecret", X509KeyStorageFlags.Exportable);

        ServiceAccountCredential credential = new ServiceAccountCredential(
          new ServiceAccountCredential.Initializer("876131792-v824u6drpss@developer.gserviceaccount.com")
          {
              User = mymail,
              Scopes = new[] { PlusService.Scope.UserinfoEmail, PlusService.Scope.UserinfoProfile, PlusService.Scope.PlusMe }
          }.FromCertificate(certificate));


        PlusService plus = new PlusService(new BaseClientService.Initializer()
        {
            HttpClientInitializer = credential,
            ApplicationName = "myapp"
        });

        Person profile = plus.People.Get("me").Execute();
        string email = profile.Emails[0].Value;