I'm trying to write a server process that calls the Google Directory Admin API to determine the group memberships of a given user in my domain.
With the following scope...
https://www.googleapis.com/auth/admin.directory.group.readonly
...this call works in the API Playground (returns 200):
GET /admin/directory/v1/groups?userKey=my.user@mydomain.com HTTP/1.1
However, I cannot get authorized outside the Playground.
I did the following:
(1) Added "Admin SDK" under "Enabled APIs" in the Google Developers Console
(2) Created a "Service Account" for my app in the Google Developers Console
(3) Checked "Enable Google Apps Domain-wide Delegation" for this service account
(4) Checked "Furnish a new private key" for this service account
(5) Downloaded the JSON credentials for this service account
(6) In admin.google.com -> Security -> Advanced settings -> Authentication -> Manage API client access, I added my service account's (numeric) Client ID in the "Client Name" field, entered the following scope in the "One or More API Scopes" field, and pressed Authorize: https://www.googleapis.com/auth/admin.directory.group.readonly
However, with the following Ruby code, authorization fails (Google::Apis::ClientError: forbidden: Not Authorized to access this resource/api):
require 'google/apis/admin_directory_v1'
require 'googleauth'
# Point Application Default Credentials at the downloaded service-account JSON
ENV['GOOGLE_APPLICATION_CREDENTIALS'] = 'secrets.json'
scope = [ 'https://www.googleapis.com/auth/admin.directory.group.readonly' ]
authorization = Google::Auth.get_application_default(scope)
service = Google::Apis::AdminDirectoryV1::DirectoryService.new
service.authorization = authorization
# List the groups the given user belongs to (closing quote on user_key restored)
response = service.list_groups(user_key: 'my.user@mydomain.com', domain: 'mydomain.com')
(irb session pasted below)
Note that the user and domain have been changed here for redaction. Also note that if domain is not supplied, Google::Apis::ClientError: notFound: Domain not found. is raised.
The irb session follows:
irb(main):001:0> require 'google/apis/admin_directory_v1'
=> true
irb(main):002:0> require 'googleauth'
=> false
irb(main):003:0> ENV['GOOGLE_APPLICATION_CREDENTIALS'] = 'secrets.json'
=> "secrets.json"
irb(main):004:0> scope = [ 'https://www.googleapis.com/auth/admin.directory.group.readonly' ]
=> ["https://www.googleapis.com/auth/admin.directory.group.readonly"]
irb(main):005:0> authorization = Google::Auth.get_application_default(scope)
=> #<Google::Auth::ServiceAccountCredentials:0x0000000238b1a0 @authorization_uri=nil, @token_credential_uri=#<Addressable::URI:0x11c55ec URI:https://www.googleapis.com/oauth2/v3/token>, @client_id=nil, @client_secret=nil, @code=nil, @expires_at=nil, @expires_in=nil, @issued_at=nil, @issuer="service-acct-test@test-1186.iam.gserviceaccount.com", @password=nil, @principal=nil, @redirect_uri=nil, @scope=["https://www.googleapis.com/auth/admin.directory.group.readonly"], @state=nil, @username=nil, @expiry=60, @audience="https://www.googleapis.com/oauth2/v3/token", @signing_key=#<OpenSSL::PKey::RSA:0x0000000238b218>, @extension_parameters={}, @additional_parameters={}>
irb(main):006:0> service = Google::Apis::AdminDirectoryV1::DirectoryService.new
=> #<Google::Apis::AdminDirectoryV1::DirectoryService:0x000000023dbdd0 @root_url="https://www.googleapis.com/", @base_path="admin/directory/v1/", @upload_path="upload/admin/directory/v1/", @batch_path="batch", @client_options=#<struct Google::Apis::ClientOptions application_name="unknown", application_version="0.0.0", proxy_url=nil, use_net_http=false>, @request_options=#<struct Google::Apis::RequestOptions authorization=nil, retries=0, header=nil, timeout_sec=nil, open_timeout_sec=20>>
irb(main):007:0> service.authorization = authorization
=> #<Google::Auth::ServiceAccountCredentials:0x0000000238b1a0 @authorization_uri=nil, @token_credential_uri=#<Addressable::URI:0x11c55ec URI:https://www.googleapis.com/oauth2/v3/token>, @client_id=nil, @client_secret=nil, @code=nil, @expires_at=nil, @expires_in=nil, @issued_at=nil, @issuer="service-acct-test@test-1186.iam.gserviceaccount.com", @password=nil, @principal=nil, @redirect_uri=nil, @scope=["https://www.googleapis.com/auth/admin.directory.group.readonly"], @state=nil, @username=nil, @expiry=60, @audience="https://www.googleapis.com/oauth2/v3/token", @signing_key=#<OpenSSL::PKey::RSA:0x0000000238b218>, @extension_parameters={}, @additional_parameters={}>
irb(main):008:0> response = service.list_groups(user_key: 'my.user@mydomain.com', domain: "mydomain.com")
Google::Apis::ClientError: forbidden: Not Authorized to access this resource/api
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/http_command.rb:202:in `check_status'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/api_command.rb:103:in `check_status'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/http_command.rb:170:in `process_response'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/http_command.rb:275:in `execute_once'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/http_command.rb:107:in `block (2 levels) in execute'
from /usr/local/share/ruby/gems/2.0/gems/retriable-2.1.0/lib/retriable.rb:54:in `block in retriable'
from /usr/local/share/ruby/gems/2.0/gems/retriable-2.1.0/lib/retriable.rb:48:in `times'
from /usr/local/share/ruby/gems/2.0/gems/retriable-2.1.0/lib/retriable.rb:48:in `retriable'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/http_command.rb:104:in `block in execute'
from /usr/local/share/ruby/gems/2.0/gems/retriable-2.1.0/lib/retriable.rb:54:in `block in retriable'
from /usr/local/share/ruby/gems/2.0/gems/retriable-2.1.0/lib/retriable.rb:48:in `times'
from /usr/local/share/ruby/gems/2.0/gems/retriable-2.1.0/lib/retriable.rb:48:in `retriable'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/http_command.rb:96:in `execute'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/base_service.rb:267:in `execute_or_queue_command'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/generated/google/apis/admin_directory_v1/service.rb:943:in `list_groups'
from (irb):8
from /usr/bin/irb:12:in `<main>'
irb(main):009:0>
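Added example (not part of the question, and not code from the googleauth gem): this shows, in plain Ruby with OpenSSL, what the service-account grant in the session above actually sends to the token endpoint, and the one claim that decides whose privileges the resulting token carries. With domain-wide delegation the assertion must name a domain user in its `sub` claim; without `sub`, the token represents the service account itself, which is not a member of the Google Apps domain. The service-account address and scope are taken from the posted irb output; the RSA key is a throwaway generated in-process standing in for the private key in secrets.json, and `admin@mydomain.com` is a hypothetical placeholder for a domain admin.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Values from the question's irb output; the token URI and scope are Google's
# public constants, the service-account address is the one the posted session shows.
SA_EMAIL  = 'service-acct-test@test-1186.iam.gserviceaccount.com'
TOKEN_URI = 'https://www.googleapis.com/oauth2/v3/token'
SCOPE     = 'https://www.googleapis.com/auth/admin.directory.group.readonly'

# Base64url without padding, as JWTs require (RFC 7515).
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Build the RS256-signed JWT assertion a service-account client posts to the token
# endpoint. `sub` names the domain user to act as; it is the only difference between
# "the service account itself" and "the service account acting for an admin via
# domain-wide delegation".
def build_assertion(key, sub: nil, now: Time.now)
  claims = {
    'iss'   => SA_EMAIL,
    'scope' => SCOPE,
    'aud'   => TOKEN_URI,
    'iat'   => now.to_i,
    'exp'   => now.to_i + 3600
  }
  claims['sub'] = sub unless sub.nil?
  header = { 'alg' => 'RS256', 'typ' => 'JWT' }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Simplified version of what the token endpoint checks before minting an access
# token: the signature must verify under the service account's public key and the
# audience must be the endpoint itself. Returns the claims on success.
def verify_assertion(jwt, public_key)
  header_b64, payload_b64, sig_b64 = jwt.split('.')
  signing_input = "#{header_b64}.#{payload_b64}"
  signature = Base64.urlsafe_decode64(sig_b64)
  unless public_key.verify(OpenSSL::Digest.new('SHA256'), signature, signing_input)
    raise ArgumentError, 'assertion signature does not verify'
  end
  claims = JSON.parse(Base64.urlsafe_decode64(payload_b64))
  raise ArgumentError, 'wrong audience' unless claims['aud'] == TOKEN_URI
  claims
end

# Pre-flight check for a delegated caller: which domain user will this assertion
# act as? nil means the token would carry only the bare service account's identity,
# which has no standing in the Google Apps domain and cannot read Directory data.
def delegation_subject(jwt, public_key)
  verify_assertion(jwt, public_key)['sub']
end

if __FILE__ == $PROGRAM_NAME
  # Constructed throwaway key standing in for the private key in secrets.json.
  key = OpenSSL::PKey::RSA.new(2048)
  bare      = build_assertion(key)
  delegated = build_assertion(key, sub: 'admin@mydomain.com') # hypothetical admin
  puts "bare assertion acts as:      #{delegation_subject(bare, key.public_key).inspect}"
  puts "delegated assertion acts as: #{delegation_subject(delegated, key.public_key)}"
end
```

In the googleauth gem the same claim is set through the `sub=` writer that `Google::Auth::ServiceAccountCredentials` inherits from `Signet::OAuth2::Client` (`authorization.sub = 'admin@mydomain.com'` before assigning it to `service.authorization`). From the defender's side, note what step (6) in the question actually grants: anyone holding that JSON key can mint tokens acting as any user in the domain for the authorized scopes, so keep the scope list to the read-only scope the task needs and treat secrets.json as a domain-wide credential rather than an application secret.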