401尝试使用Google API创建组织时

Question

我尝试使用Google的Admin SDK使用shell脚本创建orgunit。我的脚本如下：

# Obtain a token we can use to modify the organisation
auth_header=`oauth2l header --json "..." "admin.directory.orgunit"`
customer_id=...

curl -v -H "Content-Type: application/json" -X POST \
    --data-binary "@google-orgunits/technical.json" \
    --header "$auth_header" \
    "https://www.googleapis.com/admin/directory/v1/customer/$customer_id/orgunits"

这会产生输出：

*   Trying 216.58.196.138...
* Connected to www.googleapis.com (216.58.196.138) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 704 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*    server certificate verification OK
*    server certificate status verification SKIPPED
*    common name: *.googleapis.com (matched)
*    server certificate expiration date OK
*    server certificate activation date OK
*    certificate public key: RSA
*    certificate version: #3
*    subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=*.googleapis.com
*    start date: Wed, 05 Apr 2017 17:01:30 GMT
*    expire date: Wed, 28 Jun 2017 16:56:00 GMT
*    issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
*    compression: NULL
* ALPN, server accepted to use http/1.1
> POST /admin/directory/v1/customer/.../orgunits HTTP/1.1
> Host: www.googleapis.com
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Type: application/json
> Authorization: Bearer ...
> Content-Length: 157
> 
* upload completely sent off: 157 out of 157 bytes
< HTTP/1.1 401 Unauthorized
< Vary: X-Origin
< WWW-Authenticate: Bearer realm="https://accounts.google.com/", error=invalid_token
< Content-Type: application/json; charset=UTF-8
< Date: Sat, 15 Apr 2017 06:26:27 GMT
< Expires: Sat, 15 Apr 2017 06:26:27 GMT
< Cache-Control: private, max-age=0
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Alt-Svc: quic=":443"; ma=2592000; v="37,36,35"
< Accept-Ranges: none
< Vary: Origin,Accept-Encoding
< Transfer-Encoding: chunked
< 
{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "required",
    "message": "Login Required",
    "locationType": "header",
    "location": "Authorization"
   }
  ],
  "code": 401,
  "message": "Login Required"
 }
}

这里肯定存在一些问题：我似乎正在获得一个有效的令牌，（看起来像ya29.ElouBGKFig-nXZ9uykyGoDr0hxAxG5PMJTUh3VmtAtj2SAdYEbH2Coumjp5XoaF232oVx3--2EpTyNi5NgFBNrLINJij9tGL3-64MshEXjHhvkH-1NESoxPeVAU）。我已按照所有说明here，启用了API访问权限，授权我的API客户端，所有内容;但仍然没有工作。我哪里出错？

Answer 1

尝试查看有关Directory API: Authorize Requests

的文档

  

您的应用程序发送到Directory API的每个请求都必须包含授权令牌。该令牌还可识别您的Google应用程序。

以下是Directory API的OAuth 2.0范围信息：

• https://www.googleapis.com/auth/admin.directory.orgunit - 访问所有组织单位操作的全球范围。
• https://www.googleapis.com/auth/admin.directory.orgunit.readonly - 仅检索组织单位的范围。

您可以查看OAuth 2.0 Playground，这是使用OAuth 2.0与Google进行的互动演示（包括使用您自己的客户端凭据的选项）。此外，还有许多快速入门可以帮助您正确授权管理SDK的请求。

希望这有帮助。