假冒用户的Google API +服务帐户

Question

我要训练的是获取单个组的所有成员，然后下载他们在gmail中拥有的所有电子邮件标头。为此，我从谷歌gmail API和成员api开始，但是我陷入了困境。我意识到即使拥有管理员角色也无法做到这一点。

我发现正确的方法（我认为...）是使用模拟用户的服务帐户。我做了什么：

1. 创建一个新项目。
2. 创建服务帐户凭据。
3. 将域范围的委派添加到服务帐户。
4. 为此项目启用范围。

创建服务的代码：

{
    tokens=[
            LEFT_PAREN='('
            RIGHT_PAREN=')'
            PIPE='|'
            AT='@'
            IDENTIFIER="regexp:[_A-Za-z][_0-9A-Za-z]*"
            WHITE_SPACE = 'regexp:\s+'
    ]
}

Document ::= Definition*
Definition ::=  DirectiveTypeDef | ScalarTypeDef
NamedTypeDef ::= IDENTIFIER

// I.E. @foo @bar(a: 10) @baz
DirectivesDeclSet ::= DirectiveDecl+
DirectiveDecl ::= AT TypeName

// I.E. directive @example on FIELD_DEFINITION | ARGUMENT_DEFINITION
DirectiveTypeDef ::= 'directive' AT NamedTypeDef DirectiveLocationsConditionDef
DirectiveLocationsConditionDef ::= 'on' DirectiveLocation DirectiveAddtlLocation*
DirectiveLocation ::= IDENTIFIER
DirectiveAddtlLocation ::= PIPE? DirectiveLocation

TypeName ::= IDENTIFIER

// I.E. scalar DateTime @foo
ScalarTypeDef ::= 'scalar' NamedTypeDef DirectivesDeclSet?

会员等级：

from __future__ import print_function
from googleapiclient.discovery import build
from httplib2 import Http
from oauth2client import file, client, tools
from google.oauth2 import service_account
import requests
import json

class Service:

    SCOPES = ['https://mail.google.com/',
            'https://sites.google.com/feeds',
            'https://www.google.com/m8/feeds',
            'https://www.googleapis.com/auth/activity',
            'https://www.googleapis.com/auth/calendar',
            'https://www.googleapis.com/auth/drive',
            'https://www.googleapis.com/auth/gmail.settings.basic',
            'https://www.googleapis.com/auth/gmail.settings.sharing',
            'https://www.googleapis.com/auth/plus.login',
            'https://www.googleapis.com/auth/plus.me',
            'https://www.googleapis.com/auth/userinfo.email',
            'https://www.googleapis.com/auth/userinfo.profile',
            'https://www.googleapis.com/auth/admin.directory.group',
            'https://www.googleapis.com/auth/gmail.metadata'
            ]

    secret_file = 'client-secret.json'
    service = ''
    service_name = ''
    service_version = ''
    delegated_credentials = ''
    credentials = ''

    def __init__(self, servicename, serviceversion):
        self.service_name = servicename
        self.service_verion = serviceversion
        self.newService()

    def newService(self):
        self.credentials = service_account.Credentials.from_service_account_file(self.secret_file, scopes=self.SCOPES)
        self.credentials = self.credentials.with_subject('admin@domain.com')
        self.service = build(self.service_name, self.service_verion, credentials=self.credentials)
        return self.service

if __name__ == '__main__':
    main()

app.py：

from __future__ import print_function
from googleapiclient.discovery import build
from httplib2 import Http
from oauth2client import file, client, tools
from service import Service
import requests
import json

class Members:

    service = ''
    group_name = ''
    members = []

    def __init__(self, groupname):
        self.group_name = groupname
        self.service = Service('admin', 'directory_v1')

    def get_members(self):
        print('Buscando los miembros del grupo')
        results = self.service.service.members().list(groupKey=self.group_name).execute()
        for member in results['members']:
            print('Descargando datos de: ', member['email'])
            self.members.append(member['id'])

        return self.members


if __name__ == '__main__':
    main()

我遇到的错误：

  

“客户无权使用此方法检索访问令牌，   或客户无权获得任何要求的范围。”