google-api google-plus google-apps google-api-python-client google-admin-sdk

Google Plus Domains API AccessTokenRefreshError


I'm attempting to use the Google+ Domains API to provision circles for my Google Apps domain. I'm using domain-wide delegation as per https://developers.google.com/+/domains/authentication/delegation which I have already used successfully for group, user and calendar provisioning. In the API console, I've added the Google+ API and Google+ Domains API to the API project. I've tried using both the pre-existing key, and generating a new one. When I attempt to run the following code:

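import httplib2
from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials

service_account_email='[email protected]'
# Private key file downloaded for the service account
with open("path/to/keyfile","rb") as f:
    key=f.read()
# Domain user the service account impersonates (domain-wide delegation)
user_email='[email protected]'
SCOPES_PLUS = [
  'https://www.googleapis.com/auth/plus.me',
  'https://www.googleapis.com/auth/plus.stream.write',
]
credentials = SignedJwtAssertionCredentials(service_account_email, key,
                                            scope=SCOPES_PLUS, sub=user_email)
http = httplib2.Http()
http = credentials.authorize(http)
# The first authorized request (made inside build()) triggers the token refresh
plus = build(serviceName='plus', version='v1domains', http=http)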

I get

AccessTokenRefreshError: access_denied

when it hits the build() call.

However, the exact same code (with different scopes and services) works for the directory service, groupssettings service and calendar service.

I have tried with both a role account as the sub email address, and as my own (super-admin) account.

Any ideas?


Solution

  • Did you remember to give the service account authorization for the new scopes in the Control Panel for the domain? The process is described in the Drive documentation. Be sure to enter the Google Plus Domains scopes as well as the Directory and Group Settings scopes as any changes overwrite your existing authorizations.
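A way to check the scope authorization described in the answer above, as an added example that is not part of the original question or answer. The helper names and the `AUTHORIZED` list are assumptions made for illustration: `AUTHORIZED` is a constructed stand-in for whatever the domain has already granted, and `probe_scopes` requests a token one scope at a time to show which scope is rejected.

```python
# Added example; helper names are hypothetical, not part of oauth2client.

# Constructed sample: scopes assumed to be authorized already for the
# service account's client ID in the domain control panel.
AUTHORIZED = [
    'https://www.googleapis.com/auth/admin.directory.user',
    'https://www.googleapis.com/auth/apps.groups.settings',
    'https://www.googleapis.com/auth/calendar',
]
# Scopes requested by the code in the question.
SCOPES_PLUS = [
    'https://www.googleapis.com/auth/plus.me',
    'https://www.googleapis.com/auth/plus.stream.write',
]

def missing_scopes(requested, authorized):
    """Requested scopes that are absent from the domain's authorization."""
    granted = {s.strip() for s in authorized}
    return [s for s in requested if s.strip() not in granted]

def console_scope_field(authorized, requested):
    """Complete comma-separated value to enter: existing grants first, then
    the new scopes, de-duplicated. Saving only the new ones drops the rest."""
    merged = []
    for scope in list(authorized) + list(requested):
        scope = scope.strip()
        if scope and scope not in merged:
            merged.append(scope)
    return ','.join(merged)

def probe_scopes(scopes, fetch_token):
    """Request a token per scope; map scope -> None (ok) or error text."""
    results = {}
    for scope in scopes:
        try:
            fetch_token([scope])
            results[scope] = None
        except Exception as exc:  # oauth2client raises AccessTokenRefreshError
            results[scope] = str(exc)
    return results

def oauth2client_fetcher(service_account_email, key, user_email):
    """fetch_token callable using the same oauth2client class as the question."""
    import httplib2
    from oauth2client.client import SignedJwtAssertionCredentials
    def fetch(scopes):
        creds = SignedJwtAssertionCredentials(service_account_email, key,
                                              scope=scopes, sub=user_email)
        creds.refresh(httplib2.Http())  # raises if the scope is not delegated
    return fetch
```

Authorizing only the scopes that `missing_scopes` reports, on top of the existing ones, keeps the delegation no broader than the code needs.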