I've created a Service Account client via console.developers.google.com. Generated keys, a .p12 cert, enabled DwD, and so on. Then I continued as described in the Admin API reference (HTTP/REST version). That included assigning scopes to this client ID at Google Admin -> Security -> Advanced Settings.

[Image: Current admin security config state]

After I successfully exchanged the code for an access token and made a request for the list of users under my domain, I got this response.
    {
      "error": {
        "errors": [
          {
            "domain": "global",
            "reason": "forbidden",
            "message": "Not Authorized to access this resource/api"
          }
        ],
        "code": 403,
        "message": "Not Authorized to access this resource/api"
      }
    }
The request is a GET with Authorization: Bearer ya29.ElrxA8F[rest of acctoken], and the Google dev console dashboard shows a chart with the error requests at Admin SDK.
You must make your client impersonate a designated user.

So I missed the "sub" parameter in the JSON auth payload. This is the correct JSON object (of course with your IDs, etc.) that you need to use to access the Admin SDK from a Service Account:
    {
      "iss": "761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
      "sub": "some.user@example.com",
      "scope": "https://www.googleapis.com/auth/prediction",
      "aud": "https://www.googleapis.com/oauth2/v4/token",
      "exp": 1328554385,
      "iat": 1328550785
    }
Take a look at the Google Admin SDK reference for more details (the part about the "sub" parameter).
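As an added example (not code from the original post or from Google), the sketch below builds the claim set with and without "sub" and runs a preflight check on the unsigned assertion, so the missing-impersonation case is caught before the 403. The service account address, the admin user and the `admin.directory.user.readonly` scope are assumed placeholder inputs; RS256 signing with the service account key is left out because it needs a crypto library.

```python
import base64
import json
import time

# Token endpoint used as "aud" in the answer's claim set.
TOKEN_URL = "https://www.googleapis.com/oauth2/v4/token"
# Admin SDK scopes share this prefix, e.g. .../auth/admin.directory.user.readonly
ADMIN_SCOPE_PREFIX = "https://www.googleapis.com/auth/admin."

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_claims(service_account, scopes, subject=None, now=None, lifetime=3600):
    """Claim set for the JWT assertion; `subject` is the user to impersonate."""
    now = int(time.time()) if now is None else now
    claims = {"iss": service_account, "scope": " ".join(scopes),
              "aud": TOKEN_URL, "iat": now, "exp": now + lifetime}
    if subject:
        claims["sub"] = subject
    return claims

def signing_input(claims):
    """header.payload, the string that is RS256-signed with the service account key."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims))

def decode_claims(assertion):
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(assertion):
    """List claim problems that can be caught before the token exchange."""
    c = decode_claims(assertion)
    problems = []
    scopes = c.get("scope", "").split()
    if any(s.startswith(ADMIN_SCOPE_PREFIX) for s in scopes) and not c.get("sub"):
        problems.append('no "sub": Admin SDK calls need an impersonated user')
    if c.get("aud") != TOKEN_URL:
        problems.append('"aud" is not the token endpoint')
    if c.get("exp", 0) - c.get("iat", 0) > 3600:
        problems.append('"exp" is more than one hour after "iat"')
    return problems

if __name__ == "__main__":
    scope = ["https://www.googleapis.com/auth/admin.directory.user.readonly"]
    sa = "sa-name@example-project.iam.gserviceaccount.com"  # constructed placeholder
    for sub in (None, "admin@example.com"):  # constructed placeholder user
        print(sub, preflight(signing_input(build_claims(sa, scope, sub))))
```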