Login Required 401 using Google ServiceAccountCredential using Google Admin Directory API
I have tried to follow the simple example listed here: https://developers.google.com/admin-sdk/directory/v1/quickstart/dotnet
The difference is I generated a Service Account Credential, and assigned it as a Delegate with the Role Project Owner, so it has full access. I also assigned it the proper namespaces for scopes.
Here it has access to orgunits which is what I'm trying to list in the Directory API
Here is my service account defined
Here are my credentials
I downloaded the JSON for the credential and added it to my project. I can confirm that the code loades the ServiceAccountCredential and successfully authenticates and gets an access token by inspecting the debugger.
But then I pass the credential to the Service Initializer, and when I create and execute a request it fails with
{"Google.Apis.Requests.RequestError\r\nLogin Required [401]\r\nErrors [\r\n\tMessage[Login Required] Location[Authorization - header] Reason[required] Domain[global]\r\n]\r\n"}
Here's the code:
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;
using System;
using System.Collections.Generic;
using System.IO;
namespace DirectoryQuickstart
{
class Program
{
static string[] Scopes = { DirectoryService.Scope.AdminDirectoryUser, DirectoryService.Scope.AdminDirectoryOrgunit };
static string ApplicationName = "slea-crm";
static string Secret = "gsuite-secret.json";
static void Main(string[] args)
{
ServiceAccountCredential sac = GoogleCredential.FromFile(Secret).CreateScoped(Scopes).UnderlyingCredential as ServiceAccountCredential;
var token = sac.GetAccessTokenForRequestAsync().Result;
// Create Directory API service.
var service = new DirectoryService(new BaseClientService.Initializer()
{
HttpClientInitializer = sac,
ApplicationName = ApplicationName,
});
OrgunitsResource.ListRequest request = service.Orgunits.List(customerId: "REDACTED");
IList<OrgUnit> orgUnits = request.Execute().OrganizationUnits;
if (orgUnits != null && orgUnits.Count > 0)
{
foreach (var orgUnit in orgUnits)
{
Console.WriteLine("{0} ({1})", orgUnit.Name, orgUnit.OrgUnitPath);
}
}
else
{
Console.WriteLine("No orgunits found.");
}
Console.Read();
}
}
}
Here is the content of my JSON secret (with redactions)
What am I missing here?
EDIT: OK, I breakpoint the code while it generates the request, and I can see that no where does it set the Authorization token bearer in the headers. Why? I would expect this HttpClientInitializer class to take care of that, since the API docs say it knows how to handle that, and every example on the internet I've found shows it just passing the credential into the service initializer. But when I walked through it, even though the credential has already been granted an access token and one exists within it, nowhere does the request have the header updated.
The only thing I can see is there is some way to add an HTTP request interceptor where possibly I could do this myself, but wow, this seems really...bizarre -- after all this work they did on the dotnet client SDK, I honestly could have just written direct to the HTTP API and it would have been a lot simpler and easier to follow.
The missing piece of the puzzle is this line:
ServiceAccountCredential sac = GoogleCredential.FromFile(Secret)
.CreateScoped(Scopes)
.UnderlyingCredential as ServiceAccountCredential;
Needs to be modified to this:
static string userName = "[email protected]" // valid user in your org
ServiceAccountCredential sac = GoogleCredential.FromFile(Secret)
.CreateScoped(Scopes)
.CreateWithUser(userName)
.UnderlyingCredential as ServiceAccountCredential;
Java/Python/Go sample of doing similar is here: https://developers.google.com/admin-sdk/directory/v1/guides/delegation#create_the_service_account_and_its_credentials
- How can I get all users on Google admin_sdk?
- Google PlayIntegrity API: a Nightmare
- How to download the images using google custom search api?
- How can i get the "userId" of google account to impact with their api?
- Google Sheets API localhost refused to connect when authorizing
- File exists but I get a 404 error when reading it in Google Docs
- Trouble fetching JSON data with Google API on iOS
- Need help adding a Google Group to a Google Chat Space
- Google Cloud Translation API (AdaptiveMtTranslateRequest): Cannot Pass a List of Strings as Content
- Error: 10: Developer console is not set up correctly (Not Using Firebase) (One Tap sign-up)
- Why Google native oauth2 flow require client secret?
- Download files from Google Drive using Python and service account
- "Invalid recurrence rule" on some ICS files
- Google API access without using a private Google account
- What kind of string does snippet.defaultLanguage take?
- Querying a Google Sheet API using GViz
- Get user info via Google API
- Google Classroom Overall Grades are Off
- HTTP Google Sheets API v4 how to access without OAuth 2.0?
- How to display messages as list in gmail api?
- Complete List of all Google APIs?
- Programmatically get Google results onto web page
- Get full responses from api call
- Do Google refresh tokens expire?
- Is it possible to add more scopes to NextAuth provider during session?
- Is it possible to get the "Popular times" information through the Google Places API
- How to verify a token received from chrome.identity.getAuthToken() in the backend?
- Getting no access_token but id_token from Google OAuth2
- for loop in Google Apps script to add specific values from a json response to a Google sheet
- Google-pay-button paymentRequest typeErrors when building