[英]How do I use JWT to access Google Directory (Admin SDK) using NodeJS client libraries?
I'm trying to make a server application that will add/remove users to my domain's groups. 我正在尝试创建一个服务器应用程序,将用户添加/删除到我的域组。 Note that it will not have any interaction with users, it is server-to-server application.
请注意,它不会与用户进行任何交互,而是服务器到服务器应用程序。
I registered my application in the Google API Console, downloaded the key and transformed it to .pem by issuing 我在Google API控制台中注册了我的应用程序,下载了密钥并通过发布将其转换为.pem
openssl pkcs12 -in my_google_key.p12 -out my_google_key.pem -nocerts -nodes
Then I've been to the Domain Administration, Security -> Advanced Settings -> Authentication -> Manage OAuth Client access. 然后我去过域管理,安全 - >高级设置 - >身份验证 - >管理OAuth客户端访问。 There I added a record in Authorized API clients.
在那里,我在授权API客户端中添加了一条记录。 I used the Client ID I got from the Service Account in Console and used scope:
我使用了从控制台中的服务帐户获得的客户端ID并使用了范围:
https://www.googleapis.com/auth/admin.directory.group.
I installed googleapis for nodejs, using 我安装了googleapis for nodejs,使用
npm install googleapis
And here's my code: 这是我的代码:
var googleapis = require('googleapis');
var SERVICE_ACCOUNT_EMAIL = 'My Service Account E-mail Address';
var SERVICE_ACCOUNT_KEY_FILE = 'my_google_key.pem'; // The .pem file is at the root of my application
var jwt = new googleapis.auth.JWT(
SERVICE_ACCOUNT_EMAIL,
SERVICE_ACCOUNT_KEY_FILE,
null,
['https://www.googleapis.com/auth/admin.directory.group']
);
var client;
googleapis
.discover('admin', 'directory_v1')
.execute(function(err, data) {
client = data;
jwt.authorize(function(err, result) {
console.log(jwt);
client.admin.groups.list({
"customer": "my_customer", // This is actually "my_customer"
"domain": "domain.com" // The domain name I administer
})
.withAuthClient(jwt)
.execute(function(err, result) {
console.log(err);
console.log(result);
});
});
});
And the result of running this code is: 运行此代码的结果是:
{ errors:
[ { domain: 'global',
reason: 'forbidden',
message: 'Not Authorized to access this resource/api' } ],
code: 403,
message: 'Not Authorized to access this resource/api' }
What am I missing? 我错过了什么? How do I authorize my application with the Admin SDK?
如何使用Admin SDK授权我的应用程序?
1) Make sure you delegate domain wide authority to your service account. 1)确保您将域范围的权限委派给您的服务帐户。
2) Service Accounts must impersonate someone with access to the Admin SDK Directory API. 2)服务帐户必须模拟有权访问Admin SDK Directory API的人员。
Include it when initializing: 初始化时包含它:
var jwt = new googleapis.auth.JWT(
SERVICE_ACCOUNT_EMAIL,
SERVICE_ACCOUNT_KEY_FILE,
null,
['https://www.googleapis.com/auth/admin.directory.group'],
account_with_Admin_SDK_access_to_impersonate@example.com
);
This section of the docs explains both of these in detail : https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account 本部分文档详细说明了这两个方面 : https : //developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.