users.list返回403错误:未获得访问此资源/ api的权限
[英]users.list returns 403 Error: Not Authorized to access this resource/api
问题描述
I am trying to retrieve a list of users using the node.js googleapis library and a service account. 
我正在尝试使用node.js googleapis库和服务帐户来检索用户列表。
I followed this guide to 'Perform Google Apps Domain-Wide Delegation of Authority'. 我按照此指南进行了“执行Google Apps域范围的授权”。 There are examples for Java and Python, but unfortunately not for node.js, which seems to work rather differently. 有一些Java和Python的示例,但是不幸的是,没有node.js的示例,它们的工作方式似乎大不相同。
I tried following the quickstart and completed the first two steps, but then it uses a manual OAuth flow instead of a service account. 我尝试按照快速入门并完成了前两个步骤,但是随后它使用了手动OAuth流程而不是服务帐户。
So I tried to follow the example here to authorize using a service account. 因此,我尝试按照此处的示例授权使用服务帐户。 That all seems to work until I send the request, then I get an error: Error: Not Authorized to access this resource/api with code: 403. 在我发送请求之前,这一切似乎都可以正常工作,然后出现错误: Error: Not Authorized to access this resource/api使用代码403 Error: Not Authorized to access this resource/api 。
Here's my code: 这是我的代码:
var google = require('googleapis'),
GoogleAuth = require('google-auth-library'),
authFactory = new GoogleAuth(),
admin = google.admin('directory_v1')
authFactory.getApplicationDefault(function (err, authClient) {
console.log('GOT APPLICATION DEFAULT', authClient)
if (err) {
console.log('Authentication failed because of ', err);
return;
}
if (authClient.createScopedRequired && authClient.createScopedRequired()) {
console.log('SCOPE REQUIRED')
var scopes = ['https://www.googleapis.com/auth/admin.directory.user'];
authClient = authClient.createScoped(scopes);
}
var request = {
auth: authClient,
domain: 'mydomain.com'
};
console.log('request:', request)
admin.users.list(request, function (err, result) {
if (err) {
console.log('admin.users.list error', err);
} else {
console.log(result);
}
});
});
What have I missed please? 我想念什么?
1 个解决方案
解决方案1
0 2016-11-03 16:37:46
After several hours of experimenting I came to the conclusion that this particular API cannot be accessed with a service account. 经过几个小时的试验,我得出的结论是,无法使用服务帐户访问此特定的API。 Although it is not explicitly stated in the docs anywhere that I could find, the quickstart seems to overcome this limitation by using an OAuth process and then storing in a file the tokens required to authorize future requests. 尽管我在任何地方都找不到文档中明确说明的内容,但快速入门似乎通过使用OAuth流程并在文件中存储授权将来的请求所需的令牌来克服了这一限制。 If I'm wrong please add a better answer! 如果我错了,请添加更好的答案!
My solution is to use the quickstart project to generate those tokens and then add the credentials and tokens from the quickstart to my project and use them whenever my server starts, something like: 我的解决方案是使用quickstart项目生成这些令牌,然后将快速入门中的凭据和令牌添加到我的项目中,并在服务器启动时使用它们,例如:
let tokens = require('./credentials/tokens.json'),
credentials = require('./credentials/oauth_credentials.json'),
clientSecret = credentials.installed.client_secret,
clientId = credentials.installed.client_id,
redirectUrl = credentials.installed.redirect_uris[0],
google = require('googleapis'),
GoogleAuth = require('google-auth-library'),
authFactory = new GoogleAuth(),
admin = google.admin('directory_v1'),
oauth2Client = new authFactory.OAuth2(clientId, clientSecret, redirectUrl);
oauth2Client.credentials = tokens;
let request = {
auth: oauth2Client,
domain: 'coachaxis.com'
};
console.log('request:', request)
admin.users.list(request, function (err, result) {
if (err) {
console.log('admin.users.list error', err);
} else {
console.log(result);
}
});
It's not elegant but it works. 它不优雅,但可以。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.