Google Directory API:无法使用服务帐户访问用户/组端点 (403)
[英]Google Directory API: Unable to access User/Group endpoints using Service Account (403)
问题描述
I am trying to verify members of groups using the Google Directory API and cannot get past a 403 error every time I make the request.
我正在尝试使用 Google Directory API 验证组成员,并且每次发出请求时都无法通过 403 错误。
I am using a service account, which I have enabled the "Enable G Suite Domain-wide Delegation" option for.我正在使用一个服务帐户,我已为其启用了“启用 G Suite 域范围委派”选项。 I have also added the " https://www.googleapis.com/auth/admin.directory.user , https://www.googleapis.com/auth/admin.directory.group " Scopes using the Client ID within Suite under, "Manage API Client Access"我还添加了“ https://www.googleapis.com/auth/admin.directory.user , https://www.googleapis.com/auth/admin.directory.group ”范围使用 Suite 下的客户端 ID , "管理 API 客户端访问"
Code wise, I am using Node for this, and the google supplied googleapis package from NPM.代码方面,我为此使用 Node,谷歌从 NPM 提供了 googleapis package。
The external JSON file is the JSON credentials file downloaded when I created the service user.外部 JSON 文件是我创建服务用户时下载的 JSON 凭据文件。
Here's the code of me trying to get the request.这是我试图获取请求的代码。
import { google } from 'googleapis';
async function getGroupUsers(){
const auth = await google.auth.getClient({
keyFile: './src/jwt.keys.json',
scopes: [
'https://www.googleapis.com/auth/admin.directory.group',
'https://www.googleapis.com/auth/admin.directory.group.member',
],
});
const admin = google.admin({
version: 'directory_v1',
auth,
});
const res = await admin.groups.get({
groupKey: 'redacted@domain.redacted',
});
console.log(res)
}
I can't see any obvious reason this isn't working, as I can't see how the user doesn't have permission to the resource?我看不到任何明显的原因这不起作用,因为我看不到用户如何没有对该资源的权限?
Obviously missing something obvious here, as the google documentation for this is all over the shop sadly.显然这里遗漏了一些明显的东西,因为这方面的谷歌文档可悲的是到处都是。
Help greatly appreciated!非常感谢帮助!
Thanks谢谢
Gareth加雷斯
1 个解决方案
解决方案1
0 已采纳 2020-04-15 14:01:28
Ok after much banging of head and googling I finally for there with this, final working code is as follows, not the inclusion of the client.subject value, which has to be an administrator for the domain in question.好吧,经过多次敲门和谷歌搜索后,我终于有了这个,最终的工作代码如下,不包含 client.subject 值,它必须是相关域的管理员。
async function validateToken(idToken) {
const keys = JSON.parse(GOOGLE_CREDS);
const client = auth.fromJSON(keys);
client.scopes = [
'https://www.googleapis.com/auth/admin.directory.user',
'https://www.googleapis.com/auth/admin.directory.group',
];
client.subject = 'admin@gsuite.domain';
const admin = google.admin({
version: 'directory_v1',
// auth,
auth: client,
});
const res = await admin.groups.list({
domain: 'redacted',
userKey: email,
});
const { groups } = res.data;
let role = '';
// Check for user role
if (containsGroup(USER_GROUP, groups)) {
role = USER_GROUP;
}
// Check for admin role
if (containsGroup(ADMIN_GROUP, groups)) {
role = ADMIN_GROUP;
}
// Not an admin or user so return unathenticated
if (role === '') {
return authResponse();
}
return successResponse({
'X-Hasura-User-Id': userid,
'X-Hasura-Email': email,
'X-Hasura-Role': role,
'X-Hasura-Groups': groups.map(group => group.id),
'Cache-Control': 'max-age=600',
});
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.