具有域范围委托的 Google 日历 API：events.watch 方法失败并显示“请求缺少有效的 API 密钥”

Question

Background

I have followed all of the steps for domain wide delegation. An example of this is the ability to sign in with the service account json, impersonate users in my Google Workspace account and list their events (see example below).

# list-events.py
from googleapiclient.discovery import build
from oauth2client.service_account import ServiceAccountCredentials
from pprint import pprint

def create_calendar_api_service(service_acc_filepath):
    """Build and return a Google Calendar service object authorized with the service
    account that acts on behalf of a given user.

    Args:
        service_acc_filepath: path to service account json with domain wide delegation enabled.
    """
    credentials = ServiceAccountCredentials.from_json_keyfile_name(
        service_acc_filepath, scopes=str(SCOPES)
    )
    # impersonate user with emailaddress=calendarId
    delegate = credentials.create_delegated(USER_EMAIL)
    return build("calendar", "v3", credentials=delegate)


if __name__ == "__main__":
    UUID = get_uuid()
    SCOPES = "https://www.googleapis.com/auth/calendar"
    SERVICE_ACCOUNT_FILE_PATH = "./workspace-sa/my-project-d2355248f03f.json"
    USER_EMAIL = "workspace-user-1@company.com"
    BASE_URL = "https://acf1-92-233-162-75.eu.ngrok.io"

    
    # get authenticated object to interact with Google API.
    my_service = create_query_api_service(SERVICE_ACCOUNT_FILE_PATH)

    req = my_service.events().list(calendarId=f"{USER_EMAIL}").execute()

The problem I am having is that the same setup doesn't let me receive notifications from the watch() method...

# watch-for-events.py
...
body = {
        "id": f"{UUID}",
        "type": "webhook",
        "address": f"{BASE_URL}/calendar-push",  # The URL to which notifications are delivered for this channel.
    }

my_service = create_calendar_api_service(SERVICE_ACCOUNT_FILE_PATH)

req = my_service.events().watch(calendarId=f"{USER_EMAIL}", body=body).execute()

Running the watch() method returns the following to the terminal.

{'expiration': '1669901130000',
 'id': '0184a9d0-8b55-c62d-ee15-84891fcf1014',
 'kind': 'api#channel',
 'resourceId': '7kxHSfF9AbNVLSXk5cxPcmgfhAg',
 'resourceUri': 'https://www.googleapis.com/calendar/v3/calendars/workspace-user-1%40company.com/events?alt=json'}

Upon following the resourceUri I see the aforementioned error message.

{
  "error": {
    "code": 403,
    "message": "The request is missing a valid API key.",
    "errors": [
      {
        "message": "The request is missing a valid API key.",
        "domain": "global",
        "reason": "forbidden"
      }
    ],
    "status": "PERMISSION_DENIED"
  }
}

The Main Problem

very single change in the target calendar hits my https webhook/endpoint with a 400 BAD REQUEST .

I cannot even read the request in my Flask backend.

Question

Can someone please help me understand why I am not able to receive push notifications (why they all return 400 BAD REQUEST)?

PS: I have read that I can provide some further access credentials via a bearer token in the header. But there is no header attribute in these methods.

Here are the images below for the workspace admin settings in question:

Endpoint code

@app.route("/calendar-push", methods=["GET", "POST"])
def add_message():
    app.logger.info("HIT THE /calendar_push ROUTE")
    content = request.json
    app.logger.info(content)
    return request.json

Output from flask endpoint after moving calendar events

127.0.0.1 - - [24/Nov/2022 17:39:50] "POST /calendar-push HTTP/1.1" 400 -

Answer 1

'resourceUri': 'https://www.googleapis.com/calendar/v3/calendars/workspace-user-1%40company.com/events?alt=json'

All that is is telling you what notification endpoint the message response is for.

In which case you will need to do a

events = service.events().list(calendarId='workspace-user-1%40company.com').execute()

Your getting missing api key because your calling the endpoint without first being authorized.

Authorize the call then check it and you will get a response.