
Getting "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority" even though already granted Domain-Wide Delegation

I'm using a service account to create calendar entries and add new attendees. For creating new appointments there is no problem:

https://www.googleapis.com/calendar/v3/calendars/%7Bin_creator%7D/events

When adding new attendees, I get the error:

"Service accounts cannot invite attendees without Domain-Wide Delegation of Authority".

For adding new invitees I use:

https://www.googleapis.com/calendar/v3/calendars/%7BOwner%7D/events/%7Bmeeting_id%7D

All the information is in the body of the call (including the list of attendees). ({Owner} is the real owner of the calendar; it's not the service account.)

I'm the Google Workspace admin, so I already granted scopes in the Domain-wide Delegation screen to this service account:

The owner of the calendar granted the "Make Changes Event" permission to the service account.

The JWT for requesting the access token looks like:

{
  "iss": "xxxxxx.gserviceaccount.com",
  "scope": "https://www.googleapis.com/auth/calendar https://googleapis.com/auth/calendar.events https://googleapis.com/auth/admin.directory.resource.calendar",
  "aud": "https://oauth2.googleapis.com/token",
  "exp": "{exp}",
  "iat": "{iat}"
}

I've tried calling the APIs using Oracle PL/SQL / APEX using:

apex_web_service.make_rest_request(
  p_url => t_url, 
  p_http_method => 'POST', 
  p_body => t_json_in, 
  p_parm_name => apex_util.string_to_table(
    'conferenceDataVersion:supportsAttachments:maxAttendees:sendNotifications:sendUpdates'
  ), 
  p_parm_value => apex_util.string_to_table('1:True:12:False:False')
);
where
  t_url: variable containing the target endpoint: https://www.googleapis.com/calendar/v3/calendars/{Owner}/events/{meeting_id}, which returns a CLOB containing a JSON
  t_json_in: variable with a JSON with all the event data

This function returns a CLOB with a JSON:

{
  "error": {
    "errors": [
      {
        "domain": "calendar",
        "reason": "forbiddenForServiceAccounts",
        "message": "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
      }
    ],
    "code": 403,
    "message": "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
  }
}

For delegation, the JWT for the access token request needs to include the sub claim. See: service-account

sub: The email address of the user for which the application is requesting delegated access.

This is the email address of the owner of the account for which delegation has been configured. The service account itself may have read access, but to have write access it needs to be delegated.

{
  "iss": "xxxxxx.gserviceaccount.com",
  "sub": "owner@yourdomain.com",
  "scope": "https://www.googleapis.com/auth/calendar https://googleapis.com/auth/calendar.events https://googleapis.com/auth/admin.directory.resource.calendar",
  "aud": "https://oauth2.googleapis.com/token",
  "exp": "{exp}",
  "iat": "{iat}"
}
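
The following Python check is an added example, not part of the original question or answer: it decodes the payload of a JWT assertion (without verifying the signature) and reports what keeps it from being a delegated request, based on the sub requirement described in the answer and Google's documented rules for aud, iat and exp. The function names, the service account address and the dummy signature are constructed for illustration.

```python
import base64
import json
import time

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
MAX_LIFETIME = 3600  # Google caps exp at one hour after iat


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_assertion(claims: dict) -> str:
    """Build header.payload.signature with a dummy signature (constructed sample)."""
    header = {"alg": "RS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p).encode()) for p in (header, claims)]
    return ".".join(parts + [b64url(b"not-a-real-signature")])


def check_delegation_claims(assertion: str) -> list:
    """List the problems that stop this assertion from being a delegated request."""
    payload = assertion.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    problems = []
    if not claims.get("sub"):
        problems.append("sub missing: token is issued to the service account itself")
    if claims.get("aud") != TOKEN_ENDPOINT:
        problems.append("aud is not the token endpoint")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int)):
        problems.append("iat/exp must be integer epoch seconds")
    elif not 0 < exp - iat <= MAX_LIFETIME:
        problems.append("exp must be at most one hour after iat")
    if not claims.get("scope", "").split():
        problems.append("scope is empty")
    return problems


now = int(time.time())
base = {"iss": "sa@example-project.iam.gserviceaccount.com",  # constructed address
        "scope": "https://www.googleapis.com/auth/calendar",
        "aud": TOKEN_ENDPOINT, "iat": now, "exp": now + 3600}
without_sub = make_unsigned_assertion(base)  # shape of the question's claim set
with_sub = make_unsigned_assertion({**base, "sub": "owner@yourdomain.com"})

if __name__ == "__main__":
    print(check_delegation_claims(without_sub))
    print(check_delegation_claims(with_sub))
```

Running the check on the assertion just before it is posted to the token endpoint shows whether the resulting access token will act as the calendar owner or as the service account.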
