Google Directory API Access using Java

Question

I am trying to fetch and update the Users of my domain using Google Admin API

  private static final JsonFactory JSON_FACTORY = JacksonFactory.getDefaultInstance();
  private static final List<String> SCOPES = Arrays.asList(
      "https://www.googleapis.com/auth/admin.directory.user",
      "https://www.googleapis.com/auth/admin.directory.user.readonly");

  public static void main(String[] args) {
    try {
      HttpTransport httpTransport = new NetHttpTransport();


      GoogleCredential credential =
          new GoogleCredential.Builder()
              .setTransport(httpTransport)
              .setJsonFactory(JSON_FACTORY)
              .setServiceAccountId(
                  "xxxxx-yyyyy@developer.gserviceaccount.com")
              .setServiceAccountUser("sysadmin@mydomain.com")
              .setServiceAccountScopes(SCOPES)
              .setServiceAccountPrivateKeyFromP12File(
                  new File("C:\\privatekey.p12")).build();

      Directory admin =
          new Directory.Builder(httpTransport, JSON_FACTORY, credential)
              .setApplicationName("User Sync Service")
              .setHttpRequestInitializer(credential).build();

      Directory.Users.List list = admin.users().list();
      list.setDomain("mydomain.com");
      Users users = list.execute();
      System.out.println("************");
    } catch (Exception e) {
      e.printStackTrace();
    }
  }

I am getting this error

com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request
{
  "error" : "access_denied"
}
    at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105)
    at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:287)
    at com.google.api.client.auth.oauth2.TokenRequest.execute(TokenRequest.java:307)
    at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.executeRefreshToken(GoogleCredential.java:269)
    at com.google.api.client.auth.oauth2.Credential.refreshToken(Credential.java:489)
    at com.google.api.client.auth.oauth2.Credential.intercept(Credential.java:217)
    at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:858)

Screenshots:

Answer 1

The specific error you are seeing probably means that you did not give the service account access to the Google Apps domain in the CPanel's 3rd party OAuth settings. This step is described in the Google Drive domain-wide delegation documentation (just sub in the Directory scopes).

Also, rather than using a service account, you may just want to use a regular OAuth 2.0 token for web servers or installed applications . It's still not as simple as just supplying an admin user/pass but it's simpler than service accounts and it's much more secure than user/pass access since you're scoping the access and not touching the user password directly.