stackoom
  简体   繁体   中英

Google Directory API: Unable to access User/Group endpoints using Service Account (403)

 原文  2020-04-14 15:41:33       node.js/ google-api/ google-workspace

Question

I am trying to verify members of groups using the Google Directory API and cannot get past a 403 error every time I make the request.

I am using a service account, which I have enabled the "Enable G Suite Domain-wide Delegation" option for. I have also added the " https://www.googleapis.com/auth/admin.directory.user , https://www.googleapis.com/auth/admin.directory.group " Scopes using the Client ID within Suite under, "Manage API Client Access"

Code wise, I am using Node for this, and the google supplied googleapis package from NPM.

The external JSON file is the JSON credentials file downloaded when I created the service user.

Here's the code of me trying to get the request.

import { google } from 'googleapis';

async function getGroupUsers(){
const auth = await google.auth.getClient({
    keyFile: './src/jwt.keys.json',
    scopes: [
      'https://www.googleapis.com/auth/admin.directory.group',
      'https://www.googleapis.com/auth/admin.directory.group.member',
    ],
  });
  const admin = google.admin({
    version: 'directory_v1',
    auth,
  });

  const res = await admin.groups.get({
    groupKey: 'redacted@domain.redacted',
  });
  console.log(res)
}

I can't see any obvious reason this isn't working, as I can't see how the user doesn't have permission to the resource?

Obviously missing something obvious here, as the google documentation for this is all over the shop sadly.

Help greatly appreciated!

Thanks

Gareth

1 answers

solution1
 0 ACCPTED  2020-04-15 14:01:28

Ok after much banging of head and googling I finally for there with this, final working code is as follows, not the inclusion of the client.subject value, which has to be an administrator for the domain in question.

async function validateToken(idToken) {

  const keys = JSON.parse(GOOGLE_CREDS);

  const client = auth.fromJSON(keys);

  client.scopes = [
    'https://www.googleapis.com/auth/admin.directory.user',
    'https://www.googleapis.com/auth/admin.directory.group',
  ];

  client.subject = 'admin@gsuite.domain';

  const admin = google.admin({
    version: 'directory_v1',
    // auth,
    auth: client,
  });

  const res = await admin.groups.list({
    domain: 'redacted',
    userKey: email,
  });

  const { groups } = res.data;
  let role = '';

  // Check for user role
  if (containsGroup(USER_GROUP, groups)) {
    role = USER_GROUP;
  }

  // Check for admin role
  if (containsGroup(ADMIN_GROUP, groups)) {
    role = ADMIN_GROUP;
  }

  // Not an admin or user so return unathenticated
  if (role === '') {
    return authResponse();
  }

  return successResponse({
    'X-Hasura-User-Id': userid,
    'X-Hasura-Email': email,
    'X-Hasura-Role': role,
    'X-Hasura-Groups': groups.map(group => group.id),
    'Cache-Control': 'max-age=600',
  });
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question google api service account Access user task list Google directory API using Service account - error self signed cert Access Google Container builder logs with a service account - 403 Forbidden Error Google-api-nodejs-client: Using service account to call directory api returns invalid inputs Unable to write through service account access in google spread sheet api (node js) Google Datastore access using Service Account Keys List all existing calendar resources with Google service account (Directory API) Google API Service Account - Can't Access Private Data Google API Service Account and nodejs Problems authenticating Service Account for google reseller api using the nodejs library
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM