Getting a 403 - Forbidden for Google Service Account

Question

I am trying to get an access token for Google Service Account. Following is my code -

String SERVICE_ACCOUNT_EMAIL = "edited@developer.gserviceaccount.com";
List scope = new ArrayList();
scope.add("https://www.googleapis.com/auth/admin.directory.user");
String keyFile = "C:\\edited-privatekey.p12";
HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
JsonFactory JSON_FACTORY = new JacksonFactory();
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(HTTP_TRANSPORT)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId(SERVICE_ACCOUNT_EMAIL)
.setServiceAccountScopes(scope)
.setServiceAccountPrivateKeyFromP12File(new java.io.File(keyFile))
.build();

credential.refreshToken();
String accessTokens = credential.getAccessToken();

Although the code works fine and I do get an access token, when I try to use it to 'GET' a Google Apps User using the Google Directory APIs, I get a 403 - Forbidden response code. Could someone please help?
I know the code for GET user is correct because it works fine with the access token generated by Google Apps Admin.

Answer 1

You have to enable the specific api before using it inside https://console.developers.google.com/ library, to make it work with your api key. watch the video https://www.youtube.com/watch?v=s_G5CnAu69M.

Answer 2

Proceed to https://admin.google.com . Login and add Security control if not exists from More Controls. Click on Security->Advance Settings->Manage ThirdParty OAuth Client Access and check that those scopes are added(comma separated) for your xxxxxxxxxxxxxxxxxx.apps.googleusercontent.com service account id/client id.

Answer 3

You need to set an admin account with:

.setServiceAccountUser(some_admin_email)

And make sure your App (with the correct scopes) is granted access in the cpanel.