Fabian

Reputation: 103

Google Admin SDK - Exception access_denied Requested client not authorized

I hope someone can help me with this.

Please take a look at the source code below. When the Execute is hit at the end, I get the following error:

Google.Apis.Auth.OAuth2.Responses.TokenResponseException was unhandled _HResult=-2146233088 _message=Error:"access_denied", Description:"Requested client not authorized.", Uri:""

I have tried a lot of things. Creating user, list groups etc. etc. (with correct scopes) but every time I'm getting the same error.

I have created a service account and all of the APIs in the Google Developers Console are set to "on". The user I use for impersonation is a full administrator.

I have tried several things, but I must be doing something stupid. The code looks a lot like another issue on Stack Overflow: "Google Admin SDK Unable to Create User - Exception 403 Forbidden". But mine is not going to work. Can anyone tell me what I'm forgetting?

    using System;
    using System.Security.Cryptography.X509Certificates;
    using Google.Apis.Admin.Directory.directory_v1;
    using Google.Apis.Admin.Directory.directory_v1.Data;
    using Google.Apis.Auth.OAuth2;
    using Google.Apis.Services;

    class Program
    {
        // Scopes requested for the impersonated admin user.
        private static readonly string[] Scopes = new string[]
        {
            DirectoryService.Scope.AdminDirectoryUser,
            DirectoryService.Scope.AdminDirectoryGroup,
            DirectoryService.Scope.AdminDirectoryGroupMember
        };

        static void Main(string[] args)
        {
            String serviceAccountEmail = "***@developer.gserviceaccount.com";
            var certificate = new X509Certificate2(@"file.p12", "notasecret", X509KeyStorageFlags.Exportable);

            // Service account credential that impersonates the admin user.
            ServiceAccountCredential credential = new ServiceAccountCredential(
                new ServiceAccountCredential.Initializer(serviceAccountEmail)
                {
                    Scopes = Scopes,
                    User = "admin email address",
                }.FromCertificate(certificate));

            var service = new DirectoryService(new BaseClientService.Initializer()
            {
                HttpClientInitializer = credential,
                ApplicationName = "User Provisioning",
            });

            User newuserbody = new User();
            UserName newusername = new UserName();
            newuserbody.PrimaryEmail = "[email protected]";
            newusername.GivenName = "Bob";
            newusername.FamilyName = "Bacon";
            newuserbody.Name = newusername;
            newuserbody.Password = "iambacon";

            // The access token is requested on this first API call.
            User results = service.Users.Insert(newuserbody).Execute();

            Console.WriteLine("Press any key to continue!");
            Console.ReadKey();
        }
    }

Upvotes: 2

Views: 3806

Answers (1)

Emily

Reputation: 1474

In your admin console, did you specifically grant permission to the client ID? Just turning the API on in the developer console is not enough; you must specifically grant this client ID scope access in the admin console in order for it to impersonate a user in your domain.

  1. Go to your Google Apps domain’s Admin console.

  2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.

  3. Select Advanced settings from the list of options.

  4. Select Manage third party OAuth Client access in the Authentication section.

  5. In the Client name field enter the service account's Client ID.

  6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example if you need domain-wide access to the Google Drive API and the Google Calendar API enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar

  7. Click the Authorize button.

Let me know if this resolves the permission error.

Upvotes: 4
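An added diagnostic, not code from the question or the answer: it requests a token for each scope from the question separately, so a failure points at a single scope that still needs to be authorized for the client ID in the admin console. The class name `DelegationCheck` and the placeholder constants are assumptions to be replaced with your own values.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Responses;

class DelegationCheck
{
    // Placeholders (assumptions): use your own service account, key file and admin user.
    const string ServiceAccountEmail = "SERVICE_ACCOUNT_EMAIL";
    const string KeyFile = "file.p12";
    const string AdminUser = "ADMIN_EMAIL";

    // The three scopes the question's code requests.
    static readonly string[] Scopes =
    {
        DirectoryService.Scope.AdminDirectoryUser,
        DirectoryService.Scope.AdminDirectoryGroup,
        DirectoryService.Scope.AdminDirectoryGroupMember
    };

    static void Main()
    {
        var certificate = new X509Certificate2(KeyFile, "notasecret", X509KeyStorageFlags.Exportable);

        foreach (var scope in Scopes)
        {
            // One credential per scope, each impersonating the admin user.
            var credential = new ServiceAccountCredential(
                new ServiceAccountCredential.Initializer(ServiceAccountEmail)
                {
                    Scopes = new[] { scope },
                    User = AdminUser
                }.FromCertificate(certificate));
            try
            {
                // GetResult() rethrows the token error itself, not an AggregateException.
                bool ok = credential.RequestAccessTokenAsync(CancellationToken.None)
                                    .GetAwaiter().GetResult();
                Console.WriteLine("{0}: {1}", scope, ok ? "authorized" : "no token returned");
            }
            catch (TokenResponseException ex)
            {
                // ex.Error carries the OAuth error code and description from the token endpoint.
                Console.WriteLine("{0}: {1} ({2})", scope, ex.Error.Error, ex.Error.ErrorDescription);
            }
        }
    }
}
```

The scope strings it prints are the full scope URLs, which is the form the One or More API Scopes field in step 6 expects.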
