theist

Reputation: 3488

Can't impersonate on a service-to-service OAuth request to the Google Calendar API in Ruby

Hi, I was late-night hacking and testing the Google API client for Ruby.

I ran into an error, perhaps through a misunderstanding.

What I've already done

What I'm trying to do:

I'm trying to get metadata (I will try events later) from a privately shared calendar where I have read permissions (through a group) in a Google Apps for Work account, in Ruby, using service-to-service auth.

How I'm trying to do it

With this code:

require 'google/api_client'
require 'pp'
client = Google::APIClient.new

cal = client.discovered_api('calendar','v3')

id = '[email protected]'  # id is the confirmed calendar ID

key = Google::APIClient::KeyUtils.load_from_pkcs12('sl.p12', 'notasecret')
client.authorization = Signet::OAuth2::Client.new(
  :token_credential_uri => 'https://accounts.google.com/o/oauth2/token',
  :audience => 'https://accounts.google.com/o/oauth2/token',
  :scope => 'https://www.googleapis.com/auth/calendar',
  :issuer => '[email protected]',  # confirmed issuer

  :signing_key => key
)

client.authorization.fetch_access_token!

result = client.execute(
  :api_method => cal.calendars.get,  
  :parameters => { 'calendarId' => id }  
)

puts result.response.body

pp result

Results collected

When I do this I get a 404, something like "that calendar does not exist"

{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "notFound",
        "message": "Not Found"
      }
    ],
    "code": 404,
    "message": "Not Found"
  }
}

But if I change id to 'primary'

I get:

{
 "kind": "calendar#calendar",
 "etag": "\"dAAhx6wYoPw2vqRAe54lk5wa0XQ/WEglF6_c5pVHKyggcENvvX1cS9g\"",
 "id": "[email protected]",    #same as issuer id ??? WTF
 "summary": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@developer.gserviceaccount.com",
 "timeZone": "UTC"
}

Which seems to be a calendar, but it's like the default calendar for the "email issuer" account that appears in the server key "email" field.

I also tried to add a :person = 'email' field to client.authorization, but then I get an error creating the auth token.

I couldn't find a way to access the API as a mail account different from that @developer.gserviceaccount.com one, so what am I doing wrong?

Upvotes: 1

Views: 525

Answers (1)

Vinicius Braz Pinto

Reputation: 8289

You can either share the calendar with the service account's email or follow these steps to allow the service account to impersonate any user on that domain, in which case you have to pass the :person => 'email' parameter.

Upvotes: 1
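The difference between the two token requests discussed above, as an added example that is not part of the original posts or of the google-api-client code: it builds the signed JWT assertion with and without an impersonated user and shows which identity the resulting token would act as. It assumes the `sub` claim that Google's service-account flow documents for the impersonated user (how Signet serializes `:person` is not shown on the page); the helper names, the throwaway key and the addresses are constructed for illustration.

```ruby
require 'openssl'
require 'json'
require 'base64'

TOKEN_URI = 'https://accounts.google.com/o/oauth2/token' # audience used in the question

def b64url(bytes)
  Base64.urlsafe_encode64(bytes).delete('=')
end

# Build the RS256-signed assertion a service account posts to the token endpoint.
# person: user to impersonate (assumed to travel as "sub"); nil = act as the service account.
def build_assertion(key, issuer:, scope:, person: nil, now: Time.now.to_i)
  claims = { 'iss' => issuer, 'scope' => scope, 'aud' => TOKEN_URI,
             'iat' => now, 'exp' => now + 3600 }
  claims['sub'] = person if person
  signing_input = [{ 'alg' => 'RS256', 'typ' => 'JWT' }, claims]
                  .map { |part| b64url(JSON.generate(part)) }.join('.')
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Check the signature, then return the claims; raises if the assertion was altered.
def decode_assertion(jwt, public_key)
  header, payload, signature = jwt.split('.')
  pad = ->(s) { s + '=' * ((4 - s.length % 4) % 4) }
  ok = public_key.verify(OpenSSL::Digest.new('SHA256'),
                         Base64.urlsafe_decode64(pad.call(signature)),
                         "#{header}.#{payload}")
  raise ArgumentError, 'bad signature' unless ok
  JSON.parse(Base64.urlsafe_decode64(pad.call(payload)))
end

# Whose calendars 'primary' resolves to: the impersonated user if named, else the issuer.
def effective_identity(claims)
  claims.fetch('sub', claims['iss'])
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # throwaway key standing in for the .p12 key
  [nil, 'user@example.com'].each do |person|
    jwt = build_assertion(key, issuer: 'service-account@example.invalid',
                               scope: 'https://www.googleapis.com/auth/calendar', person: person)
    puts "person=#{person.inspect} -> acts as #{effective_identity(decode_assertion(jwt, key.public_key))}"
  end
end
```

Without the impersonated user the token acts as the service account itself, which matches the `primary` result in the question. With domain-wide delegation the same key can name any user of the domain, so granting it only the scope the job needs limits what a leaked key can reach.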
