Reputation: 3
Error:
com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request { "error" : "invalid_scope", "error_description" : "https://www.googleapis.com:22230/auth/admin.directory.user is not valid scope." }
We have a Java application deployed in WAS which will use the Google Directory API. WAS is placed in the application layer and is not allowed to access the Google API on the internet. Hence the network team opened an SSH tunnel so that WAS can access the Google API over a different port (22230) than the default SSL port of 443. We updated the Java code to use the scope value with the new port, but ended up with the "invalid_scope" error mentioned above.
    // Scope string with the tunnel port appended
    SCOPES = Arrays.asList("https://www.googleapis.com:22230/auth/admin.directory.user");

    credential = new GoogleCredential.Builder()
            .setTransport(httpTransport)
            .setJsonFactory(jsonFactory)
            .setServiceAccountUser(properties.getProperty(ACCT_USER))
            .setServiceAccountId(properties.getProperty(ACCT_ID))
            .setServiceAccountScopes(SCOPES)
            .setServiceAccountPrivateKeyFromP12File(p12)
            .build();
Googling did not help me find much on SSH tunnels & Google API usage. Any help would be greatly appreciated. Is there a recommended way to use the Google Directory API when SSH tunneling is done?
Upvotes: 0
Views: 340
Reputation: 36
You will need to overwrite the "tokenServerEncodedUrl" parameter value in the GoogleCredential object, and "rootUrl" parameter value in the Directory object for using your non-standard SSH Tunnel Ports for GoogleAPI client communication.
Use the following code snippet to achieve it:
    // "ssh-port" below is a placeholder for the port the tunnel exposes for accounts.google.com
    GoogleCredential credential = new com.google.api.client.googleapis.auth.oauth2.GoogleCredential.Builder()
            .setTransport(httpTransport)
            .setJsonFactory(jsonFactory)
            .setTokenServerUrl(new GenericUrl("https://accounts.google.com:ssh-port/o/oauth2/token"))
            .setServiceAccountUser(ACCT_USER)
            .setServiceAccountId(ACCT_ID)
            .setServiceAccountScopes(SCOPES)
            .setServiceAccountPrivateKeyFromP12File(p12)
            .build();

    Directory service = new com.google.api.services.admin.directory.Directory.Builder(httpTransport, jsonFactory, null)
            .setHttpRequestInitializer(credential)
            .setRootUrl("https://www.googleapis.com:22230/")
            .setApplicationName(APP_NAME)
            .build();
The above code snippet shall overwrite the default service URL values set by the Google API Client libraries (Jar files).
Upvotes: 2
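The following is an added example, not code from the question or from either answer, showing the complete shape of what the answer above describes: the scope stays the canonical identifier the library ships as a constant, and only the two network endpoints (token server and API root) are moved to the tunnelled ports. The 22231 port for the token endpoint, the key path, the account identifiers and the application name are assumptions. Two caveats a practitioner should check before relying on this. First, the host names in both URLs are deliberately left as the real Google hosts so that TLS hostname verification still passes through the tunnel; that means the tunnel has to be reached by resolving those names to the tunnel listener (a hosts-file or DNS entry pointing www.googleapis.com and accounts.google.com at the local forward, e.g. `ssh -L 22230:www.googleapis.com:443 jumphost`), never by putting "localhost" in the URLs or by disabling certificate checks. Second, GoogleCredential places the token server URL it is configured with into the aud claim of the signed JWT it sends for a service-account token, so a URL carrying a port changes that assertion; if the token endpoint answers with invalid_grant after this change, keep the canonical token URL and route the token host at the network layer instead.

```java
// Added example (not from the page): Directory client with tunnelled endpoints
// and an unchanged, canonical scope. Ports, paths and identifiers are assumptions.
import java.io.File;
import java.util.Collections;
import java.util.List;

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.DirectoryScopes;
import com.google.api.services.admin.directory.model.User;
import com.google.api.services.admin.directory.model.Users;

public class TunnelledDirectoryClient {

    // The scope is an identifier that must match Google's list byte for byte.
    // It is never a network address, so no port belongs in it.
    private static final List<String> SCOPES =
            Collections.singletonList(DirectoryScopes.ADMIN_DIRECTORY_USER);

    // Endpoints reached through the SSH tunnel. Host names stay canonical so the
    // server certificate still matches; only the ports differ (22231 is assumed).
    private static final String API_ROOT  = "https://www.googleapis.com:22230/";
    private static final String TOKEN_URL = "https://accounts.google.com:22231/o/oauth2/token";

    // Placeholder configuration (assumptions, replace with real values).
    private static final String ACCT_ID   = "svc-directory@example-project.iam.gserviceaccount.com";
    private static final String ACCT_USER = "admin@example.com";   // delegated admin user
    private static final File   P12_KEY   = new File("/etc/app/secrets/service-account.p12");
    private static final String APP_NAME  = "tunnelled-directory-client";

    public static Directory buildService() throws Exception {
        // newTrustedTransport() uses the Google root CAs bundled with the library;
        // do not swap in a transport that relaxes hostname or chain verification.
        HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
        JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();

        GoogleCredential credential = new GoogleCredential.Builder()
                .setTransport(httpTransport)
                .setJsonFactory(jsonFactory)
                .setTokenServerUrl(new GenericUrl(TOKEN_URL))   // token endpoint via tunnel
                .setServiceAccountId(ACCT_ID)
                .setServiceAccountUser(ACCT_USER)
                .setServiceAccountScopes(SCOPES)                // canonical scope, unchanged
                .setServiceAccountPrivateKeyFromP12File(P12_KEY)
                .build();

        // GoogleCredential is an HttpRequestInitializer, so it can be passed directly.
        return new Directory.Builder(httpTransport, jsonFactory, credential)
                .setRootUrl(API_ROOT)                           // API endpoint via tunnel
                .setApplicationName(APP_NAME)
                .build();
    }

    public static void main(String[] args) throws Exception {
        Directory service = buildService();

        // Smoke test: list a few users of the delegated domain through the tunnel.
        Users result = service.users().list()
                .setCustomer("my_customer")
                .setMaxResults(10)
                .setOrderBy("email")
                .execute();

        if (result.getUsers() != null) {
            for (User u : result.getUsers()) {
                System.out.println(u.getPrimaryEmail());
            }
        }
    }
}
```

If the hosts-file route is used instead (resolving the Google host names to the loopback forwards on 443), the two `setTokenServerUrl` and `setRootUrl` calls can be dropped entirely and the client runs with the library defaults, which also sidesteps the aud-claim question above.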
Reputation: 65
As far as I know the scopes don't alter the destination for the network requests the client library makes; they are there simply to tell Google what scopes you are trying to authorize your service for, so placing the port in the scope URL alters it and it will fail to match against the known list. Since you'd have to alter the client library to change the destination, I would instead opt for execution-environment redirection of the network requests to meet your needs. For example, you can use hosts to redirect given addresses to loopback, where you have a corkscrew agent waiting for requests and SSH tunneling them to your endpoint. Since you show a 400 response from Google it seems your traffic is already routing correctly, and all you should have to do is drop :22230 from the scope URLs.
Upvotes: 0