Sacha Bocic

Reputation: 13

Getting "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority" even though Domain-Wide Delegation is already granted

I'm using a service account to create calendar entries and add new attendees. For creating new appointments there is no problem:

https://www.googleapis.com/calendar/v3/calendars/{in_creator}/events

When adding new attendees, I get the error:

"Service accounts cannot invite attendees without Domain-Wide Delegation of Authority".

For adding new invitees I use:

https://www.googleapis.com/calendar/v3/calendars/{Owner}/events/{meeting_id}

All the information is in the body of the call (including the list of attendees). ({Owner} is the real owner of the calendar; it's not the service account.)

I'm the Google Workspace admin, so I already granted scopes in the Domain-wide Delegation screen to this service account:

The owner of the calendar granted the "Make Changes Event" permission to the service account.

The JWT for requesting the access token looks like:

{
  "iss": "xxxxxx.gserviceaccount.com",
  "scope": "https://www.googleapis.com/auth/calendar https://googleapis.com/auth/calendar.events https://googleapis.com/auth/admin.directory.resource.calendar",
  "aud": "https://oauth2.googleapis.com/token",
  "exp": "{exp}",
  "iat": "{iat}"
}

I've tried calling the APIs using Oracle PL/SQL / APEX using:

-- t_json_out: CLOB that receives the JSON response (variable name assumed; the
-- original snippet discarded the function's return value)
t_json_out := apex_web_service.make_rest_request(
  p_url => t_url,
  p_http_method => 'POST',
  p_body => t_json_in,
  -- query-string parameters, passed as parallel name/value collections
  p_parm_name => apex_util.string_to_table(
    'conferenceDataVersion:supportsAttachments:maxAttendees:sendNotifications:sendUpdates'
  ),
  p_parm_value => apex_util.string_to_table('1:True:12:False:False')
);
where
  t_url: variable containing the target endpoint https://www.googleapis.com/calendar/v3/calendars/{Owner}/events/{meeting_id}
  t_json_in: variable with a JSON with all the event data

This function returns a CLOB with a JSON:

{
  "error": {
    "errors": [
      {
        "domain": "calendar",
        "reason": "forbiddenForServiceAccounts",
        "message": "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
      }
    ],
    "code": 403,
    "message": "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
  }
}

Upvotes: 1

Views: 1338

Answers (1)

Linda Lawton - DaImTo

Reputation: 117186

For delegation the JWT for the access token request needs to include the sub claim. See: service-account

sub: The email address of the user for which the application is requesting delegated access.

This is the email address of the owner of the account for which delegation has been configured. The service account itself may have read access, but to have write access it needs to be delegated.

{
  "iss": "xxxxxx.gserviceaccount.com",
  "sub": "{owner_email}",
  "scope": "https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/calendar.events https://www.googleapis.com/auth/admin.directory.resource.calendar",
  "aud": "https://oauth2.googleapis.com/token",
  "exp": "{exp}",
  "iat": "{iat}"
}

Upvotes: 0
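As an added example (not code from the question or the answer), a stdlib-only Python helper that builds the delegated claim set with the sub claim the answer describes, produces the unsigned header.payload signing input that the service account key then RS256-signs, and maps the 403 body quoted in the question back to its cause (a token minted for the service account itself). The function names, the sample e-mail addresses and the one-hour lifetime limit check are assumptions of this example.

```python
import base64
import json
import time

TOKEN_AUD = "https://oauth2.googleapis.com/token"
CALENDAR_SCOPES = (
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/calendar.events",
)


def delegated_claims(sa_email, user_email, scopes, now=None, lifetime=3600):
    """Claim set for a domain-wide-delegation assertion (hypothetical helper).

    `sub` is the Workspace user the service account acts for; without it the
    token represents the service account itself, which the Calendar API
    rejects for attendee invites with reason forbiddenForServiceAccounts.
    """
    if not user_email:
        raise ValueError("delegated access requires a sub (user email) claim")
    if not 0 < lifetime <= 3600:
        raise ValueError("assertion lifetime must be at most one hour")
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": sa_email,
        "sub": user_email,
        "scope": " ".join(scopes),  # space-separated, as Google expects
        "aud": TOKEN_AUD,
        "iat": now,                 # numeric, not the "{iat}" placeholder
        "exp": now + lifetime,
    }


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def signing_input(claims):
    """Unsigned header.payload; the RS256 signature over it completes the JWT."""
    header = {"alg": "RS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return _b64url(compact(header)) + "." + _b64url(compact(claims))


def diagnose(error_body):
    """Translate the Calendar API error body into the delegation fix needed."""
    err = json.loads(error_body)["error"]
    reasons = {e.get("reason") for e in err.get("errors", [])}
    if err.get("code") == 403 and "forbiddenForServiceAccounts" in reasons:
        return "token was issued to the service account itself: add sub claim"
    return None
```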
