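Unable to authorize Google Directory Admin API call
I am trying to write a server process that calls the Google Directory Admin API to determine the group memberships of a given user in my domain.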
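With the following scope... https://www.googleapis.com/auth/admin.directory.group.readonly
...this call works (returns 200) in the API playground: GET /admin/directory/v1/[email protected] HTTP/1.1
However, I cannot get the authorization right outside the playground.
I have also done the following:
(1) Added "Admin SDK" to the "Enabled APIs" in the Google Developers Console
(2) Created a "Service Account" for my app in the Google Developers Console
(3) Went through "Enable Google Apps Domain-wide Delegation" for this service account
(4) Went through "Furnish a new private key" for this service account
(5) Downloaded the JSON credentials for this service account
(6) In "admin.google.com" -> Security -> Advanced Settings -> Authentication -> Manage API client access, I entered my service account's (numeric) ClientID in the "Client Name" field and the following scope in the "One or More API Scopes" field, then pressed Authorize: https://www.googleapis.com/auth/admin.directory.group.readonly
However, in code, authorization fails (Google::Apis::ClientError: forbidden: Not Authorized to access this resource/api):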
require 'google/apis/admin_directory_v1'
require 'googleauth'
ENV['GOOGLE_APPLICATION_CREDENTIALS'] = 'secrets.json'
scope = [ 'https://www.googleapis.com/auth/admin.directory.group.readonly' ]
authorization = Google::Auth.get_application_default(scope)
service = Google::Apis::AdminDirectoryV1::DirectoryService.new
service.authorization = authorization
response = service.list_groups(user_key: '[email protected], domain: "mydomain.com")
(irb session pasted below)
Note that the user and domain names have been changed here. Also note that if domain is not provided, it raises Google::Apis::ClientError: notFound: Domain not found.
The IRB session is as follows:
irb(main):001:0> require 'google/apis/admin_directory_v1'
=> true
irb(main):002:0> require 'googleauth'
=> false
irb(main):003:0> ENV['GOOGLE_APPLICATION_CREDENTIALS'] = 'secrets.json'
=> "secrets.json"
irb(main):004:0> scope = [ 'https://www.googleapis.com/auth/admin.directory.group.readonly' ]
=> ["https://www.googleapis.com/auth/admin.directory.group.readonly"]
irb(main):005:0> authorization = Google::Auth.get_application_default(scope)
=> #<Google::Auth::ServiceAccountCredentials:0x0000000238b1a0 @authorization_uri=nil, @token_credential_uri=#<Addressable::URI:0x11c55ec URI:https://www.googleapis.com/oauth2/v3/token>, @client_id=nil, @client_secret=nil, @code=nil, @expires_at=nil, @expires_in=nil, @issued_at=nil, @issuer="[email protected]", @password=nil, @principal=nil, @redirect_uri=nil, @scope=["https://www.googleapis.com/auth/admin.directory.group.readonly"], @state=nil, @username=nil, @expiry=60, @audience="https://www.googleapis.com/oauth2/v3/token", @signing_key=#<OpenSSL::PKey::RSA:0x0000000238b218>, @extension_parameters={}, @additional_parameters={}>
irb(main):006:0> service = Google::Apis::AdminDirectoryV1::DirectoryService.new
=> #<Google::Apis::AdminDirectoryV1::DirectoryService:0x000000023dbdd0 @root_url="https://www.googleapis.com/", @base_path="admin/directory/v1/", @upload_path="upload/admin/directory/v1/", @batch_path="batch", @client_options=#<struct Google::Apis::ClientOptions application_name="unknown", application_version="0.0.0", proxy_url=nil, use_net_http=false>, @request_options=#<struct Google::Apis::RequestOptions authorization=nil, retries=0, header=nil, timeout_sec=nil, open_timeout_sec=20>>
irb(main):007:0> service.authorization = authorization
=> #<Google::Auth::ServiceAccountCredentials:0x0000000238b1a0 @authorization_uri=nil, @token_credential_uri=#<Addressable::URI:0x11c55ec URI:https://www.googleapis.com/oauth2/v3/token>, @client_id=nil, @client_secret=nil, @code=nil, @expires_at=nil, @expires_in=nil, @issued_at=nil, @issuer="[email protected]", @password=nil, @principal=nil, @redirect_uri=nil, @scope=["https://www.googleapis.com/auth/admin.directory.group.readonly"], @state=nil, @username=nil, @expiry=60, @audience="https://www.googleapis.com/oauth2/v3/token", @signing_key=#<OpenSSL::PKey::RSA:0x0000000238b218>, @extension_parameters={}, @additional_parameters={}>
irb(main):008:0> response = service.list_groups(user_key: '[email protected], domain: "mydomain.com")
Google::Apis::ClientError: forbidden: Not Authorized to access this resource/api
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/http_command.rb:202:in `check_status'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/api_command.rb:103:in `check_status'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/http_command.rb:170:in `process_response'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/http_command.rb:275:in `execute_once'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/http_command.rb:107:in `block (2 levels) in execute'
from /usr/local/share/ruby/gems/2.0/gems/retriable-2.1.0/lib/retriable.rb:54:in `block in retriable'
from /usr/local/share/ruby/gems/2.0/gems/retriable-2.1.0/lib/retriable.rb:48:in `times'
from /usr/local/share/ruby/gems/2.0/gems/retriable-2.1.0/lib/retriable.rb:48:in `retriable'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/http_command.rb:104:in `block in execute'
from /usr/local/share/ruby/gems/2.0/gems/retriable-2.1.0/lib/retriable.rb:54:in `block in retriable'
from /usr/local/share/ruby/gems/2.0/gems/retriable-2.1.0/lib/retriable.rb:48:in `times'
from /usr/local/share/ruby/gems/2.0/gems/retriable-2.1.0/lib/retriable.rb:48:in `retriable'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/http_command.rb:96:in `execute'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/lib/google/apis/core/base_service.rb:267:in `execute_or_queue_command'
from /usr/local/share/ruby/gems/2.0/gems/google-api-client-0.9/generated/google/apis/admin_directory_v1/service.rb:943:in `list_groups'
from (irb):8
from /usr/bin/irb:12:in `<main>'
irb(main):009:0>
I think you are not impersonating any user, specifically an admin in this case. Please check this documentation; the user you want to impersonate is set in the parameter 'sub': https://developers.google.com/api-client-library/ruby/auth/service-accounts – Gerardo
I had actually already thought of that and added this: auth_client = authorization.dup auth_client.sub = '[email protected]' service = Google::Apis::AdminDirectoryV1::DirectoryService.new response = service.list_groups(user_key: 'my.user@mydomain.com', domain: 'mydomain.com'), and it raises this error: "Requested client not authorized." Any ideas? –
I wonder whether this line is correct: service.list_groups(user_key:'[email protected],domain:"mydomain.com")... after [email protected], the quote is not closed – Gerardo
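What the `sub` parameter mentioned in the comments changes in the signed token request, shown as an added example that is not part of the original thread: it builds the service-account JWT assertion with and without `sub`, using only Ruby's standard library. The service account address, admin address and RSA key are constructed placeholders, and `effective_principal` is a simplified model of which identity the token endpoint issues the access token for.

```ruby
require 'openssl'
require 'json'

TOKEN_URI = 'https://www.googleapis.com/oauth2/v3/token' # @audience in the irb output
SCOPE = 'https://www.googleapis.com/auth/admin.directory.group.readonly'
SA    = 'example-sa@example-project.iam.gserviceaccount.com' # hypothetical service account
ADMIN = 'admin@example.com'                                  # hypothetical domain admin
KEY   = OpenSSL::PKey::RSA.new(2048)                         # constructed throwaway key

def b64url(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/') + '=' * ((4 - str.length % 4) % 4)
  padded.unpack1('m0')
end

# Build the RS256-signed JWT a service account posts to the token endpoint.
# sub: domain user to impersonate; nil means "act as the service account itself".
def build_assertion(key, issuer:, sub: nil, now: Time.now.to_i)
  claims = { iss: issuer, scope: SCOPE, aud: TOKEN_URI, iat: now, exp: now + 60 }
  claims[:sub] = sub if sub
  input = [{ alg: 'RS256', typ: 'JWT' }, claims].map { |p| b64url(JSON.generate(p)) }.join('.')
  "#{input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Check the signature, then return the claim set the token endpoint would evaluate.
def read_claims(assertion, public_key)
  header, payload, sig = assertion.split('.')
  valid = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig), "#{header}.#{payload}")
  raise ArgumentError, 'bad signature' unless valid
  JSON.parse(b64url_decode(payload).force_encoding('UTF-8'))
end

# Simplified model: the access token carries the identity in sub, else the issuer.
def effective_principal(claims)
  claims['sub'] || claims['iss']
end

if __FILE__ == $PROGRAM_NAME
  [nil, ADMIN].each do |sub|
    claims = read_claims(build_assertion(KEY, issuer: SA, sub: sub), KEY.public_key)
    puts "sub=#{sub.inspect}: token acts as #{effective_principal(claims)}"
  end
end
```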