1
我正在尝试在服务帐户中使用googleapi 2.0,以便在用户的域名上使用目录gooogle admin sdk。 我按照建议进行了(例如this)并准备了“希望工作”的poc java代码。谷歌管理员sdk目录403
财产以后这样的...
package com.mc3info.google.api20.test;
import java.io.File;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.Directory.Members;
import com.google.api.services.admin.directory.Directory.Users.Get;
import com.google.api.services.admin.directory.DirectoryScopes;
import com.google.api.services.admin.directory.Directory.Groups;
import com.google.api.services.admin.directory.Directory.Users;
import com.google.api.services.admin.directory.model.User;
public class TestUsersList {
public static void main(String[] args) {
try {
File f = new File("config/xxxxxxx-privatekey.p12");
System.out.println(f.getAbsolutePath());
ArrayList<String> scopes = new ArrayList<String>();
// scopes.add(DirectoryScopes.ADMIN_DIRECTORY_GROUP);
// scopes.add(DirectoryScopes.ADMIN_DIRECTORY_GROUP_READONLY);
// scopes.add(DirectoryScopes.ADMIN_DIRECTORY_GROUP_MEMBER);
// scopes.add(DirectoryScopes.ADMIN_DIRECTORY_GROUP_MEMBER_READONLY);
scopes.add(DirectoryScopes.ADMIN_DIRECTORY_USER);
scopes.add(DirectoryScopes.ADMIN_DIRECTORY_USER_READONLY);
// scopes.add(DirectoryScopes.ADMIN_DIRECTORY_USER_SECURITY);
HttpTransport myHttpTransport = new NetHttpTransport();
JsonFactory JSON_FACTORY = new JacksonFactory();
GoogleCredential credential = (new GoogleCredential.Builder()
.setTransport(myHttpTransport)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId("[email protected]")
.setJsonFactory(JSON_FACTORY)
.setServiceAccountPrivateKeyFromP12File(f)
.setServiceAccountScopes(scopes)
).build();
credential.refreshToken();
// String at = credential.getAccessToken();
String applicationName = "NYAPPLICATIONNAME";
Directory dir = new Directory.Builder(myHttpTransport, JSON_FACTORY, credential)
.setApplicationName(applicationName)
.setHttpRequestInitializer(credential)
.build();
com.google.api.services.admin.directory.Directory.Users.List ures = dir.users().list();
ures.setDomain("genericidoc.it");
ures.setOrderBy("email");
// ures.setSortOrder("ASCENDING");
// ures.setFields("users(agreedToTerms,changePasswordAtNextLogin,creationTime,customerId,deletionTime,etag,hashFunction,id,includeInGlobalAddressList,ipWhitelisted,isAdmin,isDelegatedAdmin,isMailboxSetup,kind,lastLoginTime,name,orgUnitPath,password,primaryEmail,suspended,suspensionReason,thumbnailPhotoUrl");
com.google.api.services.admin.directory.model.Users lures = ures.execute();
//HERE print all data
// for(){
// System.out.println("Utente : ");
// }
//
Groups grp = dir.groups();
com.google.api.services.admin.directory.model.Groups res = grp.list().execute();
// Directory.Members.List members = dir.members().list("someexisting email");
/*
* Values for getting GoogleCredential, found in the
* "Service account section" at:
* https://code.google.com/apis/console/#access
*/
// serviceAccountId from the "Email address" field.
// Name of group to get for testing the authentication
} catch (Throwable t) {
t.printStackTrace();
}
}
}
,但得到一个403错误:
而且...是的,refreshToken()invokation不应该科目编号,但它可以确保我thath人至少握手是好的...
403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "Not Authorized to access this resource/api",
"reason" : "forbidden"
} ],
"message" : "Not Authorized to access this resource/api"
}
嗨@Jay,YEs我没有mentrioned,但我做到了。另一方面,使用setServiceAccountUser(... email)让我走上正轨。现在服务如预期般回复。但它只适用于真实的电子邮件,而不适用于服务帐户电子邮件。但我可以处理它。 – meppia