403错误“未授权访问此资源/api";网络应用中的Google Admin SDK(甚至是管理员)
自从两天以来,即使该应用程序在一个月前已完全运行,但我一直不知道为什么会出现此错误,所以我一直在努力寻找问题.
I'm struggling to find the problem since two days without any idea why I get this error now even though the app was fully functional one month before.
在网络应用完成的任务中,它会调用Admin SDK API以获取组成员的列表.该应用程序的范围为 https://www.googleapis.com/auth/admin.directory.group.readonly ,但出现403错误未授权访问此资源/api"(我确认已在Google的控制台中启用了Admin SDK API).顺便说一句,该应用程序可以毫无问题地向Google Classroom API发出请求.
Among the tasks done by the web app, it makes an Admin SDK API call to get the list of members of a group. The app has the scope https://www.googleapis.com/auth/admin.directory.group.readonly, but I get the 403 error "Not Authorized to access this resource/api" (I verified that the Admin SDK API was enabled in Google's Console).
By the way, the app had no problem to make a request to Google Classroom API before.
这里最不可思议的是,应用程序秘密是由管理员帐户生成的.而且,当我使用相同的管理员帐户登录到应用程序时,会收到此错误.但是,当我使用文档的( https://developers.google.com/admin-sdk/directory/v1/reference/members/list#response )我得到200条响应,而授权范围完全相同.
The most incredible thing here is that the app secrets have been generated by an admin account. And that I get this error when I log into the app with this same admin account. However, when I do tests with the documentation's (https://developers.google.com/admin-sdk/directory/v1/reference/members/list#response) I get a 200 response without a problem with exactly the same authorized scope.
使用此管理员帐户之前,可以毫无问题地获取工作成员列表.从那时起,据我所知,源代码或配置没有任何变化.因此,我认为问题可能在某种程度上与客户的机密有关,但我不知道如何解决.
Getting the list of members worked without a problem before with this admin account. Since then, nothing has changed in source code or in configuration so far as I know. So I think the problem may be related to the client secrets in some way, but I have no idea how.
此网络应用程序将仅由该管理员帐户使用
在我对StackOverflow的研究中,我发现大多数事情都在谈论"Google Apps域范围的授权"(
In my research on StackOverflow, I found most things talking about "Google Apps Domain-Wide Delegation of Authority" (https://developers.google.com/admin-sdk/directory/v1/guides/delegation), but I never used this when it worked before. And I would like to avoid this.
您是否知道为什么即使只是在文档中测试请求并且我使用的是Super-Admin帐户时,Web应用程序仍会出现此403错误?
Do you have an idea why I get this 403 error with the web app even though it works when just testing the request in the documentation and I'm using a Super-Admin account ?
我现在基于此要旨 https://gist.github.com/MeLight/1f4517560a9761317d13ebb2cdc670d3 ,仅此代码段即可正常工作.但是,在我的应用程序中使用它时,仍然出现403错误.我发疯了,可能是权限问题?
I've now tested a simple snippet with "Google Apps Domain-Wide Delegation of Authority" based on this gist https://gist.github.com/MeLight/1f4517560a9761317d13ebb2cdc670d3 and the snippet alone works. However, when using it inside my app, I still get the 403 error. I'm getting insane, what could be the permission issue?
最后,将我的头撞到墙上后,我发现了问题所在:用于获取组成员的 groupKey https://www.googleapis.com/admin/directory/v1/groups/groupKey/members 具有尾随空格.
Finally, after knocking my head against the wall, I found what was the problem:
the groupKey used to get the members of a group https://www.googleapis.com/admin/directory/v1/groups/groupKey/members had a trailing whitespace.
是的,仅此而已.我只需要剥离代码中的字符串(Python中的一行)就可以了.
Yes, that's all. I just had to strip the string in the code (one line in Python) and it all went well.
我所做的一切,都是在寻找权限/客户端ID/授权授权,似乎是胡闹.
All I did, searching for permissions / client ID / Delegation of Authority was for nuts it seems.
严重的是,Google API的403错误未授权访问此资源/api"可能更明显.
Seriously, the 403 error "Not Authorized to access this resource/api" of Google's API could have been more explicit.