Google Apps Admin API:需要为服务帐户指定帐户用户吗?
问题描述:
我正在创建一个应该能够读取域的所有用户的Marketplace应用程序。我请求访问这些范围:
I'm creating a Marketplace App that should be able to read all the users of a domain. I request access to these scopes:
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/admin.directory.user.readonly
当访问通用导航扩展时会发生这种情况:
Then when the 'Universal Navigation Extension' is accessed this happens:
Credential credential = new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(jsonFactory)
.setServiceAccountId(SERVICE_MAIL)
.setServiceAccountScopes(Arrays.asList(DirectoryScopes.ADMIN_DIRECTORY_USER_READONLY))
.setServiceAccountPrivateKey(privateKey)
.build();
Directory oauth2 = new Directory.Builder(httpTransport, jsonFactory, null)
.setHttpRequestInitializer(credential)
.build();
Directory.Users.List list = oauth2.users().list();
list.setDomain(queryParams.getString("domain"));
Users users = list.execute();
当我运行它时会返回此错误:
When I run this it returns this error:
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "Not Authorized to access this resource/api",
"reason" : "forbidden"
} ],
"message" : "Not Authorized to access this resource/api"
}
但是,当我添加:
Credential credential = new GoogleCredential.Builder()
.setServiceAccountUser("<admin-account>@<domain>")
...
它有效!
但我怎么知道管理员的电子邮件地址?
我可以在没有电子邮件地址的情况下使其工作吗?
答
否。您必须拥有并知道允许执行您想要的帐户的电子邮件地址(通常是superadmin)。
No. You must have and know the email address of an account allowed to do what your want (typically a superadmin).
我同意某些API要求它是非常荒谬的这(管理员,目录等)。
I agree that it is quite absurd for some APIs to require this (Admin, Directory, etc.).