How to authorise a service account to access the Google Admin API

Submitted by 混江龙づ霸主 on 2020-03-22 04:54:09

Question


We are trying to create an integration with the Google Admin SDK in order to be able to retrieve, update and create accounts within our domain. However, we keep receiving a 403 error indicating that we are not authorized to access the resource/api.

We are using the credentials obtained from a service account which has Domain-wide Delegation of Authority enabled and the following two scopes: https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.user. We are generating the JWT (which also includes these two scopes) and then sending a request to https://www.googleapis.com/oauth2/v4/token to retrieve the access token.

We are then using the access token to send a request to https://www.googleapis.com/admin/directory/v1/users?domain=XXXX.com. We are including the access token as a Bearer token in the request headers. In the response we are getting the following message:

{
    "error": {
        "errors": [
            {
                "domain": "global",
                "reason": "forbidden",
                "message": "Not Authorized to access this resource/api"
            }
        ],
        "code": 403,
        "message": "Not Authorized to access this resource/api"
    }
}

Is it possible to clarify what we are doing incorrectly?


Answer 1:


In order for this to work you must set up domain-wide delegation; by doing this, your service account will then have access to the data in question.

  1. Locate the newly-created service account in the table. Under Actions, click the ⋮ (more) icon, then Edit.
  2. In the service account details, click Show domain-wide delegation, then ensure the Enable G Suite Domain-wide Delegation checkbox is checked.
  3. If you haven't yet configured your app's OAuth consent screen, you must do so before you can enable domain-wide delegation. Follow the on-screen instructions to configure the OAuth consent screen, then repeat the above steps and re-check the checkbox.
  4. Click Save to update the service account, and return to the table of service accounts. A new column, Domain-wide delegation, can be seen. Click View Client ID, to obtain and make a note of the client ID.



Answer 2:


The problem was that the JWT must include the "sub" field: the email address of the user for which the application is requesting delegated access.


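As an added example (not code from the question or from either answer), the following Python builds the claim set of a domain-wide-delegation assertion the way the two answers describe it: the service account as "iss", the delegated scopes, the token endpoint from the question as "aud", and the impersonated user's email as "sub", which is the field whose absence produced the 403. It also includes a pre-flight check that flags a missing "sub", scopes not on the delegation allow-list, or an over-long lifetime, before anything is sent to Google. The service account and user emails are constructed placeholders; the RS256 signer assumes the third-party "cryptography" package and the private key from the service account's JSON key file.

```python
import base64
import json
import time

# Endpoint and scopes as given in the question.
GOOGLE_TOKEN_URI = "https://www.googleapis.com/oauth2/v4/token"
ADMIN_USER_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
]
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # Google rejects assertions valid for more than one hour


def _b64url(raw: bytes) -> str:
    """Unpadded base64url, as the JWT compact serialisation requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_delegation_claims(service_account_email, scopes, subject, now=None, lifetime=MAX_LIFETIME):
    """Claim set for a domain-wide-delegation assertion.

    `subject` is the G Suite user the service account impersonates; it becomes
    the `sub` claim. Without it the token only represents the service account
    itself, which has no Directory API rights, hence the 403 in the question.
    """
    if not subject:
        raise ValueError("sub (the impersonated user) is required for domain-wide delegation")
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": service_account_email,
        "scope": " ".join(scopes),
        "aud": GOOGLE_TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
        "sub": subject,
    }


def check_delegation_claims(claims, allowed_scopes=ADMIN_USER_SCOPES):
    """Pre-flight checks for the usual causes of 'Not Authorized to access this resource/api'."""
    problems = []
    if not claims.get("sub"):
        problems.append("missing sub: the request would run as the service account, not as a domain user")
    if claims.get("aud") != GOOGLE_TOKEN_URI:
        problems.append("aud must be the Google token endpoint")
    for scope in claims.get("scope", "").split():
        if scope not in allowed_scopes:  # must match the scopes granted to the client ID in Admin console
            problems.append("scope not authorised for domain-wide delegation: " + scope)
    if claims.get("exp", 0) - claims.get("iat", 0) > MAX_LIFETIME:
        problems.append("assertion lifetime exceeds one hour")
    return problems


def signing_input(claims, key_id=None):
    """header.payload, the bytes that get signed."""
    header = {"alg": "RS256", "typ": "JWT"}
    if key_id:
        header["kid"] = key_id  # private_key_id from the service account key file

    def compact(obj):
        return json.dumps(obj, separators=(",", ":")).encode()

    return _b64url(compact(header)) + "." + _b64url(compact(claims))


def build_assertion(claims, signer):
    """Compact JWT: header.payload.signature, with `signer` producing the raw signature bytes."""
    data = signing_input(claims)
    return data + "." + _b64url(signer(data.encode("ascii")))


def rs256_signer(private_key_pem: bytes):
    """RS256 signer over the PEM private key from the service account JSON (assumes the cryptography package)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def token_request_form(assertion):
    """Form body to POST to GOOGLE_TOKEN_URI; the response carries the Bearer access token."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def decode_claims(assertion):
    """Read the payload back (no signature check; for inspecting what was sent)."""
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


if __name__ == "__main__":
    # Constructed placeholder identities, not real accounts.
    svc = "directory-sync@example-project.iam.gserviceaccount.com"
    claims = build_delegation_claims(svc, ADMIN_USER_SCOPES, "admin@example.com")
    print("with sub:", check_delegation_claims(claims) or "ok")
    without_sub = {k: v for k, v in claims.items() if k != "sub"}
    print("without sub:", check_delegation_claims(without_sub))
```

The only piece that changes between the failing and working flows in the question is the presence of "sub"; the scope list, audience and signing are otherwise identical, which is why the 403 is easy to misread as a scope or key problem.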

Source: https://stackoverflow.com/questions/57772484/how-to-authorise-a-service-account-to-access-the-google-admin-api
