I am trying to use the Google Admin Settings API with a service account from a C# console application, without success.
From what I understood, I first need to get an OAuth token. I tried two methods for this: using Google.Apis.Auth.OAuth2.ServiceAccountCredential, or manually creating a JWT assertion.
But when I call the Admin API with the OAuth token (for example, to get the maximum number of users), I always get a 403 error with the message "You are not authorized to perform operations on the xxx domain."
I downloaded GAM, as its author calls this API too, so that I can compose the same HTTP requests. As described in the GAM wiki, I followed all the steps to create a new service account and a new OAuth client ID so that I can be sure this is not the problem. I also enabled the debug mode suggested by Jay Lee in this thread. As explained in the comments on that thread, it still does not work with my OAuth token, but the API call completes successfully using GAM's OAuth token.
So this seems to be related to the OAuth token itself. The problem I have when creating an OAuth token is that I cannot specify the "sub" property (or User for ServiceAccountCredential). If I add it, I get a 403 Forbidden response with "requested client." as error_description when generating the token, that is, before calling the API. So maybe this is the problem, but I don't see how to fix it, since I am using the admin email.
Another possibility is that this API requires OAuth client credentials, because GAM requires two different types of credentials, a service account and an OAuth client. Since I can use the service account credentials in my project, I'm afraid I'm stuck if that is the case...
I see no other options, and I'm stuck on both, so any help is appreciated. Thanks!
My code is:
```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;

public static string GetEnterpriseUsersCount()
{
    string domain = MYDOMAIN;

    // Load the service account's P12 key stored next to the executable.
    string certPath = System.Reflection.Assembly.GetExecutingAssembly().Location;
    certPath = certPath.Substring(0, certPath.LastIndexOf("\\") + 1) + "GAMCreds.p12";
    var certData = File.ReadAllBytes(certPath);
    X509Certificate2 privateCertificate =
        new X509Certificate2(certData, "notasecret", X509KeyStorageFlags.Exportable);

    // Service account credential impersonating the domain admin (User becomes the JWT "sub" claim).
    // Both scopes must also be on the domain-wide delegation allowlist; the Directory
    // domain scope was the missing one (see the edit below).
    ServiceAccountCredential credential = new ServiceAccountCredential(
        new ServiceAccountCredential.Initializer(SERVICE_ACCOUNT_EMAIL)
        {
            Scopes = new[]
            {
                "https://apps-apis.google.com/a/feeds/domain/",
                "https://www.googleapis.com/auth/admin.directory.domain"
            },
            User = ADMIN_EMAIL
        }.FromCertificate(privateCertificate));

    // Exchange the signed JWT assertion for an access token.
    Task<bool> oAuthRequest = credential.RequestAccessTokenAsync(new CancellationToken());
    oAuthRequest.Wait();

    string uri = string.Format(
        "https://apps-apis.google.com/a/feeds/domain/2.0/{0}/general/maximumNumberOfUsers", domain);
    HttpWebRequest request = WebRequest.Create(uri) as HttpWebRequest;
    if (request != null)
    {
        request.Method = "GET";
        request.Headers.Add("Authorization", string.Format("Bearer {0}", credential.Token.AccessToken));

        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }
    return null;
}
```
Edit: I focused on scopes as Jay Lee recommended below, and it seems the missing scope was "https://www.googleapis.com/auth/admin.directory.domain". However, this is not written anywhere on the Admin Settings API documentation page, at least I didn't find it. "https://apps-apis.google.com/a/feeds/domain/" isn't either, but I had already added it to the list of allowed scopes. Thanks, Jay!
Edit 2: I also updated the source code so that it can help others in the future.
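The question's "manual JWT" route and its scope problem, as an added Python example (not code from the question or from the Google client library): it builds the service-account assertion with the `sub` claim set to the impersonated admin, then runs a pre-flight check that reports any requested scope missing from the domain-wide delegation allowlist, which is what produced the 403 here. The token endpoint URL, the sample e-mail addresses and the placeholder signer are assumptions; a real deployment signs with RS256 over the service account's private key.

```python
import base64
import json
import time

# Assumption: current Google OAuth 2.0 token endpoint, used as the JWT audience.
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
ADMIN_SETTINGS_SCOPE = "https://apps-apis.google.com/a/feeds/domain/"
ADMIN_DOMAIN_SCOPE = "https://www.googleapis.com/auth/admin.directory.domain"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_assertion(service_account_email, admin_email, scopes, signer, now=None):
    """Assemble the JWT sent to the token endpoint. `sub` names the admin to impersonate
    (domain-wide delegation); `signer` must RS256-sign bytes with the service account key."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": service_account_email, "sub": admin_email, "scope": " ".join(scopes),
              "aud": TOKEN_ENDPOINT, "iat": now, "exp": now + 3600}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    return signing_input + "." + b64url(signer(signing_input.encode()))

def decode_claims(assertion: str) -> dict:
    return json.loads(b64url_decode(assertion.split(".")[1]))

def check_delegation(assertion, delegated_scopes, admin_email):
    """Mirror what Google enforces before issuing the token: `sub` must be the impersonated
    admin and every requested scope must be on the delegation allowlist. Returns problems."""
    claims = decode_claims(assertion)
    problems = []
    if claims.get("sub") != admin_email:
        problems.append("sub is %r, expected admin %r" % (claims.get("sub"), admin_email))
    for scope in claims.get("scope", "").split():
        if scope not in delegated_scopes:
            problems.append("scope not delegated: " + scope)
    return problems

# Constructed placeholder signer: stands in for RS256 so the example runs offline.
fake_signer = lambda data: b"signature-placeholder"

def demo():
    # Constructed sample reproducing the question: the Directory domain scope is requested
    # but not yet on the allowlist, so the check flags exactly that scope.
    assertion = build_assertion("sa@example.iam.gserviceaccount.com", "admin@example.com",
                                [ADMIN_SETTINGS_SCOPE, ADMIN_DOMAIN_SCOPE], fake_signer, now=0)
    return check_delegation(assertion, {ADMIN_SETTINGS_SCOPE}, "admin@example.com")
```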