Can't list users with Google Directory API Admin SDK

c# google-api google-admin-sdk google-api-dotnet-client

10,134

Solution 1

As described on the page:

Manage API client access

Developers can register their web applications and other API clients with Google to enable access to data in Google services like Calendar. You can authorize these registered clients to access your user data without your users having to individually give consent or their passwords. Learn more

The service account needs to act on behave of a user, so when initializing the client the ServiceAccountUser needs to be assigned.

    var provider = new AssertionFlowClient(
        GoogleAuthenticationServer.Description,
        new X509Certificate2(privateKeyPath, keyPassword, X509KeyStorageFlags.Exportable))
        {
            ServiceAccountId = serviceAccountEmail,
            Scope = AdminService.Scopes.AdminDirectoryUser.GetStringValue(),
            ServiceAccountUser = domainManangerEmail
        };

Edit: AssertionFlowClient is deprecated, the following should work:

var cert = new X509Certificate2(privateKeyPath, keyPassword, X509KeyStorageFlags.Exportable);
var serverCredential = new ServiceAccountCredential(
    new ServiceAccountCredential.Initializer(serviceAccountEmail)
        {
            Scopes = new []{DirectoryService.Scope.AdminDirectoryUser},
            User = domainManagerAccountEmail
        }.FromCertificate(cert));
var dirService = new DirectoryService(new BaseClientService.Initializer()
        {
            HttpClientInitializer = serverCredential
        });

Solution 2

This code works for me

static void GettingUsers()
{ 
  String serviceAccountEmail = "[email protected]";
  var certificate = new X509Certificate2(@"xxxxx.p12", "notasecret", X509KeyStorageFlags.Exportable);
  ServiceAccountCredential credential = new ServiceAccountCredential(
  new ServiceAccountCredential.Initializer(serviceAccountEmail)
  {
  Scopes = new[] { DirectoryService.Scope.AdminDirectoryUser},
  User = "your USER",  
  }.FromCertificate(certificate));
  var service = new DirectoryService(new BaseClientService.Initializer()
  {
  HttpClientInitializer = credential,
  ApplicationName = "name of your app",
  });

  var listReq = service.Users.List();
  listReq.Domain = "your domain";
  Users allUsers = listReq.Execute();
  int counter = 0;
  foreach(User myUser in allUsers.UsersValue){
    Console.WriteLine("*" + myUser.PrimaryEmail);
     counter++;
}

Console.WriteLine(counter);
Console.ReadKey();

For more information, Please take a look in Directory API: Users list. There are Limits and Quotas.

Solution 3

We will need to give the service ID that we are using the super admin or the right privileges to get pass this error.

Hope this helps. -Venu Murthy

10,134

zhywu

Updated on June 04, 2022

Comments

zhywu almost 2 years

I'm trying to use the AdminService to manage my domain's users and groups, but I'm stuck with a simple request to get all the users of my domain. There is the code in C#:

public Users GetAllUsers()
{
    var provider = new AssertionFlowClient(
        GoogleAuthenticationServer.Description,
        new X509Certificate2(privateKeyPath, keyPassword, X509KeyStorageFlags.Exportable))
    {
        ServiceAccountId = serviceAccountEmail,
        Scope = AdminService.Scopes.AdminDirectoryUser.GetStringValue()
    };

    var auth = new OAuth2Authenticator<AssertionFlowClient>(provider, AssertionFlowClient.GetState);

    m_serviceGroup = new AdminService(new BaseClientService.Initializer()
    {
        Authenticator = auth,
    });

    var request = m_serviceUser.Users.List();
    request.Domain = m_domainName;
    return request.Fetch();
}

I'm getting an exception when Fetch() that says:

Code: 403    
Message: Not Authorized to access this resource/api 
Error: {Message[Not Authorized to access this resource/api] Location[ - ] Reason[forbidden] Domain[global]}

I've followed the instructions here to have enabled API access, and also authorized my service account in domain control panel:

[Security]->[Advanced Setting]->[Authentication]->[Manage third party OAuth Client access]

with scopes:

https://www.googleapis.com/auth/admin.directory.group 
https://www.googleapis.com/auth/admin.directory.user

Admin SDK Service is also enabled in API control panel.

I tried the code to use the DriveService and successfully listed/created/deleted files without any problem, so the authentication part of the code should be alright. I couldn't figure out what else needs to be configured or if there is any other problems with my code.

Thanks for any help.

JDPeckham over 10 years

This doesn't work for me, when I add ServiceAccountUser (who is a domain super user) it then errors out with: Protocol Exception: Error occurred while sending a direct message or getting the response. The underlying oauth response is: 1f { "error" : "access_denied" } 0
JDPeckham over 10 years

Found my answer... 2LO is required. developers.google.com/drive/…
DFTR over 9 years

Am I crazy? AssertionFlowClient is not installed in any nuget installation of google API's I can find.
Ody almost 8 years

I did exactly as the above but got Error:"unauthorized_client", Description:"Unauthorized client or scope in request.", Uri:"" instead.. any ideas
zhywu almost 8 years

@Ody, have you enabled the API access and granted permissions to the account that you are using?