Receiving Insufficient Permission error from DirectoryService
Solution 1
2 options:
- You didn't include the right Scope. Are you sure that DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser are enough?
- Did you enable the API in the Console? More information is available at: https://developers.google.com/api-client-library/dotnet/get_started#auth. Look for your project in https://console.cloud.google.com/project and make sure that you enabled the Directory Admin API.
Please update this thread if one of these options worked or something else is still missing for you.
Solution 2
Scopes
It appears that you are trying this Quickstart:
However, the scope(s) used in that tutorial are:
new [] { DirectoryService.Scope.AdminDirectoryUserReadonly };
However, in the code you posted, you have:
new[] { DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser },
Tokens
After you change your scopes (shown above), you may have to delete your OAuth2 token, and then re-authorize access for your application. (Unless you haven't done the "authorize access" step yet.)
\token.json\Google.Apis.Auth.OAuth2.Responses.TokenResponse-user
Enable APIs
Also, as I think you already discovered, enabling the Directory API is a different process than enabling the Gmail API (and found at different URLs).
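The stale-token case described under "Tokens" can be checked in code rather than by deleting the file by hand. The following is an added example, not code from either answer or from Google's library: `ScopeCheckedAuth`, `MissingScopes` and the file paths are hypothetical names, and it assumes the cached token response carries the space-delimited `scope` field returned by Google's token endpoint.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Responses;
using Google.Apis.Util.Store;

static class ScopeCheckedAuth   // hypothetical helper, not part of Google.Apis
{
    // Scopes in `required` that are absent from a space-delimited `granted` string.
    public static string[] MissingScopes(string granted, string[] required)
    {
        var have = (granted ?? "").Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        return required.Except(have, StringComparer.Ordinal).ToArray();
    }

    public static async Task<UserCredential> AuthorizeAsync(
        string secretsPath, string user, string tokenDir, string[] scopes)
    {
        var store = new FileDataStore(tokenDir, true);  // true: tokenDir is used as given
        // The broker reuses a cached token without comparing scopes, so do it here.
        // A cached token with no scope recorded is treated as stale as well.
        var cached = await store.GetAsync<TokenResponse>(user);
        if (cached != null && MissingScopes(cached.Scope, scopes).Length > 0)
            await store.DeleteAsync<TokenResponse>(user);  // forces a new consent prompt

        using (var stream = new FileStream(secretsPath, FileMode.Open, FileAccess.Read))
        {
            var credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(
                GoogleClientSecrets.Load(stream).Secrets, scopes, user,
                CancellationToken.None, store);
            // Fail before the first API call if consent did not cover every scope.
            var missing = MissingScopes(credential.Token.Scope, scopes);
            if (missing.Length > 0)
                throw new InvalidOperationException("Token lacks scopes: " + string.Join(", ", missing));
            return credential;
        }
    }

    static async Task Main()
    {
        // Listing users only needs the read-only scope used in the Quickstart.
        var scopes = new[] { DirectoryService.Scope.AdminDirectoryUserReadonly };
        var credential = await AuthorizeAsync("client_secrets.json", "user", "token.json", scopes);
        Console.WriteLine("Granted: " + credential.Token.Scope);
    }
}
```

Requesting only `AdminDirectoryUserReadonly` for a read-only listing keeps the cached refresh token from carrying write access to users and org units.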
VaultBoy14
Updated on June 09, 2022
Comments
-
VaultBoy14 almost 2 years
I am trying to set up C# code to manage our Google domain.
I am receiving this error whenever I call service.Users.List() or any other method from the DirectoryService API.
Google.Apis.Requests.RequestError Insufficient Permission [403] Errors [ Message[Insufficient Permission] Location[ - ] Reason[insufficientPermissions] Domain[global] ]
I followed all the instructions on the OAuth setup. The account I am using is a domain admin.
The clients secret file I am using works fine when I use it with GAM.exe to do the same operations. This is leading me to believe that I am doing something wrong in my code.
Below is my code for querying users, is there anything I am missing?
    using System.IO;
    using System.Threading;
    using Google.Apis.Admin.Directory.directory_v1;
    using Google.Apis.Auth.OAuth2;
    using Google.Apis.Services;

    class Program
    {
        static void Main(string[] args)
        {
            var applicationName = "App Project Name";
            var userName = "[email protected]";
            var clientID = "clientIDfromAPIcredentialpageonconsole.developers.google.com";

            UserCredential credential;
            using (var stream = new FileStream("C:\\gam\\client_secrets.json", FileMode.Open, FileAccess.Read))
            {
                // Scopes requested at authorization time.
                // The null data store means the library's default token cache is used.
                credential = GoogleWebAuthorizationBroker.AuthorizeAsync(
                    GoogleClientSecrets.Load(stream).Secrets,
                    new[] { DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser },
                    userName,
                    CancellationToken.None,
                    null).Result;
            }

            var service = new DirectoryService(new BaseClientService.Initializer()
            {
                ApplicationName = applicationName,
                HttpClientInitializer = credential
            });

            // This call returns the 403 Insufficient Permission error.
            var list = service.Users.List();
            var users = list.Execute();
        }
    }