Receiving Insufficient Permission error from DirectoryService


Solution 1

2 options:

  1. You didn't include the right Scope. Are you sure that DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser are enough?
  2. Did you enable the API in the Console? More information is available at: https://developers.google.com/api-client-library/dotnet/get_started#auth. Look for your project in https://console.cloud.google.com/project and make sure that you enabled the Directory Admin API.

Please update this thread if one of these options worked or something else is still missing for you.

Solution 2

Scopes

It appears that you are trying this Quickstart:

However, the scope(s) used in that tutorial are:

new [] { DirectoryService.Scope.AdminDirectoryUserReadonly };

However, in the code you posted you have:

new[] { DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser },

Tokens

After you change your scopes (shown above), you may have to delete your OAuth2 token, and then re-authorize access for your application. (Unless you haven't done the "authorize access" step yet.)


\token.json\Google.Apis.Auth.OAuth2.Responses.TokenResponse-user

Enable APIs

Also, as I think you already discovered, enabling the Directory API is a different process than enabling the Gmail API (and found at different URLs).

Enable Directory API


Enable Gmail API

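The scope and token points from the answers above, combined in one sketch. This is an added example, not code from either answer or from the quickstart. It requests only the read-only user scope and discards a cached token that was granted under a different scope list before re-authorizing. Assumptions: the `client_secrets.json` path, the `token.json` cache folder, the cache key `user`, and that the cached token response records its granted scopes in `Token.Scope`.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;
using Google.Apis.Util.Store;

class ScopeCheckExample
{
    // Least-privilege scope for listing users; add write scopes only if needed.
    static readonly string[] Scopes = { DirectoryService.Scope.AdminDirectoryUserReadonly };

    static async Task Main()
    {
        // Assumed cache location: token.json\Google.Apis.Auth.OAuth2.Responses.TokenResponse-user
        var store = new FileDataStore("token.json", true);
        ClientSecrets secrets;
        using (var stream = new FileStream("client_secrets.json", FileMode.Open, FileAccess.Read))
            secrets = GoogleClientSecrets.Load(stream).Secrets;

        var credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(
            secrets, Scopes, "user", CancellationToken.None, store);

        // A token cached under an earlier scope list is reused as-is, so compare
        // what was granted with what is requested before calling the API.
        var granted = (credential.Token.Scope ?? "").Split(' ');
        if (Scopes.Except(granted).Any())
        {
            await store.ClearAsync(); // drop the stale cached token, then consent again
            credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(
                secrets, Scopes, "user", CancellationToken.None, store);
        }

        var service = new DirectoryService(new BaseClientService.Initializer
        {
            ApplicationName = "Scope check example",
            HttpClientInitializer = credential
        });

        var request = service.Users.List();
        request.Customer = "my_customer"; // alias for the signed-in admin's own domain
        request.MaxResults = 10;
        var users = request.Execute();
        Console.WriteLine($"Fetched {users.UsersValue?.Count ?? 0} users");
    }
}
```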

Author: VaultBoy14

Updated on June 09, 2022

Comments

  • VaultBoy14
    VaultBoy14 almost 2 years

    I am trying to set up C# code to manage our Google domain.

    I am receiving this error whenever I call service.Users.List() or any other method from the DirectoryService API.

    Google.Apis.Requests.RequestError
    Insufficient Permission [403]
    Errors [
        Message[Insufficient Permission] Location[ - ] Reason[insufficientPermissions] Domain[global]
    ]

    I followed all the instructions on the OAuth setup. The account I am using is a domain admin.

    The client secrets file I am using works fine when I use it with GAM.exe to do the same operations. This is leading me to believe that I am doing something wrong in my code.

    Below is my code for querying users. Is there anything I am missing?

        using System.IO;
        using System.Threading;
        using Google.Apis.Admin.Directory.directory_v1;
        using Google.Apis.Auth.OAuth2;
        using Google.Apis.Services;

        class Program
        {
            static void Main(string[] args)
            {
                var applicationName = "App Project Name";
                var userName = "[email protected]";
                var clientID = "clientIDfromAPIcredentialpageonconsole.developers.google.com";

                UserCredential credential;

                // Load the OAuth client secrets and run the installed-app authorization flow.
                using (var stream = new FileStream("C:\\gam\\client_secrets.json", FileMode.Open, FileAccess.Read))
                {
                    credential = GoogleWebAuthorizationBroker.AuthorizeAsync(
                        GoogleClientSecrets.Load(stream).Secrets,
                        new[] { DirectoryService.Scope.AdminDirectoryOrgunit, DirectoryService.Scope.AdminDirectoryUser },
                        userName,
                        CancellationToken.None, null).Result;
                }

                // Build the Directory API client from the authorized credential.
                var service = new DirectoryService(new BaseClientService.Initializer()
                    {
                        ApplicationName = applicationName,
                        HttpClientInitializer = credential
                    });

                var list = service.Users.List();

                // This call is where the 403 Insufficient Permission error is returned.
                var users = list.Execute();
            }
        }