1
votes

I have created a project from the Google Developer Console and created a service account, and downloaded the key store. I need to use the Google Admin SDK to create/delete/access users. I see the Admin SDK is ON under APIs & Auth -> APIs. I am not able to get authorized due to scope errors.

Sample Java Snippet

    // Imports needed by the snippet below (Google API client library for Java)
    import java.io.File;
    import java.util.Arrays;
    import java.util.List;

    import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
    import com.google.api.client.http.HttpTransport;
    import com.google.api.client.http.javanet.NetHttpTransport;
    import com.google.api.client.json.jackson2.JacksonFactory;
    import com.google.api.services.admin.directory.Directory;
    import com.google.api.services.admin.directory.model.User;
    import com.google.api.services.admin.directory.model.Users;

    public boolean makeConnectionWithGoogleAPI() {
        try {
            // Scopes the service account asks for; each must also be authorized
            // for the service account's client ID in the Admin console.
            List<String> scopes = Arrays.asList(
                "https://www.googleapis.com/auth/admin.directory.user",
                "https://www.googleapis.com/auth/admin.directory.user.readonly");

            HttpTransport httpTransport = new NetHttpTransport();
            JacksonFactory jsonFactory = new JacksonFactory();

            // clientEmail, userId and privateKeyStoreLocation are fields set elsewhere:
            // the service account's client email, the admin user to impersonate,
            // and the path to the downloaded .p12 key.
            GoogleCredential credential = new GoogleCredential.Builder()
                .setTransport(httpTransport)
                .setJsonFactory(jsonFactory)
                .setServiceAccountId(clientEmail)
                .setServiceAccountUser(userId)
                .setServiceAccountScopes(scopes)
                .setServiceAccountPrivateKeyFromP12File(new File(privateKeyStoreLocation))
                .build();

            Directory admin = new Directory.Builder(httpTransport, jsonFactory, null)
                .setHttpRequestInitializer(credential)
                .build();

            Directory.Users.List list = admin.users().list();
            Users users = list.execute();
            List<User> listUsers = users.getUsers();
            for (User user : listUsers) {
                System.out.println(user.getId());
            }
            return true;
        } catch (Exception e) {
            e.printStackTrace();
        }
        return false;
    }

com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request { "error" : "access_denied", "error_description" : "Requested scopes not allowed: https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.user.readonly" } at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105) at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:287)

3

Yes, this worked on adding the required scopes from Admin Console->Security->Advanced Settings->Manage Third Party Client OAuth. Need to specify the Service Account clientId with the scopes. Click Authorize. In code use the Client Email and also need to specify the domain:

    Directory.Users.List list = admin.users().list().setDomain(clientDomain);

user3240209

3 Answers

6
votes

We had this problem - nowhere is this very clear in the Google documentation.

Your Client ID that you created for the API is what you enter for your Client Name on the API Scope listing.

Go here and enter your project. Establish the APIs you wish to have access to: https://console.developers.google.com/project

Then on the Credentials tab on the left, you create your new OAuth Client ID / Name info.

You take the Client Name here and then go to your Apps Admin Security interface: https://admin.google.com/AdminHome?chromeless=1#OGX:ManageOauthClients Or: Admin.google.com > then Security > Then Advanced > Then Manage OAuth Clients

Take the Client_ID you received in creating your project from the Developers Console, and assign that as your Client Name you wish to give access to the specific Scopes on your API Project.

For us, in any case, this is what solved our Access Denied Errors.

Shame on Google for not properly documenting this process. Took us 4 days to figure it out. We're a .net shop and even their NuGet packages had typos, misspellings and missing resources. Very frustrating to not have so many of these steps better documented.
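The question's snippet and the procedure in this answer together describe the full flow: a service account with domain-wide delegation impersonates an admin, and every scope the code requests must be listed for that service account's client ID under Manage OAuth Clients. The class below is an added example written for this page, not code from the question, the answer, or Google; the service account email, key path, admin user and domain are placeholder assumptions. It requests only the read-only user scope (the least privilege needed to list users), forces the token exchange up front so an unauthorized scope fails before any Directory call, and, on a `TokenResponseException`, extracts the rejected scope URLs from the `error_description` so you know exactly what to add in the Admin console. It also sets the domain on the list request, which the question's comment notes is required.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import com.google.api.client.auth.oauth2.TokenResponseException;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.model.User;
import com.google.api.services.admin.directory.model.Users;

public class DelegatedDirectoryAccess {

    // Placeholder values (assumptions, not taken from the question): the service
    // account's client email, the .p12 key issued to it, the admin it impersonates
    // and the Workspace domain whose users are listed.
    static final String SERVICE_ACCOUNT_EMAIL = "sa-name@project-id.iam.gserviceaccount.com";
    static final String P12_KEY_PATH = "/secure/path/service-account.p12";
    static final String IMPERSONATED_ADMIN = "admin@example.com";
    static final String DOMAIN = "example.com";

    // Least privilege: this program only reads users, so it asks for the read-only
    // scope alone. Every scope here must also be authorized for the service
    // account's client ID in the Admin console (Security > Advanced settings >
    // Manage OAuth Clients); a scope requested here but missing there produces
    // "access_denied / Requested scopes not allowed".
    static final List<String> SCOPES = Collections.singletonList(
        "https://www.googleapis.com/auth/admin.directory.user.readonly");

    static GoogleCredential delegatedCredential(HttpTransport transport, JsonFactory jsonFactory)
            throws IOException {
        return new GoogleCredential.Builder()
            .setTransport(transport)
            .setJsonFactory(jsonFactory)
            .setServiceAccountId(SERVICE_ACCOUNT_EMAIL)
            // Domain-wide delegation: calls run as this admin, not as the service account.
            .setServiceAccountUser(IMPERSONATED_ADMIN)
            .setServiceAccountScopes(SCOPES)
            .setServiceAccountPrivateKeyFromP12File(new File(P12_KEY_PATH))
            .build();
    }

    /** Returns the scope URLs named in a "Requested scopes not allowed: ..." token error. */
    static List<String> scopesRejectedBy(TokenResponseException e) {
        List<String> rejected = new ArrayList<>();
        if (e.getDetails() == null || e.getDetails().getErrorDescription() == null) {
            return rejected;
        }
        String description = e.getDetails().getErrorDescription();
        String marker = "Requested scopes not allowed:";
        int at = description.indexOf(marker);
        if (at < 0) {
            return rejected;
        }
        // The rejected scopes follow the marker as a space-separated list of URLs.
        for (String token : description.substring(at + marker.length()).trim().split("\\s+")) {
            if (token.startsWith("https://")) {
                rejected.add(token);
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws IOException {
        HttpTransport transport = new NetHttpTransport();
        JsonFactory jsonFactory = new JacksonFactory();
        GoogleCredential credential = delegatedCredential(transport, jsonFactory);

        // Exchange the signed JWT for an access token now, so a delegation or scope
        // problem surfaces here rather than inside the first Directory call.
        try {
            credential.refreshToken();
        } catch (TokenResponseException e) {
            List<String> rejected = scopesRejectedBy(e);
            if (!rejected.isEmpty()) {
                System.err.println("Authorize these scopes for the client ID of "
                    + SERVICE_ACCOUNT_EMAIL + " under Manage OAuth Clients:");
                for (String scope : rejected) {
                    System.err.println("  " + scope);
                }
            }
            throw e;
        }

        Directory directory = new Directory.Builder(transport, jsonFactory, credential)
            .setApplicationName("delegated-directory-example")
            .build();

        // users().list() needs a domain (or customer id); without one the API
        // answers 400 Bad Request, which is a different problem from the scope error.
        Users page = directory.users().list()
            .setDomain(DOMAIN)
            .setMaxResults(50)
            .execute();

        if (page.getUsers() != null) {
            for (User u : page.getUsers()) {
                System.out.println(u.getPrimaryEmail() + " (admin=" + u.getIsAdmin()
                    + ", suspended=" + u.getSuspended() + ")");
            }
        }
    }
}
```

Run it with the Google API client and Admin SDK Directory jars on the classpath. If the read-only scope has been authorized for the client ID but the code later needs to create or delete users, add `admin.directory.user` both to `SCOPES` and to the Admin console entry in the same change; the allowlist is keyed by client ID, so widening the scopes in code alone reproduces the 400 in the question. Keep the .p12 file outside the source tree with restrictive file permissions, since it grants the impersonation rights of the admin named in `setServiceAccountUser`.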

1
votes

I could not find the following option in the provided link. I spent more time on this.

https://admin.google.com/AdminHome?chromeless=1#OGX:ManageOauthClients Or: Admin.google.com > then Security > Then Advanced > Then Manage OAuth Clients

Are there any updates from Google regarding this? Please update if anyone has relevant information. Find my code below.

    // Imports needed by the snippet below (Google API client library for Java)
    import java.io.File;
    import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
    import com.google.api.services.compute.Compute;
    import com.google.api.services.compute.model.InstanceList;

    // HTTP_TRANSPORT, JSON_FACTORY, APPLICATION_NAME, scopes, projectId and zoneName
    // are defined elsewhere in the class.
    GoogleCredential credential = new GoogleCredential.Builder()
        .setTransport(HTTP_TRANSPORT)
        .setJsonFactory(JSON_FACTORY)
        .setServiceAccountId("[email protected]")
        .setServiceAccountScopes(scopes)
        .setServiceAccountPrivateKeyFromP12File(new File("D:\\ref\\privatekey.p12"))
        .setServiceAccountUser("xxxxxxxxxxxxxxxxxxx")
        .build();

    // Use the same transport as the credential (the original mixed HTTP_TRANSPORT and httpTransport).
    Compute compute = new Compute.Builder(HTTP_TRANSPORT, JSON_FACTORY, null)
        .setApplicationName(APPLICATION_NAME)
        .setHttpRequestInitializer(credential)
        .build();

    Compute.Instances.List instances = compute.instances().list(projectId, zoneName);
    InstanceList list = instances.execute();

the error message is

403 Forbidden { "error" : "access_denied", "error_description" : "Requested scopes not allowed: https://www.googleapis.com/auth/compute" }

0
votes

I had the same issue (403 access_denied) and fixed it with the following actions.

As mentioned by FurnGuy:

https://admin.google.com/AdminHome?chromeless=1#OGX:ManageOauthClients Or: Admin.google.com > then Security > Then Advanced > Then Manage OAuth Clients

Take the Client_ID you received in creating your project from the Developers Console, and assign that as your Client Name you wish to give access to the specific Scopes on your API Project.


The Client Name is your client ID, which was created from the Developers Console, and add the scopes, for example https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.orgunit.readonly

You can separate them by commas, and then authorize it. You can try it on your localhost:8888.