As per the documentation for
GSuite Marketplace Apps OAuth WebServer App + Offline access
WebServer App can be granted Domain access by an admin of a domain through OAuth. For further domain users impersonation a Service account can be used.
In my setup i have
WebServer App with Admin + Gmail + Marketplace SDK + Marketplace API enabled.
WebServer apps credentials are available.
Service account with domain wide delegation and credentials are available.
For the steps
- Getting authorize urls for Webserver client id works
- Access token is gained
- All scopes are mentioned for access in these.
- Admin API lets me list all users
- Service account with its credentials call fails.
5 = This steps results in error "oauth2client.client.HttpAccessTokenRefreshError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method."
Domain wide delegation is enabled on this as well
On changing credentials from Service account generated json to Service Client it doesn't recognise the credentials
Removing a step of
serviceclient.create_delegate('user@example')
from code, results in error 'Delegation denied for [email protected]"''