2
votes

As per the documentation for

GSuite Marketplace Apps OAuth WebServer App + Offline access

WebServer App can be granted Domain access by an admin of a domain through OAuth. For further domain users impersonation a Service account can be used.

In my setup I have

  1. WebServer App with Admin + Gmail + Marketplace SDK + Marketplace API enabled.

  2. WebServer app's credentials are available.

  3. Service account with domain wide delegation and credentials are available.

For the steps

  1. Getting authorize urls for Webserver client id works
  2. Access token is gained
  3. All scopes are mentioned for access in these.
  4. Admin API lets me list all users
  5. Service account with its credentials call fails.

5 = This step results in the error "oauth2client.client.HttpAccessTokenRefreshError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method."

Domain wide delegation is enabled on this as well

On changing credentials from Service account generated json to Service Client it doesn't recognise the credentials

Removing a step of

serviceclient.create_delegate('user@example')

from code, results in error "Delegation denied for [email protected]"

1 Answer

0
votes

What is the documentation you are referring to?

Once you have a service account enabled for domain wide delegation, an admin should delegate authority to the service account before you can obtain credentials using that service account: https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account
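An offline pre-flight check for the delegation setup described in this answer, as an added example that is not part of the original post or of any Google library. It builds the claim set a service account signs to act as a domain user and compares the requested scopes with what the admin authorized; `SA_KEY`, `ADMIN_GRANTS`, the client ID and the addresses are constructed sample values, and `ADMIN_GRANTS` is assumed to be transcribed by hand from the Admin console.

```python
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
GMAIL = "https://www.googleapis.com/auth/gmail.readonly"
DIRECTORY = "https://www.googleapis.com/auth/admin.directory.user.readonly"

# Constructed sample data: a trimmed service account key (no private key) and
# the client_id -> scopes entries an admin entered for domain-wide delegation.
SA_KEY = {"type": "service_account", "client_id": "100000000000000000000",
          "client_email": "sa@example-project.iam.gserviceaccount.com",
          "token_uri": TOKEN_URI}
ADMIN_GRANTS = {"100000000000000000000": [DIRECTORY]}

def build_delegation_claims(sa_info, scopes, subject, now=None):
    """JWT claim set the service account signs to get a token as `subject`."""
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": sa_info["client_email"],    # the service account itself
        "sub": subject,                    # domain user being impersonated
        "scope": " ".join(sorted(scopes)),
        "aud": sa_info.get("token_uri", TOKEN_URI),
        "iat": now,
        "exp": now + 3600,                 # lifetime is at most one hour
    }

def preflight(sa_info, scopes, subject, admin_grants, domain):
    """Return the reasons the delegation setup is incomplete (empty = ok)."""
    problems = []
    if sa_info.get("type") != "service_account":
        # A web-server OAuth client JSON has a top-level "web" key instead.
        problems.append("key file is not a service account key")
    granted = admin_grants.get(sa_info.get("client_id"))
    if granted is None:
        problems.append("client_id has no domain-wide delegation entry")
    else:
        missing = sorted(set(scopes) - set(granted))
        if missing:
            problems.append("scopes not authorized by admin: " + ", ".join(missing))
    if not subject.lower().endswith("@" + domain.lower()):
        problems.append("subject is outside the delegated domain")
    return problems

if __name__ == "__main__":
    for problem in preflight(SA_KEY, [GMAIL, DIRECTORY], "user@example.com",
                             ADMIN_GRANTS, "example.com"):
        print("FAIL:", problem)
```

Requesting only the scopes each job needs, and authorizing only those in the Admin console, keeps the impersonation grant as narrow as possible.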