We are trying to create a publisher topic to provide a pub/sub channel to be notified when new messages arrive via REST.
We are using two C# API V 1.35.1 and Google PubSub V 1.0 Beta 20.
This works if we are registering the pub/sub for a developer account. But if we try with a standard account, it fails.
To create the topic we have these methods.
    using Google.Apis.Auth.OAuth2;
    using Google.Cloud.PubSub.V1;
    using Grpc.Auth;
    using Grpc.Core;

    // Builds a Pub/Sub publisher client authenticated with the signed-in user's OAuth access token.
    public PublisherServiceApiClient GetPublisher()
    {
        GoogleCredential cred = GoogleCredential.FromAccessToken(GmailCredentials.Token.AccessToken);
        Channel channel = new Channel(PublisherServiceApiClient.DefaultEndpoint.Host,
            PublisherServiceApiClient.DefaultEndpoint.Port, cred.ToChannelCredentials());
        var settings = PublisherServiceApiSettings.GetDefault();
        return PublisherServiceApiClient.Create(channel, settings);
    }

    // Creates the topic in our project using that user-authenticated client.
    public Topic CreateTopic()
    {
        var publisherService = GetPublisher();
        var topicName = new TopicName(GmailProjectId, GMailVenueTopic);
        Topic topic = publisherService.CreateTopic(topicName);
        return topic;
    }
The failure occurs at:

    publisherService.CreateTopic(topicName);

with the exception

    Grpc.Core.RpcException

and message:

    "Status(StatusCode=PermissionDenied, Detail="User not authorized to perform this action.")"
These are the permissions requested at the time we logged in through OAuth using the Gmail authentication API.

    GoogleWebAuthorizationBroker.AuthorizeAsync

These are the scopes that are added:
    public string GmailScopes => "https://mail.google.com/ " +
        "https://www.googleapis.com/auth/gmail.compose " +
        "https://www.googleapis.com/auth/gmail.insert " +
        "https://www.googleapis.com/auth/gmail.modify " +
        "https://www.googleapis.com/auth/gmail.send " +
        "https://www.googleapis.com/auth/gmail.labels " +
        "https://www.google.com/m8/feeds/ " +
        "https://www.googleapis.com/auth/contacts " +
        "https://www.googleapis.com/auth/contacts.readonly " +
        "https://www.googleapis.com/auth/admin.directory.user " +
        "https://www.googleapis.com/auth/admin.directory.group.member " +
        "https://www.googleapis.com/auth/admin.directory.group " +
        "https://www.googleapis.com/auth/gmail.readonly " +
        "https://www.googleapis.com/auth/cloud-platform " +
        "profile " + "email";
Q: Is there a missing scope that's required when we're using a standard account, not a developers account?
Q: Could this somehow be related to the C# API being in beta?
Note: These are additional comments.
Let me explain what we are trying to do, to be sure that the approach we have taken is compatible with what the Gmail API provides.
Currently, we have a server application that has this workflow:
- Asks a mobile device to get their OAuth token and sends it to our server.
- Creates a thread where our server connects via IMAP using the mobile's OAuth token.
- Uses the IMAP idle() to listen for new email events.
We are trying to replace this design with a REST-based approach. We don’t want to spawn hundreds of threads, each with an open socket to IMAP.
From your answers we believe we would be required to do the following:
- From the project owner's account, add each customer’s account to our IAM with the role of Pub/Sub Subscriber
- From the end user's account, log in to the Gmail API using the OAuth credentials and call “watch” every day to keep the subscription active.
The problems with this approach are:
- We are creating a SaaS application. The users are not members of our organization.
- All of the user accounts will need to be added to our organization IAM with the role of Pub/Sub Subscriber
- We don’t see any APIs to allow us to add users to our IAM; we must go through the console.
Not sure where we are going wrong here. Thanks in advance for your feedback.
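
An added example, not part of the original post: in Gmail's documented push-notification setup, the topic is created once with the project's own credentials and the Pub/Sub Publisher role on it is granted to the Gmail service account gmail-api-push@system.gserviceaccount.com, so the end user's OAuth token is used only for the "watch" call. The code below shows that user-side call, assuming the topic already exists; `WatchRegistrar`, `RegisterWatch` and the application name are hypothetical.

```csharp
using Google.Apis.Auth.OAuth2;
using Google.Apis.Gmail.v1;
using Google.Apis.Gmail.v1.Data;
using Google.Apis.Services;

public static class WatchRegistrar // hypothetical helper, not from the post
{
    // Assumption: the topic was created beforehand with the project's own
    // credentials, and gmail-api-push@system.gserviceaccount.com holds the
    // Pub/Sub Publisher role on it. No end user is added to the project's IAM.
    public static WatchResponse RegisterWatch(
        string userAccessToken, string projectId, string topicId)
    {
        // The user's token only has to cover Gmail. It never calls Pub/Sub,
        // so the end user does not need to consent to the cloud-platform scope.
        GoogleCredential credential = GoogleCredential.FromAccessToken(userAccessToken);
        var gmail = new GmailService(new BaseClientService.Initializer
        {
            HttpClientInitializer = credential,
            ApplicationName = "watch-registrar" // constructed sample value
        });

        var request = new WatchRequest
        {
            // Fully qualified name of the topic in the application's project.
            TopicName = $"projects/{projectId}/topics/{topicId}",
            LabelIds = new[] { "INBOX" }
        };

        // "me" resolves to the mailbox that owns the access token.
        // The response carries HistoryId and Expiration; call this again
        // before Expiration to keep notifications flowing.
        return gmail.Users.Watch(request, "me").Execute();
    }
}
```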