2
votes

I am trying to set up the service account and domain-wide authority. I have successfully created service account and also delegated the domain-wide authority.

I have enabled all required scopes for the service account: Required scopes

In code I am able to operate with our domain users' calendars or mail, but not Drive.

I am running following code:

using Google.Apis.Auth.OAuth2;
using Google.Apis.Calendar.v3;
using Google.Apis.Drive.v3;
using Google.Apis.Gmail.v1;
using Google.Apis.Services;
using Google.Apis.Tasks.v1;

// Every scope requested on the assertion; all of them must also be
// delegated to the service account in the admin console.
public static readonly string[] REQUIRED_PERMISSIONS =
{
   CalendarService.Scope.Calendar,
   "https://www.google.com/m8/feeds/contacts",
   TasksService.Scope.Tasks,
   DriveService.Scope.Drive,
   DriveService.Scope.DriveAppsReadonly,
   DriveService.Scope.DriveFile,
   DriveService.Scope.DriveAppdata,
   DriveService.Scope.DriveMetadataReadonly,
   DriveService.Scope.DriveReadonly,
   GmailService.Scope.MailGoogleCom
};

// Service account credential impersonating a domain user (domain-wide delegation).
var cred = new ServiceAccountCredential(new ServiceAccountCredential.Initializer("user.iam.gserviceaccount.com")
{
    Scopes = REQUIRED_PERMISSIONS,
    User = "test@domain"
}.FromPrivateKey(@"privatekey"));

var mailService = new GmailService(new BaseClientService.Initializer()
{
    HttpClientInitializer = cred,
    ApplicationName = ApplicationName,
});

// The first API call triggers the token request, which is where the error surfaces.
var result = mailService.Users.GetProfile("me");

var resultFetch = result.Execute();

I get the error Google.Apis.Auth.OAuth2.Responses.TokenResponseException: 'Error:"unauthorized_client", Description:"Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.", Uri:""'

I know that I am using a Gmail request; however, that's just a "test connection". Later on, Drive requests will be used.

When I remove the Drive-related scopes all is working; however, that's not a solution.

I have:

  1. Domain-wide authority enabled
  2. Service account created
  3. Drive API enabled

I have also tried these questions: Access Domain wide Google Drive data with ServiceAccount Actor user; Failure of delegation of Google Drive access to a service account

1 Answer

0
votes

Your issue is due to the fact that you are using too many scopes and they are overlapping in their authority. What I mean is that DriveService.Scope.Drive will permit you to do any action (read/create/write/delete), meanwhile DriveService.Scope.DriveAppsReadonly will only allow you to do read operations (get/list); for that reason it will take away the permissions you set beforehand.

I would recommend you to use only the DriveService.Scope.Drive scope for testing purposes and then restrict the permissions further as you feel needed. Also, don't forget to change the Scopes in your Manage API client access.

You can check all the Drive API Scopes HERE.
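The check a practitioner would want before cutting the scope list down is which of the requested scopes the admin console has actually delegated to the service account, since one missing scope fails the whole assertion with unauthorized_client. The following is an added example, not the asker's or answerer's code: it requests a token for each scope on its own and reports the outcome, then builds the production credential with a single least-privilege scope. It assumes a service-account JSON key file (`service-account-key.json`), an impersonated user (`user@example.com`) and the application name `delegation-check`, all placeholders, and uses the GoogleCredential API from the Google.Apis.Auth package.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Responses;
using Google.Apis.Drive.v3;
using Google.Apis.Services;

public static class DelegationCheck
{
    // Builds a domain-wide-delegation credential for one impersonated user
    // with exactly the scopes passed in, from a service-account JSON key file.
    // keyFilePath and user are placeholders supplied by the caller.
    public static GoogleCredential CreateDelegatedCredential(
        string keyFilePath, string user, IEnumerable<string> scopes)
    {
        return GoogleCredential.FromFile(keyFilePath)
            .CreateScoped(scopes)
            .CreateWithUser(user);
    }

    // Requests a token for each scope separately and records the result.
    // A scope that is not listed under "Manage API client access" for this
    // service account fails with unauthorized_client, so the map tells you
    // exactly which entries in your scope list are not delegated.
    public static async Task<IDictionary<string, string>> ProbeScopesAsync(
        string keyFilePath, string user, IEnumerable<string> scopes)
    {
        var outcome = new Dictionary<string, string>();
        foreach (var scope in scopes)
        {
            var cred = CreateDelegatedCredential(keyFilePath, user, new[] { scope });
            try
            {
                // Forces the JWT assertion / token exchange without calling any API.
                await cred.GetAccessTokenForRequestAsync();
                outcome[scope] = "delegated";
            }
            catch (TokenResponseException ex)
            {
                outcome[scope] = ex.Error.Error + ": " + ex.Error.ErrorDescription;
            }
        }
        return outcome;
    }

    public static async Task Main()
    {
        // Placeholders: replace with your own key file and a user in your domain.
        string keyFilePath = "service-account-key.json";
        string user = "user@example.com";

        var results = await ProbeScopesAsync(keyFilePath, user, new[]
        {
            DriveService.Scope.Drive,
            DriveService.Scope.DriveReadonly,
        });
        foreach (var kv in results)
            Console.WriteLine($"{kv.Key} -> {kv.Value}");

        // Least privilege: once you know which scope the job really needs,
        // build the production credential with that single scope and nothing else.
        var drive = new DriveService(new BaseClientService.Initializer
        {
            HttpClientInitializer = CreateDelegatedCredential(
                keyFilePath, user, new[] { DriveService.Scope.DriveReadonly }),
            ApplicationName = "delegation-check",
        });

        var list = drive.Files.List();
        list.PageSize = 5;
        list.Fields = "files(id, name)";
        var files = await list.ExecuteAsync();
        foreach (var f in files.Files)
            Console.WriteLine($"{f.Id} {f.Name}");
    }
}
```

Run the probe once after changing the delegated scope list in the admin console; every scope that prints "delegated" is safe to request, and any scope still reporting unauthorized_client has to be either added there or dropped from the client. Keeping the production credential to one narrowly scoped entry also limits the blast radius if the service-account key is ever exposed.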