Insufficient Permission: Request had insufficient authentication scopes in google directory API when logging through admin

4
votes

I'm using google admin directory API to get all accounts public information using following API https://www.googleapis.com/admin/directory/v1/users

here is link for this api link when I logged in using g suite domain account let say [email protected] with non administrative user this api works fine and fetch the data of all accounts in array but When I call this API by logging in as admin it gives me following error /

Insufficient Permission: Request had insufficient authentication scopes

why its happening Im using same auth and API key for both users
my code is here 

const token =localStorage.getItem('token')
 fetch(`https://www.googleapis.com/admin/directory/v1/users? 
 domain=${domain.url}&viewType=domain_public&key=${apiKey.key}`  
  ,{ headers: {
'authorization': 'Bearer '+token
  },})

  .then(response => response.json())
  .then(data => this.setState({ users:data.users }));

token is coming from this module npm react google login google sign in button

2
reactjsgoogle-admin-sdkgoogle-directory-api
Hello @Asad, what scopes did you use for the request? Moreover, did you use any parameters for the request? - ale13
Scope is set by default like first im logining with google auth then im sending two params view_type and domain here you can look developers.google.com/admin-sdk/directory/v1/reference/users/… @ale13 - Asad
im sending my domain name domain.com and view_type = domain_public for non admin user - Asad
with access token in header like this bearer xxxxx xxx is access token @ale13 - Asad
Hello @Asad, how are you calling the API? What are you getting if you are using the OAuth 2.0 Playground with the same parameters as above? Cheers! - ale13

2 Answers

2
votes

It seems that the issue you are encountering is related to the way you are using the access token, more precisely in the way you use the scopes for the admin account in relation to the access token you have.

If the scopes you want to use with the two accounts don't match entirely, you will need to get another access token when you use the admin account.

So in order to solve your issue, you will have to get a new access token for the scopes you will be using for the admin account. You can declare them like this:

const SCOPES = ['https://www.googleapis.com/auth/admin.directory.user.readonly' 'OTHER_SCOPE_1' 'OTHER_SCOPE_2'...];

Same goes for the non-admin account; if the scopes don't match entirely, declare them like above and get another access token which will be the one matching them.

Reference

0
votes

with the help of @ale13 I came to know that I need to add scopo in react-module react google login

so I added following scope

https://www.googleapis.com/auth/admin.directory.user

and I still don't know how this works for non admin user without adding scope