Google Directory API: Unable to access User/Group endpoints using Service Account (403)

0
votes

I am trying to verify members of groups using the Google Directory API and cannot get past a 403 error every time I make the request.

I am using a service account, which I have enabled the "Enable G Suite Domain-wide Delegation" option for. I have also added the "https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group" Scopes using the Client ID within Suite under, "Manage API Client Access"

Code wise, I am using Node for this, and the google supplied googleapis package from NPM.

The external JSON file is the JSON credentials file downloaded when I created the service user.

Here's the code of me trying to get the request.

import { google } from 'googleapis';

async function getGroupUsers(){
const auth = await google.auth.getClient({
    keyFile: './src/jwt.keys.json',
    scopes: [
      'https://www.googleapis.com/auth/admin.directory.group',
      'https://www.googleapis.com/auth/admin.directory.group.member',
    ],
  });
  const admin = google.admin({
    version: 'directory_v1',
    auth,
  });

  const res = await admin.groups.get({
    groupKey: '[email protected]',
  });
  console.log(res)
}

I can't see any obvious reason this isn't working, as I can't see how the user doesn't have permission to the resource?

Obviously missing something obvious here, as the google documentation for this is all over the shop sadly.

Help greatly appreciated!

Thanks

Gareth

1
node.jsgoogle-apigoogle-workspace

1 Answers

0
votes

Ok after much banging of head and googling I finally for there with this, final working code is as follows, not the inclusion of the client.subject value, which has to be an administrator for the domain in question.

async function validateToken(idToken) {

  const keys = JSON.parse(GOOGLE_CREDS);

  const client = auth.fromJSON(keys);

  client.scopes = [
    'https://www.googleapis.com/auth/admin.directory.user',
    'https://www.googleapis.com/auth/admin.directory.group',
  ];

  client.subject = '[email protected]';

  const admin = google.admin({
    version: 'directory_v1',
    // auth,
    auth: client,
  });

  const res = await admin.groups.list({
    domain: 'redacted',
    userKey: email,
  });

  const { groups } = res.data;
  let role = '';

  // Check for user role
  if (containsGroup(USER_GROUP, groups)) {
    role = USER_GROUP;
  }

  // Check for admin role
  if (containsGroup(ADMIN_GROUP, groups)) {
    role = ADMIN_GROUP;
  }

  // Not an admin or user so return unathenticated
  if (role === '') {
    return authResponse();
  }

  return successResponse({
    'X-Hasura-User-Id': userid,
    'X-Hasura-Email': email,
    'X-Hasura-Role': role,
    'X-Hasura-Groups': groups.map(group => group.id),
    'Cache-Control': 'max-age=600',
  });
}