1
votes

I am able to create an event in Google Calendar using a service account and the Google Calendar API. The project and service account were created in a Google Workspace admin account, and in the same account I have enabled the domain-wide delegation property. I haven't created a separate calendar and haven't given access to the service account. If I use my Workspace Google account in createDelegated(), the event is created in the '[email protected]' calendar, and the 'created by' property is also the same for every attendee I have added.

GoogleCredentials googleCredentials = GoogleCredentials
                    .fromStream(new FileInputStream(CREDENTIALS_FILE_PATH)).createScoped(SCOPES)
                    .createDelegated("[email protected]");

So my question is: what if I need to create an event for a non-Workspace Google account (let's say [email protected])?

Can I pass '[email protected]' into createDelegated()? If I do, I get:

Error getting access token for service account: 400 Bad Request

So how do I create an event for a non-Workspace Google account?

Note: The app type is still 'Internal' in the OAuth consent screen.

Could someone explain what I am missing here?

2 Answers

0
votes

A service account with domain-wide delegation can only be used for domains.

A Google Workspace account is a domain; a personal consumer account is not a domain.

Consequently, you cannot perform a request on behalf of a consumer account user via a service account.

Instead, you would need to create the event directly as [email protected] similar to the documentation sample.

0
votes

No, you can only delegate to an account on your domain:

createDelegated("[email protected]");

You cannot delegate to a standard Google account, as there would be no way for you to configure the permissions.

Perform Google Workspace Domain-Wide Delegation of Authority

Note: Only users with access to the Admin APIs can access the Admin SDK Directory API, therefore your service account needs to impersonate one of those users to access the Admin SDK Directory API. Additionally, the user must have logged in at least once and accepted the Google Workspace Terms of Service.

Owner vs attendee.

A properly delegated service account will have permission to create an event on behalf of a user in the domain for which it has been delegated permission.

Example: I have delegated permission to my service account to user [email protected]. For all intents and purposes, the service account now has all permissions of User1. So the service account can create a new event on behalf of user1 and invite anyone to the event they choose.

As there is no way to set up delegation to [email protected], there is no way for the service account to act like this user, as it is a standard Gmail user.

The only way for an application to create an event on behalf of [email protected] would be to use OAuth2 and request the consent of [email protected] to access their private data. Then the application would be able to create a new event on behalf of [email protected].

Remember, this is creating an event. There is nothing stopping the service account delegated as [email protected] from inviting [email protected] to the event. [email protected] will then be notified that they have been invited to the event; they can then decide whether they want to attend, and if they accept, it will appear in their Google Calendar account. Notice how [email protected] had to manually accept this. [email protected] did not have to manually accept that the event was created in their Google Calendar, as the service account was acting on their behalf.
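As an added example (not code from either answer or from Google's libraries), here is a plain-JDK guard that checks a subject before it is handed to createDelegated(), so a consumer address is rejected up front instead of surfacing as the 400 token error, and that lists which invitees can only be attendees. The class name, the domain set and the addresses are constructed assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
public class DelegationGuard {
    // Assumption: the Workspace domain(s) whose admin granted this service account delegation.
    private final Set<String> workspaceDomains;

    public DelegationGuard(Set<String> workspaceDomains) { this.workspaceDomains = workspaceDomains; }

    // Lower-cased domain part; throws on a malformed address.
    static String domainOf(String email) {
        int at = email == null ? -1 : email.lastIndexOf('@');
        if (at <= 0 || at == email.length() - 1) {
            throw new IllegalArgumentException("Not an email address: " + email);
        }
        return email.substring(at + 1).trim().toLowerCase(Locale.ROOT);
    }

    // Call before createDelegated(subject): only users in a delegated domain can be impersonated.
    public String requireDelegable(String subject) {
        if (!workspaceDomains.contains(domainOf(subject))) {
            throw new IllegalArgumentException(subject + " is outside the delegated domain; "
                + "invite it as an attendee or use user-consent OAuth2");
        }
        return subject;
    }

    // Invitees the service account cannot act as; they can only be invited and must accept.
    public List<String> inviteOnly(List<String> invitees) {
        List<String> external = new ArrayList<>();
        for (String invitee : invitees) {
            if (!workspaceDomains.contains(domainOf(invitee))) external.add(invitee);
        }
        return external;
    }

    public static void main(String[] args) {
        DelegationGuard guard = new DelegationGuard(Set.of("corp.example")); // constructed domain
        System.out.println("impersonate: " + guard.requireDelegable("alice@corp.example"));
        System.out.println("invite only: "
            + guard.inviteOnly(List.of("bob@corp.example", "carol@consumer.example")));
        try {
            guard.requireDelegable("carol@consumer.example"); // constructed consumer address
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Keeping the impersonation subject on an explicit allowlist also limits which mailboxes a leaked or misused service-account key can be pointed at from this code path.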