我尝试使用 C# 和 google-admin-directory_v1-rev24-csharp-1.7.0-beta 客户端库创建用户,但是我不断遇到异常:
Google.GoogleApiException was unhandled
HResult=-2146233088
Message=Google.Apis.Requests.RequestError
Not Authorized to access this resource/api [403]
Errors [
Message[Not Authorized to access this resource/api] Location[ - ] Reason[forbidden] Domain[global]
]
Source=Google.Apis
ServiceName=admin
StackTrace:
at Google.Apis.Requests.ClientServiceRequest`1.Execute() in c:\code\google.com\google-api-dotnet-client\default\Tools\Google.Apis.Release\bin\Debug \output\default\Src\GoogleApis\Apis\Requests\ClientServiceRequest.cs:line 102
at ConsoleApplication1.Program.Main(String[] args) in c:\Users\darin.BASEHEX\Documents\Visual Studio 2013\Projects \ConsoleApplication1\ConsoleApplication1\Program.cs:line 55
at System.AppDomain._nExecuteAssembly(RuntimeAssembly assembly, String[] args)
at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()
InnerException:
我首先在开发人员控制台中创建一个项目,在 API 设置页面下打开 ADMIN SDK,在凭据页面下创建一个服务帐户并下载 p12.key 证书,填写同意屏幕并然后我转到管理控制台上的“安全”页面,选择“高级”选项卡,选择“管理第三方 OAuth 客户端访问”,从我创建的服务帐户中粘贴客户端 ID,并分配范围 https://www.googleapis.com/auth/admin.directory.user/ 。异常正在线上引发:
User results = service.Users.Insert(newuserbody).Execute();
完整的 C# 程序如下。
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Security.Cryptography.X509Certificates;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Admin.Directory.directory_v1.Data;
using Google.Apis.Services;
namespace ConsoleApplication1
{
class Program
{
static void Main(string[] args)
{
String serviceAccountEmail = "A bunch of alpha <a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="0e607b636b7c676d7d4e6a6b786b62617e6b7c20697d6b7c78676d6b6f6d6d617b607a206d6163" rel="noreferrer noopener nofollow">[email protected]</a>";
var certificate = new X509Certificate2(@"key.p12", "notasecret", X509KeyStorageFlags.Exportable);
ServiceAccountCredential credential = new ServiceAccountCredential(
new ServiceAccountCredential.Initializer(serviceAccountEmail)
{
Scopes = new[] { DirectoryService.Scope.AdminDirectoryUser },
User = "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="afcecbc2c6c1efc2d6cbc0c2cec6c181ccc0c2" rel="noreferrer noopener nofollow">[email protected]</a>" <-------- Added ADMIN User to fix
}.FromCertificate(certificate));
// Create the service.
var service = new DirectoryService(new BaseClientService.Initializer()
{
HttpClientInitializer = credential,
ApplicationName = "User Provisioning",
});
User newuserbody = new User();
UserName newusername = new UserName();
newuserbody.PrimaryEmail = "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="7e1c1c1f1d11103e13071a11131f1710501d1113" rel="noreferrer noopener nofollow">[email protected]</a>";
newusername.GivenName = "Bob";
newusername.FamilyName = "Bacon";
newuserbody.Name = newusername;
newuserbody.Password = "iambacon";
User results = service.Users.Insert(newuserbody).Execute();
Console.WriteLine("Press any key to continue!");
Console.ReadKey();
}
}
}
我觉得这是我所缺少的非常简单的东西,但是我已经没有任何关于该看什么的想法了。任何帮助将不胜感激!
最佳答案
您的服务帐户似乎没有冒充此通话中的任何用户。当您想使用服务帐号创建新用户时,您需要冒充管理员帐号(注意:只有管理员才能创建用户)。
查看此域范围授权的云端硬盘示例:
https://developers.google.com/drive/delegation
您可以看到,对于 .net 部分,它有以下额外的行:
ServiceAccountUser = 用户电子邮件
您需要创建一个由服务帐户授权的服务对象,该服务帐户将代表给定用户进行操作。
关于google-admin-sdk - Google Admin SDK 无法创建用户 - 异常 403 禁止,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/20956767/