Question

I want to make an insert authorized request. According to API Explorer I need the following scopes:

In code it would look like this:

{
    ...
  , "scopes": [
        "https://www.googleapis.com/auth/admin.directory.group"
      , "https://www.googleapis.com/auth/admin.directory.group.member"
   ]
}

I have a pem file that I use for JWT authentication. Let's look at the code:

// dependencies
var Assert = require('assert')
  , GoogleApis = require('googleapis')
  , authData = require("./authData")
  ;

// output
console.log("Auth data is: ", authData);

// set jwt data
var jwt = new GoogleApis.auth.JWT(
    authData.email
  , authData.keyFile
  , authData.key
  , authData.scopes // my scopes
  , "ionica.bizau@example.com"
);

// authorize
jwt.authorize(function (err, data) {

    // output error
    if (err) {
        console.log("Error: ", err);
        return;
    }

    /* run authorized requests */
});

I get the following error:

{
    error: 'access_denied',
    error_description: 'Requested scopes not allowed: https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.group.member'
}

Why am I getting this error?

Solution

While impersonating an Apps user with a service account, you need to explicitly give grants to the service account for the required scopes. This is how admins can limit what service accounts can do on behalf of the actual user.

The Google Drive API docs summarize the steps at https://developers.google.com/drive/web/delegation#delegate_domain-wide_authority_to_your_service_account
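
One way to handle the `access_denied` response from the question inside the `jwt.authorize` callback, as an added example that is not part of the original answer: it extracts the refused scopes from `error_description` (format assumed from the error shown in the question) and builds the comma-delimited list an admin would authorize for the service account's client ID. The names `rejectedScopes` and `delegationReport` are hypothetical.

```javascript
// Added example: diagnose the 'access_denied' error from the question.
// Assumption: error_description lists the refused scopes, space-separated,
// after the prefix below (the format shown in the question's output).
const SCOPE_ERROR_PREFIX = 'Requested scopes not allowed:';

// Return the scopes named in the error, or [] when the error is not a
// scope-delegation failure (for example a bad key or an unknown client).
function rejectedScopes(err) {
  if (!err || err.error !== 'access_denied') return [];
  const desc = String(err.error_description || '');
  const idx = desc.indexOf(SCOPE_ERROR_PREFIX);
  if (idx === -1) return [];
  return desc.slice(idx + SCOPE_ERROR_PREFIX.length).split(/\s+/).filter(Boolean);
}

// Compare the refused scopes with what the code requested, so the admin is
// asked to grant only what the service account actually needs.
function delegationReport(err, requested) {
  const refused = rejectedScopes(err);
  const wanted = new Set(requested);
  return {
    isScopeProblem: refused.length > 0,
    missingGrants: refused.filter((s) => wanted.has(s)),
    unexpected: refused.filter((s) => !wanted.has(s)),
    // The Admin console takes the scopes as one comma-delimited value.
    adminConsoleValue: refused.join(','),
  };
}

// Constructed sample, copied from the error and scopes in the question.
const sampleScopes = [
  'https://www.googleapis.com/auth/admin.directory.group',
  'https://www.googleapis.com/auth/admin.directory.group.member',
];
const sampleError = {
  error: 'access_denied',
  error_description: 'Requested scopes not allowed: ' + sampleScopes.join(' '),
};

console.log(delegationReport(sampleError, sampleScopes));
```

Call `delegationReport(err, authData.scopes)` in the `if (err)` branch; a non-empty `unexpected` list means the code is requesting more than it declares.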

License: CC-BY-SA with attribution
Not affiliated with StackOverflow