ArgumentException: Precondition failed.: !string.IsNullOrEmpty(authorization.RefreshToken) with Service Account for Google Admin SDK Directory access

StackOverflow https://stackoverflow.com/questions/19321564

Question

I'm trying to access the Google Directory using a Service Account. I've fiddled with the DriveService example to get this code:

public static void Main(string[] args)
{
    var service = BuildDirectoryService();

    var results = service.Orgunits.List(customerID).Execute();
    Console.WriteLine("OrgUnits");
    foreach (var orgUnit in results.OrganizationUnits)
    {
        Console.WriteLine(orgUnit.Name);
    }

    Console.ReadKey();
}

static DirectoryService BuildDirectoryService() 
{
    X509Certificate2 certificate = new X509Certificate2(SERVICE_ACCOUNT_PKCS12_FILE_PATH, "notasecret",
        X509KeyStorageFlags.Exportable);

    var provider = new AssertionFlowClient(GoogleAuthenticationServer.Description, certificate)
    {
        ServiceAccountId = SERVICE_ACCOUNT_EMAIL,
        Scope = DirectoryService.Scopes.AdminDirectoryOrgunit.GetStringValue()
    };

    var auth = new OAuth2Authenticator<AssertionFlowClient>(provider, AssertionFlowClient.GetState);

    return new DirectoryService(new BaseClientService.Initializer()
    {
        Authenticator = auth,
        ApplicationName = "TestProject1",
    });
}

When I run it, I get

ArgumentException: Precondition failed.: !string.IsNullOrEmpty(authorization.RefreshToken)

I'm going round in circles in the Google documentation. The only stuff I can find about RefreshTokens seems to be for when an individual is authorizing the app and the app may need to work offline. Can anyone help out or point me in the direction of the documentation that will, please?


Solution 2

The above code will work if you replace the provider block with:

var provider = new AssertionFlowClient(GoogleAuthenticationServer.Description, certificate)
{
    ServiceAccountId = SERVICE_ACCOUNT_EMAIL,
    Scope = DirectoryService.Scopes.AdminDirectoryOrgunit.GetStringValue(),
    ServiceAccountUser = SERVICE_ACCOUNT_USER //"my.admin.account@my.domain.com"
};

I had seen this in another post and tried it with my standard user account and it didn't work. Then I read something that suggested everything had to be done with an admin account. So, I created a whole new project, using my admin account, including creating a new service account, and authorising it. When I tried it, it worked. So, then I put the old service account details back in but left the admin account in. That worked, too.
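
What the `ServiceAccountUser` setting changes on the wire, as an added example that is not code from the post or from Google's client library: it decodes the claim segment of a service-account JWT assertion and reports whether the request acts as the service account itself or as a delegated user. The claim names (`sub`, with `prn` for older clients), the token endpoint and all e-mail addresses are assumptions or constructed sample values.

```python
import base64
import json

# Prefix shared by Admin SDK Directory scopes such as ...admin.directory.orgunit
ADMIN_SCOPE_PREFIX = "https://www.googleapis.com/auth/admin.directory."

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_sample_assertion(claims: dict) -> str:
    """Constructed sample: real header and claims, placeholder signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    parts = (json.dumps(header).encode(), json.dumps(claims).encode(), b"placeholder-signature")
    return ".".join(_b64url(p) for p in parts)

def read_claims(assertion: str) -> dict:
    """Decode the claim segment of a header.claims.signature JWT (no verification)."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.claims.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def describe(assertion: str) -> dict:
    claims = read_claims(assertion)
    # Assumption: the delegated user travels as "sub" (older clients sent "prn").
    subject = claims.get("sub") or claims.get("prn")
    admin = [s for s in claims.get("scope", "").split() if s.startswith(ADMIN_SCOPE_PREFIX)]
    return {
        "acts_as": subject or claims.get("iss"),
        "impersonates_user": subject is not None,
        "admin_scopes": admin,
        # The failing setup in the question: Directory scope, no delegated user.
        "missing_delegated_user": bool(admin) and subject is None,
    }

# Constructed values; none of these identifiers come from the post.
BASE = {
    "iss": "svc@example-project.iam.gserviceaccount.com",
    "scope": ADMIN_SCOPE_PREFIX + "orgunit",
    "aud": "https://oauth2.googleapis.com/token",
    "iat": 1700000000,
    "exp": 1700003600,
}
WITHOUT_USER = make_sample_assertion(BASE)
WITH_USER = make_sample_assertion({**BASE, "sub": "admin@example.com"})

if __name__ == "__main__":
    for name, token in (("without user", WITHOUT_USER), ("with user", WITH_USER)):
        print(name, describe(token))
```

The same decoding is useful when reviewing which service-account integrations impersonate an admin account, since any assertion with a delegated user acts with that user's rights within the granted scopes.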

Other tips

Service Account authorization actually does not return a Refresh Token - so this error makes sense. Do you know where this is coming from?

I am not too familiar with the .NET client library but having the full error trace would help.

As a long shot - the error might be a bad error:

  • Can you confirm that you've enabled the Admin SDK in the APIs console for this project?
  • Can you confirm that you whitelisted that Client ID for the service account in the domain you are testing with (along with the Admin SDK scopes)?
License: CC-BY-SA with attribution
Not affiliated with StackOverflow