Google Apps Email Settings API and oauth2.0 Credential with service account

Question

I'm trying to use Oauth 2.0 Google Credential with service account in java to edit user signature but i receive that error:

com.google.gdata.util.ServiceForbiddenException: OK
<HTML><HEAD><TITLE>You are not authorized to access this API.</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>You are not authorized to access this API.</H1><H2>Error 403</H2></BODY></HTML>

I have created a piece of code to use GoogleCredential object with service account email in this mode:

  HttpTransport httpTransport = new NetHttpTransport();
  JacksonFactory jsonFactory = new JacksonFactory();
  Collection<String> clist= new ArrayList<String>(
            Arrays.asList("https://apps-apis.google.com/a/feeds/emailsettings/2.0/",                    "https://www.googleapis.com/auth/admin.directory.user" 
                    ));
  GoogleCredential gc=null;
try {
    gc = new GoogleCredential.Builder().setTransport(httpTransport)
      .setJsonFactory(jsonFactory)
      .setServiceAccountId(c.getServiceAccountEmail())
      .setServiceAccountScopes(clist)
      .setServiceAccountPrivateKeyFromP12File(new java.io.File(c.getPkcs12FileName()))
      .build();
} catch (GeneralSecurityException e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
} catch (IOException e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
}
  this.setOAuth2Credentials(gc);

I have inserted the scopes in the domain Google Apps for Business panel for the service account and in the console project i have enabled Admin sdk API.

Why i receive that i'm not authorized? I'm allowed to use Oauth 2.0 instead of unsername and password of the admin like in this code?

https://developers.google.com/admin-sdk/email-settings/#manage_signature_settings

Why there isn't an official gmail settings service that is not a appsforyoudomainservice used for sample?Oauth 2.0 with service account it's supported?

Thank you

Answer 1

You've granted the service account rights to act on behalf of your users. Now the service account needs to act as a user in your domain with rights to perform signature updates for all users, in other words, it needs to act as a super admin. Try adding:

.setServiceAccountUser(userEmail)

where userEmail is the email address of a super admin within your Google Apps instance. A good walkthrough for this is in the Admin SDK documentation.