Access Google Directory API from a Marketplace App using 2lo

Question

I've spent the past couple of days trying to access Google's Directory API in Ruby but haven't been able to get it working. According to this document the Directory API can be authorized using 2lo:

If your application has certain unusual authorization requirements, such as logging in at the same time as requesting data access (hybrid) or domain-wide delegation of authority (2LO), then you cannot currently use OAuth 2.0 tokens. In such cases, you must instead use OAuth 1.0 tokens and an API key. You can find your application's API key in the Google APIs Console, in the Simple API Access section of the API Access pane.

I currently have working code that can access the Provisioning API using 2lo. From the documentation it sounds that I can use this same code to access the Directory API by just adding an API access key parameter to the request and enabling a few permissions. However, it's not working and I have no idea why.

Here is the request code:

def self.get_user2(email)
  @client = Google::APIClient.new(:authorization => :two_legged_oauth_1)
  @client.authorization.client_credential_key = GOOGLE_APP_KEY
  @client.authorization.client_credential_secret = GOOGLE_APP_SECRET
  @directory = @client.discovered_api('admin', 'directory_v1')
  result = @client.execute(
    @directory.users.get, 
    'userKey' => email,
    :key => GOOGLE_API_KEY
  )
  JSON.parse(result.body)
end

This gets me the response:

{
  "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "authError",
    "message": "Invalid Credentials",
    "locationType": "header",
    "location": "Authorization"
   }
  ],
  "code": 401,
  "message": "Invalid Credentials"
 }
}

I've added the required scope to my manifest file,

<Scope id="usersAPI">
  <Url>https://www.googleapis.com/auth/admin.directory.user.readonly</Url>
  <Reason>See all users in your company.</Reason>
</Scope>

and also enabled the Admin SDK for my project in the API console.

Here is the log output after adding Faraday.default_connection.response :logger to my development.rb file:

get https://www.googleapis.com/admin/directory/v1/users/brian@crushing.mygbiz.com?key=AIzaSyAHYBWlC_qiihRtTKTZleZlAw2ts8Q1WO8
User-Agent: "google-api-ruby-client/0.6.4 Mac OS X/10.8.4"
Authorization: "OAuth oauth_consumer_key=\"76548528623.apps.googleusercontent.com\", oauth_signature_method=\"HMAC-SHA1\", oauth_timestamp=\"1375899810\", oauth_nonce=\"de4d976eed6883a06b3f6084e3dd0db4\", oauth_version=\"1.0\", oauth_signature=\"3D7aqhBeaCYOYyaF8bWpaM9MA8U%3D\""
Cache-Control: "no-store"
Content-Type: "application/x-www-form-urlencoded"
401
www-authenticate: "AuthSub realm=\"https://www.google.com/accounts/AuthSubRequest\""
content-type: "application/json; charset=UTF-8"
date: "Wed, 07 Aug 2013 18:23:30 GMT"
expires: "Wed, 07 Aug 2013 18:23:30 GMT"
cache-control: "private, max-age=0"
x-content-type-options: "nosniff"
x-frame-options: "SAMEORIGIN"
x-xss-protection: "1; mode=block"
server: "GSE"
connection: "close"

After searching the internet for the past day I am out of ideas for why this isn't working. Ideas anyone?

Answer 1

It turns out I was missing the 'xoauth_requestor_id' field. Thanks to sqrrrl for answering my question on github