问题描述

几天以来，我一直在尝试使服务帐户身份验证适用于Google Admin SDK，但无济于事.我正在使用从Google重新安装的google-api-python-client-1.2库.

我一直在关注Google关于该主题的文档.链接在这里:

htps://developers.google.com/accounts/docs/OAuth2ServiceAccount

htps://developers.google.com/api-client-library/python/guide/aaa_oauth

htp://google-api-python-client.googlecode.com/hg/docs/epy/oauth2client.client.SignedJwtAssertionCredentials-class.html

并运行task.py服务帐户示例，您可以在此处找到它:

htp://code.google.com/p/google-api-python-client/source/browse/samples/service_account/tasks.py?r = c21573904a2df1334d13b13b4380f63463c94c8d0e8

并且一直在这里与相关主题密切研究这两个Stack Overflow线程:

google admin sdk目录api 403 python

Google Admin API将Oauth2用于服务帐户(教育版)-403错误

并且已经研究了gam.py(Dito GAM)中的相关代码.

但是我仍然缺少一些东西，因为在几乎所有我写的测试案例中，我都收到了"oauth2client.client.AccessTokenRefreshError:access_denied"异常.

这是一个简单的测试身份验证示例:

 import httplib2
from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials

f = file('myKey.p12', 'rb')
key = f.read()
f.close()

credentials = SignedJwtAssertionCredentials(
    '[email protected]',
    key,
    sub='[email protected]',
    scope = ['https://www.googleapis.com/auth/admin.directory.user',])

http = httplib2.Http()
http = credentials.authorize(http)
service = build('admin', 'directory_v1', http=http)
 

运行上面的代码时，我得到了这个堆栈转储和异常:

Traceback (most recent call last):
  File "./test.py", line 17, in <module>
    service = build('admin', 'directory_v1', http=http)
  File "/usr/lib/python2.7/dist-packages/oauth2client/util.py", line 132, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/apiclient/discovery.py", line 192, in build resp, content = http.request(requested_url)
  File "/usr/lib/python2.7/dist-packages/oauth2client/util.py", line 132, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/oauth2client/client.py", line 475, in new_request
    self._refresh(request_orig)
  File "/usr/lib/python2.7/dist-packages/oauth2client/client.py", line 653, in _refresh
    self._do_refresh_request(http_request)
  File "/usr/lib/python2.7/dist-packages/oauth2client/client.py", line 710, in _do_refresh_request
    raise AccessTokenRefreshError(error_msg)
oauth2client.client.AccessTokenRefreshError: access_denied

我尝试了多个超级用户帐户，服务帐户和密钥，但总是以相同的异常结束.如果我在task.py示例中添加sub，则最终会出现相同的错误.用prn替换sub也会生成此异常，并且添加private_key_password ='notasecret'不会执行任何操作(这是默认设置). Admin SDK已在Google Developers Console中激活，并且目标帐户具有超级用户权限.这使我认为Google域方面缺少某些内容，但我想不出要检查的其他内容.

有人知道我在做什么错吗?

您是否已在管理控制台中为服务帐户授予了第三方客户端访问权限?

关于设置服务帐户的我要去做的指示是Google对Drive Api的指示.

https://developers.google.com/drive/web/delegation

查看将域范围的权限委派给您的服务帐户"部分，并查看您是否已完成这些步骤.

I have been trying to get the Service Account authentication working for the Google Admin SDK for a few days now to no avail. I am using the google-api-python-client-1.2 library freshly installed from Google.

I have been following Google's documentation on the topic. Links are here:

htps://developers.google.com/accounts/docs/OAuth2ServiceAccount

htps://developers.google.com/api-client-library/python/guide/aaa_oauth

htp://google-api-python-client.googlecode.com/hg/docs/epy/oauth2client.client.SignedJwtAssertionCredentials-class.html

And have the tasks.py Service Account example working which you can be found here:

htp://code.google.com/p/google-api-python-client/source/browse/samples/service_account/tasks.py?r=c21573904a2df1334d13b4380f63463c94c8d0e8

And have been closely studying these two Stack Overflow threads on a related topic here:

google admin sdk directory api 403 python

Google Admin API using Oauth2 for a Service Account (Education Edition) - 403 Error

And have studied the relevant code in gam.py (Dito GAM).

Yet I'm still missing something as I am getting an 'oauth2client.client.AccessTokenRefreshError: access_denied' exception in nearly every test case I write.

Here is a concise example of a test authentication:

import httplib2
from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials

f = file('myKey.p12', 'rb')
key = f.read()
f.close()

credentials = SignedJwtAssertionCredentials(
    '[email protected]',
    key,
    sub='[email protected]',
    scope = ['https://www.googleapis.com/auth/admin.directory.user',])

http = httplib2.Http()
http = credentials.authorize(http)
service = build('admin', 'directory_v1', http=http)

When I run the above code I get this stack dump and exception:

Traceback (most recent call last):
  File "./test.py", line 17, in <module>
    service = build('admin', 'directory_v1', http=http)
  File "/usr/lib/python2.7/dist-packages/oauth2client/util.py", line 132, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/apiclient/discovery.py", line 192, in build resp, content = http.request(requested_url)
  File "/usr/lib/python2.7/dist-packages/oauth2client/util.py", line 132, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/oauth2client/client.py", line 475, in new_request
    self._refresh(request_orig)
  File "/usr/lib/python2.7/dist-packages/oauth2client/client.py", line 653, in _refresh
    self._do_refresh_request(http_request)
  File "/usr/lib/python2.7/dist-packages/oauth2client/client.py", line 710, in _do_refresh_request
    raise AccessTokenRefreshError(error_msg)
oauth2client.client.AccessTokenRefreshError: access_denied

I've tried multiple super user accounts, service accounts, and keys and always end up with the same exception. If I add sub to the tasks.py example I end up with the same error. Replacing sub with prn also generates this exception and adding private_key_password='notasecret' does nothing (it is the default). The Admin SDK is activated in the Google Developers Console and the target accounts have super user privileges. This makes me think something is missing on the Google domain side but I cannot think of anything else to check.

Any one have an idea what I am doing wrong?

Have you granted the third party client access in your Admin Console for your service account?

My to go instruction when it comes to setting up Service Account is the instruction Google has for Drive Api.

https://developers.google.com/drive/web/delegation

Take a look at the "Delegate domain-wide authority to your service account" part and see if you have completed those steps.

这篇关于将Oauth2用于服务帐户的Google Python Admin SDK(教育版)-"oauth2client.client.AccessTokenRefreshError:access_denied"例外的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！