Google-api-nodejs-client: service account impersonating admin user gets unauthorized_client
I'm attempting to use the Admin SDK via a service account in the context of a firebase cloud function. Per these docs I am impersonating an admin user, and have enabled directory-wide delegation (proof). The proper scope (admin.directory.user) has been granted to the API by the admin user.
const google = require('googleapis');
const KEY = require('./mykey.json');
function connect() {
return new Promise((yep, nope) => {
const jwtClient = new google.auth.JWT(
KEY.client_email,
null,
KEY.private_key,
['https://www.googleapis.com/auth/admin.directory.user'],
'[email protected]'
);
jwtClient.authorize((err) => {
if(err) {
nope(err);
} else {
yep(jwtClient);
}
});
});
}
function listUsers(client) {
return new Promise((yep, nope) => {
google.admin('directory_v1').users.list({
auth: client,
domain: 'mydomain.com',
}, (err, response) => {
if (err) {
return nope(err);
}
return yep(response);
});
});
}
function getAllUsers() {
return connect().then((client) => (listUsers(client)));
}
calling getAllUsers() fails at the authorization step with unauthorized_client: Client is unauthorized to retrieve access tokens using this method. This seems to contradict everything I've read about DwD and service accounts. Are you able to shed some light on how this should work?
puglyfe
All 8 comments
same problem, don't mind if u knw how to fix this let me know
gowrisankarvoltuswave
on 2 Mar 2018
I get the same error when following the docs for impersonating a user using the python api client.
formido
on 17 Mar 2018
@jonparrott have you dealt with anything in the Admin SDK? Anyone we could pull in here?
JustinBeckwith
on 20 Apr 2018
I have. Usually this indicates that the service account isn't authorized to do domain-wide delegation, so I would double-check that the proper client ID has been added to the gSuite domain admin console.
As an aside, @JustinBeckwith, the Python auth library uses service_account.Credentials to do OAuth 2.0 access token-based auth, including domain-wide delegation. JWT is an implementation detail here. There is a separate set of credentials, jwt.Credentials, that is used for JWT-as-a-bearer token. Is google.auth.JWT the right credentials class here?
theacodes
on 20 Apr 2018
I also tried this way (creating a specific project, service account and deleagtion-of-autority.. .. but now I am using the default Firebase project service account App Engine ( set as Token Editor)
here is my code:
` const functions = require('firebase-functions');
const admin = require('firebase-admin');
admin.initializeApp();
const { google } = require('googleapis');
const path = require('path');
function googleDriveFilesList () {
// Create a new JWT/OAuth2 client using the key file downloaded from the Google Developer Console
return google.auth.getClient({
keyFile: path.join(__dirname, 'service-key.json'),
scopes: 'https://www.googleapis.com/auth/drive.readonly'
}).then(client => {
// Obtain a new drive client, making sure you pass along the auth client
const drive = google.drive({
version: 'v3',
auth: client
});
// Make an authorized request to list Drive files.
return drive.files.list();
}).then(res => res.data);
}
exports.getGDriveFiles = functions.https.onRequest((req, res) => {
googleDriveFilesList().then((res) => {
return { status: 200, infos: res };
}, error => {
return {status: error.status, infos: error.message};
}).then(response => {
return res.send(response);
}).catch(console.error);
});`
ghost
on 23 May 2018
ghost, how can that work without telling the drive service which google account to run under the context of? When authorizing with a service account file from GCP, the service would have no idea which user (i.e. [email protected], or something) to make the API calls for. And yet, I cannot find a single working example on this internet doing this in Node.js.
mryerse
on 27 Mar 2019
I got a service account working with the gmail api
I followed this tutorial for the google console and google admin portion: https://medium.com/lyfepedia/sending-emails-with-gmail-api-and-python-49474e32c81f
And here's my working code that let's me send emails on behalf of any email in my google apps domain without refreshTokens or OAuth2
var fs = require("fs-extra");
const { google } = require('googleapis');
//this is the json credentials you get from google service setip
var config = fs.readJsonSync("/Users/jed/config.json");
var sendFrom = "[email protected]";
var authClient = new google.auth.JWT(
config.client_email,
null,
config.private_key,
['https://www.googleapis.com/auth/gmail.send'],
sendFrom
);
const gmail = google.gmail({
version: 'v1',
auth: authClient,
});
const messageParts = [
'From: ' + sendFrom,
'To: [email protected]',
'Content-Type: text/html; charset=utf-8',
'MIME-Version: 1.0',
`Subject: Poop`,
'',
'This is a message just to say hello.',
'So... <b>Hello!</b>',
];
const message = messageParts.join('\n');
// The body needs to be base64url encoded.
const encodedMessage = Buffer.from(message)
.toString('base64')
.replace(/\+/g, '-')
.replace(/\//g, '_')
.replace(/=+$/, '');
gmail.users.messages.send({
userId: sendFrom,
requestBody: {
raw: encodedMessage,
},
}, function (err, res) {
if (err) {
console.log(err);
} else {
console.log(res);
}
});
jlippold
on 11 Aug 2019
Greetings folks! Doing a little spring cleaning. It looks like someone has posted a solution to this one, so I'm going to go ahead and close it out. If you're still running into issues, please do let us know!
JustinBeckwith
on 8 Jun 2020
Related issues
ACMerriman
路
3Comments
JustinBeckwith
路
3Comments
rainabba
路
4Comments
eduDorus
路
3Comments
joseparoli
路
3Comments