Cannot get authenticated by Directory API


東久世高義

Jul 21, 2015, 1:20:10 AM
to google-a...@googlegroups.com
[What we asked]
   How can we get authenticated by the Directory API?

[What is confusing us]
  When we use the Directory API from Google Apps to get account information,
  only Company A cannot get the information; the others are OK.

[What we found]
  When we execute this page, we get error 403
  →result is:
     
403 Forbidden
- Show headers -
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "forbidden",
        "message": "Not Authorized to access this resource/api"
      }
    ],
    "code": 403,
    "message": "Not Authorized to access this resource/api"
  }
}

[The conditions to get authenticated]
   1. The executing account is the administrator of the Gmail domain
   2. GoogleApps Access is checked on at the GoogleApps console
   Company A's account also has the same settings

Patrice (Cloud Platform Support)

Jul 21, 2015, 1:01:39 PM
to google-a...@googlegroups.com, higas...@systemcleis.com
Hi!

I'm not 100% sure I get your issue.

You are from Company B and you're trying to get information from Company A? You'll need to authenticate using OAuth2.

Cheers!

東久世高義

Jul 21, 2015, 9:09:20 PM
to Google App Engine
Thanks for the advice.

We made an application with GAE.
So we can let users use the app from Company A, B, C, ... to Z under their own domains.
And, to use the app, a user must have a Gmail account which is hosted by Google.

We do use OAuth2 to do the authentication.
And the situation is that only Company A cannot access the app.
That is, the company's administrator cannot get authenticated by the Directory API.



On Wednesday, July 22, 2015 at 2:01:39 UTC+9, Patrice (Cloud Platform Support) wrote:

Patrice (Cloud Platform Support)

Jul 22, 2015, 11:28:13 AM
to Google App Engine, higas...@systemcleis.com
Hmm, without knowing the domain or scope or seeing your authenticating code, it is not super easy to help you with this.

I'd suggest trying to figure out what is different for this user's domain and changing that so it matches all your other customers.

Another solution would be to try and post your question on StackOverflow. We do monitor that site and answer questions there, so you will get either us or someone else from the community to help you out. But you'll need to add some details, right now this is not really answerable, as we're lacking details.

Cheers!

東久世高義

Jul 23, 2015, 12:58:55 AM
to Google App Engine, pvout...@google.com
Thanks for the advice.

At first, we found that the user cannot get authenticated as administrator through the code below,
which other companies get through successfully.
*****************************************************************************
   String sessionedDomain = loginPso.getDomain();
   LOGGER.info("change domain: " + sessionedDomain);
   NamespaceManager.set(sessionedDomain);
   if (service.isUserAdmin()) {
       loginPso.setRole(Role.SYSTEM_ADMIN);
       // the license is not checked if the user is the administrator

       // the administrator's profile will be synchronized
       User systemAdmin = userLogic.selectContractor(email);
       if (systemAdmin == null) {
           return null;
       }
       // (the rest of this branch is not shown in the post)
   }

*****************************************************************************
service.isUserAdmin is false even though the user is an administrator.

The method "isUserAdmin" is ↓
*****************************************************************************
boolean com.google.appengine.api.users.UserService.isUserAdmin()

isUserAdmin
boolean isUserAdmin()
Returns true if the user making this request is an admin for this application, false otherwise.
Throws: 
java.lang.IllegalStateException - If the current user is not logged in.
*****************************************************************************


Then we checked the page below and found it cannot be authenticated because of error 403.

So we think maybe this user cannot get authenticated by the Directory API.

Cheers.

On Thursday, July 23, 2015 at 0:28:13 UTC+9, Patrice (Cloud Platform Support) wrote:

Patrice (Cloud Platform Support)

Jul 23, 2015, 2:23:37 PM
to Google App Engine, higas...@systemcleis.com, higas...@systemcleis.com
Hi!

I checked and the only way to get that 403 is if they are not really the admin of the domain that is linked in the request.

This could come from either of two things:

1- they really are not the admin of the domain
2- the domain might have a typo in it but still be a valid domain, where your customer doesn't have the admin rights.

I don't see what else could be causing the issue.

Cheers!

東久世高義

Jul 23, 2015, 9:48:56 PM
to Google App Engine, pvout...@google.com
Thanks for your answer, which strengthened our confidence in the results of our judgment.

But we still do not understand why the user does not have the admin rights,
as they have claimed that they have Privileges admin rights in the GoogleApps of their domain.
And they even showed a hard copy of their settings for this right.
(please look at the attached jpg)

So how can we confirm whether the user really does have the admin rights?

 

On Friday, July 24, 2015 at 3:23:37 UTC+9, Patrice (Cloud Platform Support) wrote:
the admin rights.jpg

Patrice (Cloud Platform Support)

Jul 24, 2015, 2:53:53 PM
to Google App Engine, higas...@systemcleis.com, higas...@systemcleis.com
Hi again

Unfortunately at this point I'd say the system knows if they are or are not an admin on their domain, and looking at the error, it seems like they are not.

If you're convinced that they indeed are the admins, and that the domain is not mistyped, then I would suggest for your customer to contact Google Apps support and see why they are not seen as administrators on their domains.

Cheers!
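
As an added example (not code from the thread or from Google), the following Python triages a Directory API users.get response for the account an app treats as the domain admin, covering the 403 quoted earlier in the thread and the two causes listed in the reply. The sample bodies, the company-a.example domain and the triage function are constructed for illustration; primaryEmail, isAdmin and isDelegatedAdmin are fields of the Directory API user resource.

```python
import json

# Constructed sample bodies (not captured traffic). The 403 mirrors the error
# quoted in the thread; the 200 bodies use the Directory API user fields
# primaryEmail, isAdmin and isDelegatedAdmin.
FORBIDDEN = json.dumps({"error": {"errors": [{"domain": "global",
    "reason": "forbidden", "message": "Not Authorized to access this resource/api"}],
    "code": 403, "message": "Not Authorized to access this resource/api"}})
SUPER_ADMIN = json.dumps({"primaryEmail": "admin@company-a.example",
                          "isAdmin": True, "isDelegatedAdmin": False})
DELEGATED = json.dumps({"primaryEmail": "ops@company-a.example",
                        "isAdmin": False, "isDelegatedAdmin": True})


def triage(status, body, expected_domain):
    """Classify one users.get response for the account the app treats as admin."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "unparseable"
    if not isinstance(doc, dict):
        return "unparseable"
    if status == 403:
        reasons = {e.get("reason") for e in doc.get("error", {}).get("errors", [])}
        # Per the reply in the thread: the caller is not seen as an admin of
        # the domain named in the request.
        return "caller-not-domain-admin" if "forbidden" in reasons else "other-403"
    if status != 200:
        return "unexpected-status"
    email = doc.get("primaryEmail", "")
    domain = email.rpartition("@")[2].lower()
    if domain != expected_domain.strip().lower():
        # Cause 2 in the thread: a mistyped but still valid domain.
        return "domain-mismatch"
    if doc.get("isAdmin") is True:
        return "super-admin"
    if doc.get("isDelegatedAdmin") is True:
        return "delegated-admin"
    return "not-admin"


if __name__ == "__main__":
    for status, body, dom in [(403, FORBIDDEN, "company-a.example"),
                              (200, SUPER_ADMIN, "company-a.example"),
                              (200, DELEGATED, "company-a.example"),
                              (200, SUPER_ADMIN, "companya.example")]:
        print(status, dom, "->", triage(status, body, dom))
```

The Javadoc quoted earlier in the thread describes isUserAdmin() as reporting admin status for the application, so its result and the domain-level fields checked here answer different questions.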

東久世高義

Jul 26, 2015, 9:07:24 PM
to Google App Engine, pvout...@google.com
We appreciate your answer.

On Saturday, July 25, 2015 at 3:53:53 UTC+9, Patrice (Cloud Platform Support) wrote: