Service account/impersonate support for Google Classroom cmdlets

[Logan Arias]

OK, this is going to be somewhat long.

My school has two domains, lawrence.k12.ma.us, and students.lawrence.k12.ma.us

One is the staff one, the other is the student one

Both are white-listed for each other, and i have a domain admin account on each one

I am able to create provisioned course

I can also add and remove Teachers to any courses, as long as they are in the same domain.

Adding Student from another domain is where I'm having problems with.

I am unable to use the New-GClassroomStudent cmdlet to directly add a student into a course while using GAuthID to us my domain admin account in Lawrence nor studnets.lawrence. domain

( also tried by hand via https://developers.google.com/classroom/reference/rest/v1/courses.students/create , it just give me a 403 error about "The caller does not have permission")

the closest I've gotten to adding student is by adding myself as a teacher to the course, send student invite for student that is missing from the course, then remove myself as a teacher.

I am unable to accept the invite or look it up as my domain admin under the students domain admin account when using GAuthId

I am able to look up and accept the invite via https://developers.google.com/classroom/reference/rest/v1/invitations/accept while logged in as a test student account on my student domain, that the invite was sent to.

So overall I would like to be able to use the -UserId parameter just like in the Drive cmdlets to impersonate the teacher and student accounts, and accept Google Classsroom invites on their behalf.

[Spencer Varney]

Hey Logan,

Sorry for the delayed response. I'll try to take a look at this as soon as I can to see if I can figure something out - Classroom isn't something we utilize much at all, so I'll have to check it out a bit more in detail.

I'll let you know what I find out.

Regards,

Spencer

--
You received this message because you are subscribed to the Google Groups "gshell-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gshell-discus...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Logan Arias]

Thank you.

[Spencer Varney]

Ok, so I'm getting the same issues. According to Google's information what you're trying to do should be working - I set up a similar situation and tried using enrollment codes, and am getting the exact same error. I was looking to see if there were any other people who have run in to and resolved this issue... and sure enough, I found one post on stack overflow. It was you. :)

I'll keep looking in to this to see what I can find out.

Anyone else have any ideas?

[Spencer Varney]

Sorry for the delay! From my testing, it appears that you can't just straight-up add new students if you're not the domain admin for the domain where the students are coming from AND the course, at the same time. I don't know how this would behave in subdomains (we don't have those) but my situation is just like yours, and I now have a workaround.

First, grab the new download, it should be for version 0.10.3. (I was a bit rushed today, so I really hope I didn't screw something up - let me know if I do please!). This allows service accounts to be used with Classroom - I guess that wasn't set up before.

Second, make sure you have the service account set up for your domains with the appropriate scopes (see section 3.E of the Service Account wiki). If you're only creating students, you can add one of the following (as per this documentation):

https://www.googleapis.com/auth/classroom.rosters

https://www.googleapis.com/auth/classroom.profile.emails

https://www.googleapis.com/auth/classroom.profile.photos

Alternately, if you want to give your service account full classroom scopes, as well as Drive, Gmail and Classroom here is a full list already comma separated for you:

https://www.googleapis.com/auth/classroom.courses,https://www.googleapis.com/auth/classroom.rosters,https://www.googleapis.com/auth/classroom.coursework.me,https://www.googleapis.com/auth/classroom.coursework.students,https://www.googleapis.com/auth/classroom.profile.photos,https://www.googleapis.com/auth/classroom.profile.emails,https://mail.google.com/,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/userinfo.email

Third, let's assume you have the Student's full email address in $StudentEmail, the student domain ("students.yourdomain.edu") in $StudentDomain and the course object in $Course. Let's also assume that your primary domain is your employee domain, so you have to use -GAuthId to specify the student domain. You can then add the student enrollment as follows:

New-GClassroomStudent -CourseId $Course.id -StudentBody (New-GClassroomStudentObj -UserId $StudentEmail) -TargetUserEmail $StudentEmail -GAuthId $StudentDomain -EnrollmentCode $Course.EnrollmentCode

Basically, you have to impersonate the student and join the course using the enrollment code. This bypasses the need for the admin to have control over both domains, and doesn't require you to be added as an instructor to do anything.

Try that out, let me know if that helps!

[Logan Arias]

Thank you again, I'm going to try this weekend on a Google Classroom that one of our staff is have issues with.

[Logan Arias]

Thank you, the modified Classroom cmdlets work.