我是否需要使用G Suite帐户来模拟使用服务帐户的用户?

时间:2017-08-23 20:20:56

标签: java google-api google-drive-api google-oauth

我正在尝试向Drive API发送请求,使用服务帐户模拟用户,但我收到TokenResponseException: 401 Unauthorized例外。

我已按照https://developers.google.com/identity/protocols/OAuth2ServiceAccount中描述的内容:

然后,在我的代码中:

File p12 = new File("p12FileFromDevelopersConsole.p12");
HttpTransport transport = GoogleNetHttpTransport.newTrustedTransport();
JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();

GoogleCredential c = new GoogleCredential.Builder()
    .setTransport(transport)
    .setJsonFactory(jsonFactory)
    .setServiceAccountId("MY_ID@MY-ID.iam.gserviceaccount.com")
    .setServiceAccountUser("test@gmail.com")
    .setServiceAccountScopes(Arrays.asList(DriveScopes.DRIVE, DriveScopes.DRIVE_APPDATA, DriveScopes.DRIVE_FILE, DriveScopes.DRIVE_METADATA_READONLY))
    .setServiceAccountPrivateKeyFromP12File(p12)
    .build();

List<com.google.api.services.drive.model.File> files = drive.files()
    .list()
    .setSpaces("drive")
    .setFields("nextPageToken, files(id, name, webViewLink)")
    .setPageSize(10)
    .execute() // < --- exception is thrown here
    .getFiles();

for(com.google.api.services.drive.model.File f : files) {
    System.out.println(f.getName());
}

堆栈跟踪是:

com.google.api.client.auth.oauth2.TokenResponseException: 401 Unauthorized
    at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105)
    at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:287)
    at com.google.api.client.auth.oauth2.TokenRequest.execute(TokenRequest.java:307)
    at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.executeRefreshToken(GoogleCredential.java:384)
    at com.google.api.client.auth.oauth2.Credential.refreshToken(Credential.java:489)
    at com.google.api.client.auth.oauth2.Credential.intercept(Credential.java:217)
    at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:868)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:419)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:352)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:469)

我注意到,如果我注释掉.setServiceAccountUser("test@gmail.com")行,我就可以执行代码并在System.out.println中打印“使用入门”。

我看过很多关于这个问题的帖子,但没有一个具体的解决方案。然后,我查看了上面引用的文档,它多次说G Suite,然后我意识到这些请求可能只适用于G Suite帐户。我对吗?如果没有,我该如何使其发挥作用?

1 个答案:

答案 0 :(得分:1)

是的,服务帐户的域范围委派仅适用于GSuite用户,因为GSuite管理员必须授予服务帐户域范围的权限 - 请参阅此处的步骤4:https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority

考虑使用常规OAuth(https://developers.google.com/identity/protocols/OAuth2WebServer)从您的Gmail帐户授予对您的网络应用的访问权限。

相关问题
最新问题