  1. I'm trying to get a list of users in a Google test domain.
  2. Using PowerShell and PSGSuite. I'm trying to work through the process.

I've created a project, added the Admin API, and enabled the following scopes (the ones in the code) in the OAuth2 consent form. When called, it does pop up a web page asking for the account and for agreement to a wide set of permissions (but doesn't ask again once done, unless a scope is changed):

Import-Module -Name PSGSuite
# -- Removed config line

$Scopes = "https://www.googleapis.com/auth/cloud-platform,
    https://www.googleapis.com/auth/admin.directory.user,
    https://www.googleapis.com/auth/admin.directory.user.readonly,
    https://apps-apis.google.com/a/feeds/emailsettings/2.0/,
    https://mail.google.com/,
    https://www.google.com/m8/feeds/contacts,
    https://www.googleapis.com/auth/admin.directory.group,
    https://www.googleapis.com/auth/admin.directory.resource.calendar,
    https://www.googleapis.com/auth/admin.directory.rolemanagement,
    https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
    https://www.googleapis.com/auth/admin.directory.user,
    https://www.googleapis.com/auth/admin.directory.user.readonly,
    https://www.googleapis.com/auth/admin.directory.user.security,
    https://www.googleapis.com/auth/admin.directory.userschema,
    https://www.googleapis.com/auth/admin.reports.audit.readonly,
    https://www.googleapis.com/auth/admin.reports.usage.readonly,
    https://www.googleapis.com/auth/apps.groups.settings,
    https://www.googleapis.com/auth/gmail.settings.basic,
    https://www.googleapis.com/auth/gmail.settings.sharing,
    https://www.googleapis.com/auth/plus.login,
    https://www.googleapis.com/auth/plus.me,
    https://www.googleapis.com/auth/tasks,
    https://www.googleapis.com/auth/tasks.readonly,
    https://www.googleapis.com/auth/userinfo.email,
    https://www.googleapis.com/auth/userinfo.profile"

$Token = Get-GSToken -Scopes $Scopes -AdminEmail "Removed"
Write-Host "$($Token)"
Get-GSUser -Filter *

The permissions are probably more than I need, but I get a return token that, when I post it to here:

https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=

returns:

{
  "issued_to": "Removed both were same and correct for app",
  "audience": "Removed both were same and correct for app",
  "scope": "https://mail.google.com https://www.google.com/m8/feeds https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/gmail.settings.basic https://www.googleapis.com/auth/gmail.settings.sharing https://www.googleapis.com/auth/tasks https://www.googleapis.com/auth/tasks.readonly",
  "expires_in": 3549,
  "access_type": "offline"
}

showing that my desired scope of permissions is not what I got.

The final command returns an error: Get-GSUser : Exception calling "Execute" with "0" argument(s): "Error:"unauthorized_client", Description:"Unauthorized", Uri:"""

Any thoughts on why the permissions are missing? Maybe I missed a button somewhere.

  • revoke the user's access and request it again Commented Sep 15, 2024 at 14:41
  • something like this? developers.google.com/admin-sdk/directory/reference/rest/v1/… Commented Sep 15, 2024 at 14:54
  • more like this developers.google.com/identity/protocols/oauth2/… Commented Sep 15, 2024 at 16:13
  • same outcome. I've been able to completely reproduce; here are the general steps: 1. Create Project 2. console.cloud.google.com/apis/dashboard?project=<yourproject> Enable Admin SDK API, set OAuth consent screen including the permissions (I named them the same) 3. Create OAuth 2.0 Client ID - I used the same name, generated the JSON file, and downloaded it. I used this as the configuration for PSGSuite. 4. Google Admin -> Security -> API Controls -> Domain-wide Delegation: added app with client ID from the credentials (not the app name but the client ID) and added the same permissions. Test Commented Sep 16, 2024 at 13:54
  • I'm getting a different error though, ``` Errors [ Message[Insufficient Permission] Location[ - ] Reason[insufficientPermissions] Domain[global] ] ``` which with permissions returned makes sense, but not why I don't get the permissions. Commented Sep 16, 2024 at 13:57
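
One way to make the mismatch described in the question explicit, as an added example that is not part of the original post or of PSGSuite: it diffs the requested scopes against the `scope` field of a tokeninfo response, so both missing and broader-than-requested grants show up. `ConvertTo-ScopeList` and `Compare-GrantedScope` are hypothetical helper names, the requested list is a shortened copy of the one in the question, and treating a trailing slash as insignificant is an assumption.

```powershell
# Added example (not from the original post or PSGSuite); helper names are hypothetical.
function ConvertTo-ScopeList {
    param([string[]]$Scopes)
    # Accept an array or one string separated by commas, spaces or newlines.
    # Assumption: a trailing slash is not significant when comparing scope URLs.
    ($Scopes -join ' ') -split '[,\s]+' |
        ForEach-Object { $_.Trim().TrimEnd('/') } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

function Compare-GrantedScope {
    param(
        [Parameter(Mandatory)][string[]]$Requested,
        [Parameter(Mandatory)][string]$TokenInfoJson
    )
    $info = $TokenInfoJson | ConvertFrom-Json
    $want = @(ConvertTo-ScopeList -Scopes $Requested)
    $have = @(ConvertTo-ScopeList -Scopes $info.scope)   # tokeninfo separates scopes with spaces
    [pscustomobject]@{
        Granted    = @($want | Where-Object { $_ -in $have })
        Missing    = @($want | Where-Object { $_ -notin $have })   # asked for, not in the token
        Unexpected = @($have | Where-Object { $_ -notin $want })   # in the token, never asked for
    }
}

# Shortened copy of the scope list requested in the question.
$requested = @'
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://mail.google.com/,
https://www.googleapis.com/auth/gmail.settings.basic,
https://www.googleapis.com/auth/tasks
'@

# tokeninfo response from the question; the redacted client id is a placeholder.
$tokenInfoJson = @'
{
  "issued_to": "CLIENT_ID_PLACEHOLDER",
  "audience": "CLIENT_ID_PLACEHOLDER",
  "scope": "https://mail.google.com https://www.google.com/m8/feeds https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/gmail.settings.basic https://www.googleapis.com/auth/gmail.settings.sharing https://www.googleapis.com/auth/tasks https://www.googleapis.com/auth/tasks.readonly",
  "expires_in": 3549,
  "access_type": "offline"
}
'@

$result = Compare-GrantedScope -Requested $requested -TokenInfoJson $tokenInfoJson
$result | Format-List
if ($result.Missing.Count) { Write-Warning "Token is missing requested scope(s): $($result.Missing -join ', ')" }
```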
