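I'm writing an application (C#/Windows) that takes data from other sources and uses it to keep Google mailing lists and contact information up to date for specific users in my domain. I've gotten to the point where I can read the members of all the Google email groups, so I have the basics down, but now I've hit a roadblock trying to read and update information in a user's defined contacts.
I'm using OAuth2 and have created a service account, and on the domain-wide delegation screen I've added the "auth/contacts" permission to my service account (my application, I think, though I can't now find what that client ID maps to).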

    credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(
        GoogleClientSecrets.FromStream(stream).Secrets,
        new[] { PeopleServiceService.Scope.DirectoryReadonly, PeopleServiceService.Scope.Contacts },
        "[snip]@email-group-updater.iam.gserviceaccount.com", CancellationToken.None);
    var initializer = new BaseClientService.Initializer()
        { HttpClientInitializer = credential, ApplicationName = "UpdateMailGroups" };
    var people_service = new PeopleServiceService(initializer);
    var pc = people_service.People.Connections.List("people/me");
    var x = pc.Execute();

It throws an exception:

    GoogleApiException: The service people has thrown an exception. HttpStatusCode is Forbidden. Request had insufficient authentication scopes.
    Error=Google.Apis.Requests.RequestError
    Request had insufficient authentication scopes. [403]
    Errors [
        Message[Insufficient Permission] Location[ - ] Reason[insufficientPermissions] Domain[global]
    ]
    ErrorResponseContent={
      "error": {
        "code": 403,
        "message": "Request had insufficient authentication scopes.",
        "errors": [
          {
            "message": "Insufficient Permission",
            "domain": "global",
            "reason": "insufficientPermissions"
          }
        ],
        "status": "PERMISSION_DENIED",
        "details": [
          {
            "@type": "type.googleapis.com/google.rpc.ErrorInfo",
            "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
            "domain": "googleapis.com",
            "metadata": {
              "service": "people.googleapis.com",
              "method": "google.people.v1.PeopleService.ListConnections"
            }
          }
        ]
      }
    }

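But I haven't been able to find documentation that says "if you want resource X, you need authentication scope Y".
In this case, what authentication am I missing?

You don't appear to be using the code for a service account.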

    var credential = GoogleCredential.FromFile(PathToServiceAccountKeyFile)
        .CreateScoped(Scopes)
        .CreateWithUser(userToImpersonate);
    var service = new PeopleServiceService(new BaseClientService.Initializer()
        {
            HttpClientInitializer = credential,
            ApplicationName = "Daimto Testing Workspace with service account"
        }
    );

Make sure to set userToImpersonate to the user you want the service account to impersonate.
The scope you need is

    https://www.googleapis.com/auth/contacts

It should be something like this (I'm somewhat guessing at the actual name):

    private static readonly string[] Scopes = {PeopleServiceService.Scope.Contacts};
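
An added example, not code from the question or the answer: it reads the `google.rpc.ErrorInfo` detail of the 403 body posted above to recover the failing method, then checks a token's scopes against the scopes the People API reference lists for that method. The class and helper names are hypothetical and the `granted` scope list is constructed sample input.

```csharp
using System;
using System.Linq;
using System.Text.Json;

static class ScopeErrorDiagnosis
{
    // Scopes listed in the People API reference for people.connections.list
    // (any one of them is accepted).
    static readonly string[] ListConnectionsScopes = {
        "https://www.googleapis.com/auth/contacts",
        "https://www.googleapis.com/auth/contacts.readonly"
    };

    // Returns the ErrorInfo entry of a Google API error body, or null if absent.
    static JsonElement? FindErrorInfo(string body)
    {
        using var doc = JsonDocument.Parse(body);
        if (!doc.RootElement.TryGetProperty("error", out var err) ||
            !err.TryGetProperty("details", out var details) ||
            details.ValueKind != JsonValueKind.Array) return null;
        foreach (var d in details.EnumerateArray())
            if (d.TryGetProperty("@type", out var t) &&
                t.GetString() == "type.googleapis.com/google.rpc.ErrorInfo")
                return d.Clone(); // Clone so the element outlives the JsonDocument
        return null;
    }

    static void Main()
    {
        // Error body from the question, reduced to the fields used here.
        const string body = @"{ ""error"": { ""code"": 403, ""status"": ""PERMISSION_DENIED"",
          ""details"": [ { ""@type"": ""type.googleapis.com/google.rpc.ErrorInfo"",
            ""reason"": ""ACCESS_TOKEN_SCOPE_INSUFFICIENT"",
            ""metadata"": { ""service"": ""people.googleapis.com"",
              ""method"": ""google.people.v1.PeopleService.ListConnections"" } } ] } }";
        // Constructed sample: scopes carried by the token that was rejected.
        var granted = new[] { "https://www.googleapis.com/auth/admin.directory.group.readonly" };

        var info = FindErrorInfo(body);
        if (info is null) { Console.WriteLine("No ErrorInfo detail in response."); return; }
        var reason = info.Value.GetProperty("reason").GetString();
        var method = info.Value.GetProperty("metadata").GetProperty("method").GetString();
        Console.WriteLine($"{method}: {reason}");
        if (reason == "ACCESS_TOKEN_SCOPE_INSUFFICIENT" &&
            !granted.Intersect(ListConnectionsScopes).Any())
            Console.WriteLine("Token lacks every accepted scope; request one of: " +
                              string.Join(", ", ListConnectionsScopes));
    }
}
```

For a live token, the granted scopes can be read from the `scope` field returned by Google's `https://oauth2.googleapis.com/tokeninfo` endpoint.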