0

I'm trying to access the Google Directory using a Service Account. I've fiddled with the DriveService example to get this code:

public static void Main(string[] args)
{
    var service = BuildDirectoryService();

    var results = service.Orgunits.List(customerID).Execute();
    Console.WriteLine("OrgUnits");
    foreach (var orgUnit in results.OrganizationUnits)
    {
        Console.WriteLine(orgUnit.Name);
    }

    Console.ReadKey();
}

static DirectoryService BuildDirectoryService() 
{
    X509Certificate2 certificate = new X509Certificate2(SERVICE_ACCOUNT_PKCS12_FILE_PATH, "notasecret",
        X509KeyStorageFlags.Exportable);

    var provider = new AssertionFlowClient(GoogleAuthenticationServer.Description, certificate)
    {
        ServiceAccountId = SERVICE_ACCOUNT_EMAIL,
        Scope = DirectoryService.Scopes.AdminDirectoryOrgunit.GetStringValue()
    };

    var auth = new OAuth2Authenticator<AssertionFlowClient>(provider, AssertionFlowClient.GetState);

    return new DirectoryService(new BaseClientService.Initializer()
    {
        Authenticator = auth,
        ApplicationName = "TestProject1",
    });
}

When I run it, I get 

ArgumentException: Precondition failed.: !string.IsNullOrEmpty(authorization.RefreshToken)

I'm going round in circles in the Google documentation. The only stuff I can find about RefreshTokens seems to be for when an individual is authorizing the app and the app may need to work offline. Can anyone help out or point me in the direction of the documentation that will, please.

4

2 回答 2

0

服务帐户授权实际上不返回刷新令牌 - 所以这个错误是有道理的。你知道这是从哪里来的吗?

我对 .NET 客户端库不太熟悉,但拥有完整的错误跟踪会有所帮助。

作为一个远景 - 该错误可能是一个严重的错误 -

  • 您能否确认您已在 API 控制台中为此项目启用了 Admin SDK
  • 您能否确认您已将您正在测试的域中的服务帐户的客户端 ID 列入白名单(以及 Admin SDK 范围)
于 2013-10-11T19:02:40.383 回答
0

如果您将提供程序块替换为:

var provider = new AssertionFlowClient(GoogleAuthenticationServer.Description, certificate)
{
    ServiceAccountId = SERVICE_ACCOUNT_EMAIL,
    Scope = DirectoryService.Scopes.AdminDirectoryOrgunit.GetStringValue(),
    ServiceAccountUser = SERVICE_ACCOUNT_USER //"my.admin.account@my.domain.com"
};

我在另一篇文章中看到了这一点,并使用我的标准用户帐户进行了尝试,但没有成功。然后我读到一些建议一切都必须使用管理员帐户完成的内容。因此,我使用我的管理员帐户创建了一个全新的项目,包括创建一个新的服务帐户并对其进行授权。当我尝试它时,它起作用了。因此,然后我将旧的服务帐户详细信息放回原处,但保留了管理员帐户。这也有效。

于 2013-10-12T05:27:59.077 回答