0

Technology required : C#

Description : I am working to create workflow in application such that website will ask for Google Authentication with user consent screen, and once it is authorized by domain administrator, website will have access to all users under that domain and also access to drive and team drive data.

Attempted ways to authenticate :

  1. Created Service Account user, provided necessary rights for Google Scopes to that user from admin.google.com
  2. Created Super admin user, assigned it Role of Service Account Actor with Service Account created in #1.

Code used with ServiceAccountCredential object

ServiceAccountCredential credential = new ServiceAccountCredential(
                    new ServiceAccountCredential.Initializer("Service_Account_Email")
{
    Scopes = SCOPES,
    User = ADMIN_EMAIL,
}.FromPrivateKey("PRIVATE_KEY"));

With the use of ServiceAccountCredential object, I am able to list domain users, as well as drive details, as required. The only problem is that for that I need client to create service account and authentication steps mentioned in #1, and also ask for credentials ( Service account email, private key, admin email ), which I don't want to.

I have tried to authenticate with admin user (#2), which have Service Account Actor Role with user consent screen with below code.

GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer
{
    ClientSecrets = new ClientSecrets
    {
        ClientId = Constants.GoogleClientId,
        ClientSecret = Constants.GoogleClientSecret
    },
    Scopes = Constants.GoogleScopes
    //,DataStore = new FileDataStore("Drive.Api.Auth.Store")
});

UserCredential credential = new UserCredential(flow, email, response);

var service1 = new DriveService(new BaseClientService.Initializer()
{
    HttpClientInitializer = credential,
    ApplicationName = "Drive API Service Account Sample",
});

With the above code "service1.Teamdrives.List().Execute();" always results Team drives available with the admin user I am authenticated with, though I am passing different email in UserCredential object.

I need help here, I need to be able to manipulate all user's drive data without any user intervention once authenticated by admin user ( Service Account Actor )

Any help would be much appreciated.

Thanks

4

1 回答 1

0

AFAIK,在将域范围的权限委派给所使用的服务帐户 UserCredential时,应该是域的成员。注意文档中的警告,

服务帐户只能用于执行委托,其中有效身份是域中单个用户的身份。此外,服务帐户可能不会获得额外的存储配额,也不会充当域的成员。

您可能需要尝试以下步骤来授予访问权限(需要具有服务和应用管理员角色的帐户):

  • 登录 Google 管理员并转到应用程序 -> G Suite -> 云端硬盘和文档 -> 共享设置子菜单,然后从共享选项中选择开启
  • 单击“管理团队云端硬盘”子菜单,然后单击您要授予访问权限的团队云端硬盘
  • 成员访问弹出窗口中单击添加成员
  • 输入服务帐户帐户 ID(电子邮件),选择访问级别(我选择完整),检查跳过发送通知并单击发送

有关其他见解,请参阅这些 SO 帖子和教程:

于 2017-06-17T10:46:30.767 回答