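I am trying to build a G Suite/Workspace store app that allows organisations to update their employees' signatures. I've run into some complications - I feel the Google API documentation doesn't really do the job.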

Goal

When an organisation's admin authenticates their Google account, we want to update one of the domain's email signatures.

Attempt 1 - Using the admin token

from googleapiclient.discovery import build
from google_auth_oauthlib.flow import InstalledAppFlow
from google.oauth2.credentials import Credentials
from google.auth import impersonated_credentials

SCOPES_USER = [
    'https://www.googleapis.com/auth/gmail.settings.basic',
    'https://www.googleapis.com/auth/gmail.settings.sharing',
]

email = 'user_email@without_admin.access'

# creds: the admin's OAuth credentials (obtained elsewhere; not shown here)
service = build(
    'admin', 'directory_v1', credentials=creds)

users = (
    service.users().
    list(customer='my_customer', maxResults=100).
    execute()['users'])
   
for user in users:
    if user['primaryEmail'] == email:
        user_id = user['id']
        email = user['primaryEmail']

service = build('gmail', 'v1', credentials=creds)

# Here it fails
service.users().settings().sendAs().\
    patch(userId=user_id,
          sendAsEmail=email,
          body=dict(signature='Awesome Signature')).execute()

The error is as follows:

googleapiclient.errors.HttpError: <HttpError 403 when requesting https://gmail.googleapis.com/gmail/v1/users//settings/sendAs/user_email@without_admin.access?alt=json returned "Delegation denied for admin@email.com". Details: "[{'message': 'Delegation denied for admin@email.com', 'domain': 'global', 'reason': 'forbidden'}]">

Attempt 2 - Using an impersonated token

Exactly the same code, with just one change. I have included the full code sample just for reference.

from googleapiclient.discovery import build
from google_auth_oauthlib.flow import InstalledAppFlow
from google.oauth2.credentials import Credentials
from google.auth import impersonated_credentials

SCOPES_USER = [
    'https://www.googleapis.com/auth/gmail.settings.basic',
    'https://www.googleapis.com/auth/gmail.settings.sharing',
]

email = 'user_email@without_admin.access'

# creds: the admin's OAuth credentials (obtained elsewhere; not shown here)
service = build(
    'admin', 'directory_v1', credentials=creds)

users = (
    service.users().
    list(customer='my_customer', maxResults=100).
    execute()['users'])
   
for user in users:
    if user['primaryEmail'] == email:
        user_id = user['id']
        email = user['primaryEmail']

# This is the only difference.
creds = impersonated_credentials.Credentials(
    source_credentials=creds,
    target_principal=email,
    target_scopes=SCOPES_USER,
    lifetime=500)
   
service = build('gmail', 'v1', credentials=creds)

# Here it fails
service.users().settings().sendAs().\
    patch(userId=user_id,
          sendAsEmail=email,
          body=dict(signature='Awesome Signature')).execute()

The result is as follows:

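google.auth.exceptions.RefreshError: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n "error": {\n "code": 403,\n "message": "Request had insufficient authentication scopes.",\n "status": "PERMISSION_DENIED"\n }\n}\n')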

Background information - how the key was authorised (might not be relevant)

The admin scopes were collected using

SCOPES_ADMIN = [
    'https://www.googleapis.com/auth/gmail.readonly',
    'https://www.googleapis.com/auth/gmail.settings.basic',
    'https://www.googleapis.com/auth/gmail.settings.sharing',
    'https://www.googleapis.com/auth/admin.directory.user',
    'https://www.googleapis.com/auth/admin.directory.customer',
    'https://www.googleapis.com/auth/admin.directory.group',
    'https://www.googleapis.com/auth/admin.directory.orgunit',
    'https://www.googleapis.com/auth/admin.directory.user',
    'https://www.googleapis.com/auth/admin.directory.user.alias',
]
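Added example, not part of the original question and not Google's sample code: the usual way to change another user's signature is a service account with domain-wide delegation, requesting a token with the target user as subject. Neither the admin's own token nor `impersonated_credentials` does this, since the latter impersonates Cloud service accounts through IAM rather than Workspace users. The key file path, the helper names, and the Admin console authorisation of the scopes for the service account's client ID are assumptions.

```python
# Added example; not the asker's code. Assumes a service account whose client
# ID an admin has authorised for SCOPES_USER under domain-wide delegation.
SCOPES_USER = [
    'https://www.googleapis.com/auth/gmail.settings.basic',
    'https://www.googleapis.com/auth/gmail.settings.sharing',
]


def delegated_gmail(key_file, user_email):
    """Gmail client acting as user_email (key_file: hypothetical JSON key path)."""
    # Imported lazily so signature_patch_args() works without the Google SDK.
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    # subject= puts the user in the token request, so the token is the user's.
    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=SCOPES_USER, subject=user_email)
    return build('gmail', 'v1', credentials=creds)


def signature_patch_args(user_email, signature_html):
    """Arguments for users.settings.sendAs.patch on the user's primary address."""
    if user_email.count('@') != 1:
        raise ValueError('expected a full email address: %r' % user_email)
    # userId is 'me': the delegated token already belongs to that user.
    return {'userId': 'me', 'sendAsEmail': user_email,
            'body': {'signature': signature_html}}


def update_signatures(key_file, emails, signature_html):
    """Patch each user's signature; return {email: error text} for failures."""
    from google.auth.exceptions import RefreshError
    from googleapiclient.errors import HttpError

    failures = {}
    for email in emails:
        try:
            gmail = delegated_gmail(key_file, email)
            gmail.users().settings().sendAs().patch(
                **signature_patch_args(email, signature_html)).execute()
        except (RefreshError, HttpError) as exc:
            # RefreshError: delegation or scope not authorised for the client.
            failures[email] = str(exc)
    return failures
```

Granting the service account only the two `gmail.settings` scopes keeps the delegated tokens from reading mail, and the returned failures map shows which users the delegation did not cover.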