1

I am trying to fetch and update the Users of my domain using Google Admin API.

  private static final JsonFactory JSON_FACTORY = JacksonFactory.getDefaultInstance();
  private static final List<String> SCOPES = Arrays.asList(
      "https://www.googleapis.com/auth/admin.directory.user",
      "https://www.googleapis.com/auth/admin.directory.user.readonly");

  public static void main(String[] args) {
    try {
      HttpTransport httpTransport = new NetHttpTransport();


      GoogleCredential credential =
          new GoogleCredential.Builder()
              .setTransport(httpTransport)
              .setJsonFactory(JSON_FACTORY)
              .setServiceAccountId(
                  "[email protected]")
              .setServiceAccountUser("[email protected]")
              .setServiceAccountScopes(SCOPES)
              .setServiceAccountPrivateKeyFromP12File(
                  new File("C:\\privatekey.p12")).build();

      Directory admin =
          new Directory.Builder(httpTransport, JSON_FACTORY, credential)
              .setApplicationName("User Sync Service")
              .setHttpRequestInitializer(credential).build();

      Directory.Users.List list = admin.users().list();
      Users users = list.execute();
      System.out.println("************");
    } catch (Exception e) {
      e.printStackTrace();
    }
  }

From my Google Console

enter image description here enter image description here

  1. API Access is enabled from my Security panel
  2. ServiceAccountUser is Super Admin.

But I am still getting this error

com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request
{
  "error" : "access_denied"
}
    at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105)
    at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:287)
    at com.google.api.client.auth.oauth2.TokenRequest.execute(TokenRequest.java:307)
    at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.executeRefreshToken(GoogleCredential.java:269)
    at com.google.api.client.auth.oauth2.Credential.refreshToken(Credential.java:489)
    at com.google.api.client.auth.oauth2.Credential.intercept(Credential.java:217)
    at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:858)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:410)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:343)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:460)

Update: Screenshot from ManageOath

enter image description here

Improve this question
4
  • Were you able to get a solution for this? I am kind of in the same situation Commented Oct 1, 2013 at 14:42
  • @user1076371, yes. I can help you with this since Google Doc is quite misleading Commented Oct 3, 2013 at 5:24
  • can you post how you fixed the problem? Thanks! Commented Oct 7, 2013 at 3:33
  • It's bit hard to say. But Can you post screenshot from Oauth Token Screen? Commented Oct 7, 2013 at 11:59

3 Answers 3

Reset to default
3

It looks like the documentation is somewhat ambiguous about customer and domain. One or the other must be specified. You can set the customer attribute when using the list() function. It should be set to the customer's ID (a unique, random looking string) or, if you're authenticating as an admin already in the Google Apps instance, you can just specify exactly customer=my_customer. Alternatively, you can specify domain=example.com where example.com is a primary or secondary domain in the Google Apps instance. When specifiying a domain, only users who have a primary (home) address in that domain will be returned in the results. When specifying customer, all users in the Google Apps instance will be returned.

You can confirm this using the Google API Explorer. Leaving customer blank always results in an error. However, putting my_customer for customer attribute should fix it.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Still I am getting same error. Tried with setDomain and setCustomer.
Google API Explorer is also throwing error even if i fill Customer and domain or individually both details
@JayLee u there i need one help on this issue
1

You need to specify either the domain or the customer parameter:

Directory.Users.List list = admin.users().list()
   .setDomain("<target_domain>");

// or

Directory.Users.List list = admin.users().list()
   .setCustomer("<target_customer_id>");

I filed a bug to update the docs to make it clear that at least one of those two parameters is required.

Improve this answer

1 Comment

Still I am getting same error. Tried with setDomain and setCustomer.
0

Proceed to https://admin.google.com/yourdomain/ManageOauthClients and check that those scopes are added for your xxxxxxxxxxxxxxxxxx.apps.googleusercontent.com service account id.

Improve this answer

5 Comments

It's already there. and I updated the original post with screenshot too
What happens if you just drop setApplicationName("User Sync Service") and setHttpRequestInitializer(credential)?
Sorry, your code looks good to me. Other than it, it could be the privatekey file...
I deleted exisiting service account and created new one. Still same error
I tried this developers.google.com/admin-sdk/directory/v1/reference/users/… by giving my email address, it eventually pulled the user without a issue

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.