DEVHIDE
Login Or Sign up

Problems authenticating Service Account for google reseller api using the nodejs library

1.1k Views Asked by At

I am trying to access the google reseller api using the nodejs library, which has very shi..., I mean spotty documentation. I tried following the example here, but I fail at step 3 with this error:

  code: 403,
  errors: [
    {
      domain: 'global',
      reason: 'insufficientPermissions',
      message: 'Authenticated user is not authorized to perform this action.'
    }
  ]

My configuration looks like this:

    const OAUTH2_SCOPES = [
      "https://www.googleapis.com/auth/admin.directory.user",
      "https://www.googleapis.com/auth/apps.order",
      "https://www.googleapis.com/auth/siteverification",
      "https://www.googleapis.com/auth/cloud-platform",
    ];

   const authJWT = new google.auth.JWT({
      keyFile: JSON_PRIVATE_KEY_FILE,
      scopes: OAUTH2_SCOPES,
      subject: RESELLER_ADMIN_USER,
      email: "gsuite-reseller@some-cool-name-because-why-not.iam.gserviceaccount.com",
    });

Using basic google fu, I found this thread, which suggested that my problem has to do with impersonation. So I exchanged the email in the subject property, with my account email, which has the owner rights specified. I also gave the service account owner rights, because at that point I am pretty clueless. This unfortunately only changed the error message to:

status: 401,
statusText: 'Unauthorized'

Does anybody have an idea what goes wrong? The 401 suggests that there are credentials missing. Would I have to also specify my private emails credentials in addition to the ones of the service account? If yes, then where? I did not find any property on the google.auth.JWT.options object which sounded promising.

javascript node.js google-admin-sdk google-reseller-api
Original Q&A
1

There are 1 best solutions below

6
On BEST ANSWER

Why do you need domain-wide delegation?

  • When you use a service account and enable domain-wide delegation, it means that you allow the service account to impesonate the user and act on his behalf
  • If you use a service account without impersonation - the service account can only perform operations to which it is autherized - e.g. it can access files on your Drive or access your Calendar - but only if you explicitly shared those with the service account!
  • To perform requests for which the service account is not authorized, you need to make the service account impersonate a domain user that has the necessary authorization - that is you need to impersonate the user
  • However to impersonate the user, you need to explicitly give the service account the permission to act on behalf of a user - this is called domain-wide delegation
  • Enabling domain-wide delegation will not make "every created user to have to go through manual authorization" or affect any other non-service account related behavior
  • the only thing domain-wide delegation does is to allow a service account to represent a user
  • Without enabling domain-wide delegation the impersonaiton of a user will not be authorized and setting a subject will throw you an error

References:

Related Questions in JAVASCRIPT

Related Questions in NODE.JS

Related Questions in GOOGLE-ADMIN-SDK

Related Questions in GOOGLE-RESELLER-API

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.