无法使用 Google Admin SDK 创建用户 - 异常 401 Unauthorized

Question

我正在尝试在我的 C# 应用程序中填充用户。但是，我不断收到此异常：

{"Error occurred while sending a direct message or getting the response."}
[DotNetOpenAuth.Messaging.ProtocolException]: {"Error occurred while sending a direct message or getting the response."}
Data: {System.Collections.ListDictionaryInternal}
HelpLink: null
InnerException: {"The remote server returned an error: (401) Unauthorized."}
Message: "Error occurred while sending a direct message or getting the response."
Source: "Google.Apis"
StackTrace: "   at Google.Apis.Requests.ClientServiceRequest`1.Execute() in c:\\code.google.com\\google-api-dotnet-client\\default\\Tools\\BuildRelease\\bin\\Release\\release140\\default\\Src\\GoogleApis\\Apis\\Requests\\ClientServiceRequest.cs:line 88\r\n   at GoogleAccountsPopulation.DirectoryServiceClient.CreateUser(User user) in E:\\GoogleAccountsPopulation\\GoogleAccountsPopulation\\GoogleAccountsPopulation\\DirectoryServiceClient.cs:line 70\r\n   at GoogleAccountsPopulation.frmGoogleAccountsPopulation.btnPopulateAccounts_Click(Object sender, EventArgs e) in E:\\GoogleAccountsPopulation\\GoogleAccountsPopulation\\GoogleAccountsPopulation\\PopulateForm.cs:line 449"
TargetSite: {TResponse Execute()}

正在引发异常就行了：

userServiceClient.CreateUser(user);

这是服务的代码：

DirectoryServiceSpecs userServiceSpecs = new DirectoryServiceSpecs()
{
    CertificateFilePath = Path.GetDirectoryName(Application.ExecutablePath) + "\\Certificates\\" + gappsSchool.CertificateFile,
    PrivateKey = gappsSchool.PrivateKey,
    ServiceAccountId = gappsSchool.ServiceAccountId,
    ServiceAccountUser = gappsSchool.ServiceAccountUser,
    Domain = gappsSchool.EmailDomain,
    ServiceScope = DirectoryService.Scopes.AdminDirectoryUser.GetStringValue()
};
DirectoryServiceClient userServiceClient = new DirectoryServiceClient(userServiceSpecs);

User user = new User();
user.Name = new UserName();
if (userNames.Length > 1)
{
    user.Name.FamilyName = lmsUser.Name.Replace(userNames[0], "").Trim();
    user.Name.GivenName = userNames[0];
}
else
{
    user.Name.FamilyName = "N.A.";
    user.Name.GivenName = userNames[0];
}
user.Name.FullName = lmsUser.Name;
user.Password = lmsUser.Password;
user.PrimaryEmail = lmsUser.EmailAccount + "@" + gappsSchool.EmailDomain;
if (Properties.Settings.Default.LMSPasswardHashAlgorithm.Trim() != string.Empty)
    user.HashFunction = "MD5";

user = userServiceClient.CreateUser(user);
trackEntries.Add(new TrackEntry()
{
    EmailAccount = lmsUser.EmailAccount,
    SchoolName = gappsSchool.Name,
    Status = "Success",
    Error = ""
});
log.Info("Successfully created user \"" + lmsUser.EmailAccount + "\" (" + lmsUser.Id.ToString() + ", " + gappsSchool.Name + ").");  
userServiceClient.CreateUser(user);

Answer 1

授权

在 Google Apps 域中，域管理员可以授予第三方应用程序在域范围内访问其用户数据的权限 - 这称为域范围内的授权。要以这种方式委派权限，域管理员可以使用具有 OAuth 2.0 的服务帐户。

这是scopes available in Directory API的列表。

要使用 OAuth 2.0 请求访问权限，您的应用程序需要范围信息，以及 Google 在您注册应用程序时提供的信息（例如客户端 ID 和客户端密码）。

尝试检查您的perform Google Apps Domain-Wide delegation of authority。您收到 Exception 401 Unauthorized 可能是因为您的服务帐户无权创建用户（使用了错误的范围或未添加要使用的范围），来自 Emily's answer - 您必须模拟 管理员帐户（注意：只有管理员才能创建用户）。