Using Json for Google domain wide delegation was one of the challenging tasks for me. The reason being the Google’s official documentation, as it uses p12 file to access service account.
After digging into a couple of recent versions of GoogleCredentials API, I figured out a method that allows us to access G-suite using service accounts.
How To: Authorize using Json for Google Domain wide Delegation
Unlike the credential generation using p12 file, json credentials doesn’t require the service account email. That is because the json itself has much more information about the G Suite account.
In order to build GoogleCredentials using json, you would be required two things. One is itself the json, second is the email address of a user with admin privileges.
Before proceeding forward with the implementation, do make sure that you have authorized your Google project for the domain-wide access of your organization.
Lets see how we can do it in two simple steps!
Installing Dependencies
Google’s dependency version 1.26.0 had an update that started supporting delegating a user using a json file. First, we need to make sure that all our dependencies are on at least 1.26.0 version, and are compatible with eachother.
Lets add the following dependencies in our maven project.
<!-- G Suite Admin SDK // Begins here--> <dependency> <groupId>com.google.apis</groupId> <artifactId>google-api-services-admin-directory</artifactId> <version>directory_v1-rev118-1.25.0</version> </dependency> <!-- G Suite Admin SDK // Ends here --> <dependency> <groupId>com.google.api-client</groupId> <artifactId>google-api-client</artifactId> <version>1.26.0</version> </dependency> <dependency> <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client-jetty</artifactId> <version>1.26.0</version> </dependency> <dependency> <groupId>com.google.http-client</groupId> <artifactId>google-http-client-jackson</artifactId> <version>1.26.0</version> </dependency>
Building Credentials
Once the dependencies are added, all we need to do is use the GoogleCredential builder with fromStream method. In addition to that, we need to provide scopes and the delegated users email (preferably admin).
And ta-da! We’re done
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential; import com.google.api.client.http.javanet.NetHttpTransport; import com.google.api.client.json.jackson.JacksonFactory; import com.google.api.services.admin.directory.Directory; import com.google.api.services.admin.directory.DirectoryScopes; import java.io.FileInputStream; import java.io.IOException; import java.util.Collections; public class GSuiteWithJson { /** * Creates an authorized Credential object. * @param credentials The location of json credentials file generated * from developers console for service account. * @param userEmail The email address of the user (with admin privileges) * that needs to access the G-Suite account for the * organization. * @return An authorized Credential object. * @throws IOException If the credentials.json file cannot be found. */ public Directory getDirectoryService(String credentials, String userEmail) throws IOException { return new Directory .Builder(new NetHttpTransport(), new JacksonFactory(), GoogleCredential .fromStream(new FileInputStream(credentials)) .createScoped(Collections.singletonList(DirectoryScopes.ADMIN_DIRECTORY_USER)) .createDelegated(userEmail) .toBuilder().build()) .setApplicationName("G-Suite Json") .build(); } }
I have been trying for using Json for Google Domain wide Delegation and couldn’t find anything too helpful over the internet. So I just though about documenting this for you!
If this helped you out in any way, please like my Facebook page or follow my Twitter handle!
Feel free to drop any questions or feedback in the comments below!
David S. says
Thank you! I had been struggling with Google documentation myself, and your example really helped me. It’s also short, succinct, and clean!