
do6bg (do6bg) asked a question.
Hoping someone can help on this. I'm trying to use the Gmail connector to run a custom API call to list the forwarding addresses of users in my workspace.
I have created a GCP project and added a service account, also adding the scopes in the admin portal of GWS.
However, whenever I run the API call, I get the error:
"body": {
  "error": {
    "code": 403,
    "message": "Delegation denied for {my service account}",
    "errors": [
      {
        "message": "Delegation denied for {my service account}",
        "domain": "global",
        "reason": "forbidden"
      }
    ],
    "status": "PERMISSION_DENIED"
  }
}
The API call I am trying to run is:
/v1/users/usersemail%40domain.com/settings/forwardingAddresses
Any help would be appreciated.

Hi @do6bg (do6bg), Thank you for reaching out to the Okta Community!
The following article might be of help to you:
https://support.okta.com/help/s/article/How-to-setup-the-Transfer-of-Ownership-Features-for-the-Workflows-Gmail-connector?language=en_US
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
@do6bg (do6bg) - Google "Delegation" features are exceptionally difficult to work with, as they require domain-wide delegation to be set up/configured and a very specific auth process to be performed (it isn't simple OAuth). Authenticating to Workspace, or even authenticating to GCP, is not enough. Both of the systems have to be tied together through a convoluted/challenging process. I suspect if you attempt to utilize Google's OAuth Playground you will likely also run into problems with your use case.
https://developers.google.com/oauthplayground/
The link Mihai provided is a basic guide that was constructed based off of Google's documentation. This is a pre-req to even attempting to use Google's domain-wide delegation feature with any API client. The only Workflows portion of it is the last three steps, which are to make a flow with a card that supports the "Delegation" features; if you set it up correctly, it can gain the required auth.
Since you are now aware how complex this process is, Support can provide you an as-is proof of concept of a way you can get this working leveraging Workflows. You will need to open a support ticket and request it so they can provide some caveats/explanation of usage, as it is not simple.
Thanks both.
Tim, I will reach out to support to see if they can help. The weird thing is, I have managed to create the connection and other cards work fine; for example, I can successfully set up delegation and email forwarding with the built-in cards. It's just this specific custom API that gives me this error. This is the endpoint I'm trying to call:
GET https://gmail.googleapis.com/gmail/v1/users/{userId}/settings/forwardingAddresses
I am also having this same issue. Have you found any resolution for it?
@EmilyC.42390 (Customer) - There isn't an issue on the Workflows side. Accounts and permissions must be set up on the Google side correctly for them to authorize access to specific endpoints. The documentation link that was provided previously contains instructions on how to perform the basic minimum requirements of setup:
https://support.okta.com/help/s/article/How-to-setup-the-Transfer-of-Ownership-Features-for-the-Workflows-Gmail-connector?language=en_US
Any other Google-based setup beyond this is outside the scope of Okta. You would need to work with Google if you want to fine-tune your GCP / Google Workspace permissions / settings.
Yahyaa, did you ever figure out how to get domain-wide delegation APIs working?
I ended up submitting a ticket for this to Okta support. They said the CAPIA (custom API action card) doesn't work with the domain-wide delegation for listing forwarding addresses. It requires a JWT token to be hard-coded in the flow to use with the CAPIA. They provided me a sample flow I'll attach here for getting the JWT token from the Google API.
googleDomainWideDelegationApis (1)
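
The last reply says the custom API card needs a JWT obtained from Google for domain-wide delegation. As an added illustration (not the sample flow from Okta support and not part of the original thread), this builds the kind of service-account assertion Google's OAuth 2.0 server-to-server flow expects, with `sub` naming the mailbox owner whose settings are read. The scope, the ten-minute lifetime and the throwaway RSA key made from two well-known primes are assumptions so the block runs offline; a real flow signs with the service account's private key held in a secret store, not hard-coded.

```python
import base64, hashlib, json, time
from urllib.parse import urlencode

TOKEN_URL = "https://oauth2.googleapis.com/token"
# Assumption: narrowest scope that covers listing forwarding addresses.
SCOPE = "https://www.googleapis.com/auth/gmail.settings.basic"
# ASN.1 DigestInfo prefix for SHA-256 (PKCS#1 v1.5, RFC 8017).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed toy key from two well-known primes so the block runs offline.
# NOT secure: real deployments sign with the service account's private key.
P, Q, E = 2**255 - 19, 2**256 - 2**32 - 977, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def encoded_message(data: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def build_assertion(service_account: str, user: str, now: int) -> str:
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": service_account,  # client email of the service account
        "sub": user,             # Workspace user being impersonated
        "scope": SCOPE,          # must also be authorised in the admin console
        "aud": TOKEN_URL,
        "iat": now,
        "exp": now + 600,        # keep short; Google allows at most one hour
    }
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    k = (N.bit_length() + 7) // 8
    sig = pow(encoded_message(signing_input.encode(), k), D, N)
    return signing_input + "." + b64url(sig.to_bytes(k, "big"))

def token_request_body(assertion: str) -> str:
    """Form body to POST to TOKEN_URL; the response carries the access token."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": assertion,
    })

if __name__ == "__main__":
    jwt = build_assertion("sa@example-project.iam.gserviceaccount.com",
                          "user@example.com", int(time.time()))
    print(token_request_body(jwt)[:80] + "...")
```

The access token returned for this assertion is tied to the user in `sub`, so it is used against that same user's `/settings/forwardingAddresses` path.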