google-api-nodejs-client icon indicating copy to clipboard operation
google-api-nodejs-client copied to clipboard

Published 20 hours ago verified publisher icon googleapis

Admin API: groups.list() with a userKey returns 400

Open astanciu opened this issue 4 years ago • 9 comments

Environment details

  • OS: OSX 11.1
  • Node.js version: 15.5.0
  • npm version: 7
  • googleapis version: 67.0.0

Steps to reproduce

Getting a list of all groups using the await directory.groups.list({customer: 'my_customer'}) api works fine.

Trying to get a list of all groups of a specific user, by passing in a userKey, returns 400 bad requeste: await directory.groups.list({customer: 'my_customer', userKey: '[email protected]'})

As a sidenote, using domain instead works fine: await directory.groups.list({domain: 'domain.com', userKey: '[email protected]'})

There is mention of this same issue in the comments of the solution here: https://stackoverflow.com/questions/28015178/pulling-a-users-group-membership-list-in-google-apps

astanciu avatar Feb 12 '21 19:02 astanciu

@astanciu, I don't have an account on which to reproduce the issue, but I just wanted to send these recommendations along to see if they would help:

Verify the following parameters:
customer - Only pass the customerId that was generated by Google into this parameter.. Do not pass the actual customer domain into this parameter.
domain - Only pass the actual customer domain into this parameter. Do not pass the customerId that was generated by Google into this parameter.
Resellers are encouraged to use the customer parameter when calling this method because if a customer has secondary domains, calling users.list with the domain parameter will only return users with email addresses on that particular domain.

Please confirm that you've followed these guidelines; if it still doesn't work, I'll create an account to reproduce the issue.

sofisl avatar Feb 17 '21 21:02 sofisl

@sofisl I ran a few combinations of parameters, below are the results. TL:DR - adding userKey results in a 400:

// ---- without userKey ------
const { data } = await api.groups.list({
  customer: 'C02******',
  domain: 'mydomain.com'
});  // 200 

const { data } = await api.groups.list({
  customer: 'my_customer',
  domain: 'mydomain.com'
});  //200

const { data } = await api.groups.list({
  customer: 'my_customer'
});  // 200


// ---- with useKey  ----
const { data } = await api.groups.list({
  customer: 'C02******',
  domain: 'mydomain.com',
  userKey: '[email protected]'
});  //400

const { data } = await api.groups.list({
  customer: 'my_customer',
  domain: 'mydomain.com',
  userKey: '[email protected]'
}); //400

const { data } = await api.groups.list({
  customer: 'my_customer',
  userKey: '[email protected]'
});  // 400

astanciu avatar Feb 17 '21 21:02 astanciu

Greetings! It sounds like this may be problem with the underlying API itself. Could I trouble you to give this a try using the API explorer? https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups/list

If it reproduces there - then it's not an issue specifically with this library, and we'd need get in front of the team that builds the API itself: https://developers.google.com/admin-sdk/directory/support

JustinBeckwith avatar Mar 26 '21 05:03 JustinBeckwith

I was not able to reproduce by hitting the API through Google's API Explorer. It works fine there.

astanciu avatar Mar 26 '21 12:03 astanciu

That's very surprising. In the API explorer, you're using 3-legged OAuth and identifying as yourself. Is that how you're authenticating in your code?

JustinBeckwith avatar Mar 27 '21 02:03 JustinBeckwith

In API Explorer, I tried it with both:

  • OAuth: worked fine, was able to specifi userKey and did not get 400 error
  • access_token specified in query string. Also worked.

In my code, I'm using a service account. But I used this repo's SDK to .getAccessToken() to use in API explorer as mentioned above.

astanciu avatar Mar 29 '21 13:03 astanciu

I was having the same issue. By removing "customer" from request I solved that. I was having bad request even when passing customer on Google API Explorer.

EhtashamBukhari avatar May 21 '21 07:05 EhtashamBukhari

@astanciu when you remove customer from the request, does it work as expected?

bcoe avatar Jun 22 '21 16:06 bcoe

@bcoe I assume you mean using domain instead of customer and yes, this does work.

astanciu avatar Jun 22 '21 17:06 astanciu

HI @astanciu, after doing some digging, I've been able to reproduce your issue, except that, along with @EhtashamBukhari, I've confirmed the behavior is the same between the API explorer and the library, and that using domain+userKey instead works. Since the issue is reproducible at the API-level as well, this means that there is either a bug and/or documentation issue at the API level. I'll open the bug here for you to track along.

sofisl avatar Jan 18 '23 23:01 sofisl

Years later...

There'a bug in the underlying API (not sure if/how we can get access to the API bug linked above?), which returns a Bad Request error if you provide only a customer and userKey. If you provide a domain and userKey it works fine (but only returns groups in the given domain), and if you provide a customer without domain and without userKey it works fine as well (but returns all groups).

A workaround to get all groups of a user, whatever the domain, is to use a query with memberKey instead of the userKey parameter.

So:

  • Set the customer parameter with the ID of the customer
  • Do not set domain
  • Do not set userKey
  • Set query to 'memberKey='+the id or email of the user (what you would have set userKey to).

This seems to work fine.

The underlying API (or its documentation) should still be fixed.

jcaron23 avatar Oct 04 '23 11:10 jcaron23