Missing Grant Error When Attempting to Create a Google Classroom Push Notification Registration


Unlike some of the other Google APIs (Google Drive, Google Directory), in order to receive push notifications/webhooks about resource changes within Google Classroom, you need to create a Google Cloud project, and within that project a Cloud Pub/Sub topic, and then subscriptions for the topic. This is all described in the "Push notifications in the Classroom API" section of their documentation.

I've done all of that, and I've given the Google Classroom service account permission to publish to my topic, again per the docs. The project (and its Pub/Sub topic) are nested under the main organization for the company I work for (to which I have superadmin permissions). I've created a service account for my Google Cloud project, and in the Google Admin Console, I've given the classroom scopes (including the "push-notifications" scope) to the service account, per the "Using OAuth 2.0 for Server to Server Applications" section of the docs. I'm working in Python 3.8, and we are using the google-api-python-client, version 1.7.3. I have no problems making calls to fetch resources from the API (i.e. fetching courses, coursework, etc) this way. But when I make a request to create the push notification registration, I receive the following error:

<HttpError 403 when requesting https://classroom.googleapis.com/v1/registrations?alt=json returned "@MissingGrant Using this feature requires the appropriate scopes to be granted to your application using OAuth. In particular, domain-wide delegation is not supported.">

On the settings for the service account in the Cloud Console, under "Advanced Settings" there is a warning about what Domain-wide Delegation entails, and then a link to that section of the Admin Console to give a service account the domain-wide scopes it needs. There is NOT an option to enable/disable domain-wide delegation, and I read in a previous SO post that this feature is now simply enabled for service accounts once you assign them scopes in the Admin Console, whereas previously you had to go to the service account settings to enable it first. From the "Domain-Wide Delegation" section of the Google Admin Console, I've given our service account the following scopes:

https://www.googleapis.com/auth/classroom.courses.readonly
https://www.googleapis.com/auth/classroom.rosters.readonly
https://www.googleapis.com/auth/classroom.student-submissions.students.readonly
https://www.googleapis.com/auth/classroom.push-notifications
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/pubsub

Here are the parameters I am sending on the request (with some private information removed). I did not include a registrationId, because the docs state that it will be set by Google (unless refreshing an existing registration, which I am not), and any value I provide will be overwritten. The timestamp format matches what the docs ask for, and the structure of all the other items in the params again matches what the docs ask for (unless I made an error?).

params:  {
  'body': {
    'registrationId': None, 
    'feed': {
      'feedType': 'DOMAIN_ROSTER_CHANGES', 
      'courseWorkChangesInfo': {
        'courseId': <courseId string for a Google Classroom I created>
      }
    }, 
    'cloudPubsubTopic': {
      'topicName': <topic name string copy/pasted from the topic in my Google Cloud Console>
    }, 
    'expiryTime': '2023-10-10T19:04:56.725983+00:00'
  }
}

In the "Using OAuth 2.0 for Server to Server Applications" docs, there is a section towards the end detailing common error messages and what they mean/how to resolve them. This "missing grant" error is not listed there. I haven't been able to find any SO posts, GitHub issues, or Google Classroom documentation which address this specific error. Has anyone encountered this before? How did you resolve it? Alternatively, is anyone aware of a resource for this error? I reached out to Google's developer support, but I suspect it may be a while before I get a response.

NOTE: I removed the links to relevant docs from my post as SO kept marking my post as spam. Apologies, but the names in quotes are the exact names of the documentation to which I'm referring.
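
Added example, not part of the original post: the error text says the scopes must be granted through OAuth and that domain-wide delegation is not supported, so this sketch creates the registration under an interactive user consent flow and validates the request body first (feed type against its info field, topic name format). It assumes an OAuth client secrets file for an installed app and the google-auth-oauthlib package; the function names are hypothetical.

```python
# Added example: helper names here are hypothetical, not from the original post.
PUSH_SCOPE = "https://www.googleapis.com/auth/classroom.push-notifications"

# Classroom feed types and the feed field that carries the course id for each.
FEED_INFO_FIELD = {
    "DOMAIN_ROSTER_CHANGES": None,  # domain-wide feed, takes no course id
    "COURSE_ROSTER_CHANGES": "courseRosterChangesInfo",
    "COURSE_WORK_CHANGES": "courseWorkChangesInfo",
}


def build_registration(feed_type, topic_name, course_id=None):
    """Build a registrations.create body, rejecting inconsistent input."""
    if feed_type not in FEED_INFO_FIELD:
        raise ValueError(f"unknown feedType: {feed_type!r}")
    info_field = FEED_INFO_FIELD[feed_type]
    if info_field is None and course_id is not None:
        raise ValueError(f"{feed_type} does not take a course id")
    if info_field is not None and not course_id:
        raise ValueError(f"{feed_type} needs a course id in {info_field}")
    parts = topic_name.split("/")
    if len(parts) != 4 or parts[0] != "projects" or parts[2] != "topics" \
            or not parts[1] or not parts[3]:
        raise ValueError("topicName must look like projects/<id>/topics/<name>")
    feed = {"feedType": feed_type}
    if info_field:
        feed[info_field] = {"courseId": course_id}
    # registrationId is left out: the post notes Google assigns it.
    return {"feed": feed, "cloudPubsubTopic": {"topicName": topic_name}}


def create_registration(client_secrets_file, data_scopes, body):
    """Create the registration under a user's own OAuth consent."""
    # Imported lazily so build_registration() works without these packages.
    from google_auth_oauthlib.flow import InstalledAppFlow
    from googleapiclient.discovery import build

    # Request only the push scope plus the read scope(s) the feed needs.
    flow = InstalledAppFlow.from_client_secrets_file(
        client_secrets_file, scopes=[PUSH_SCOPE, *data_scopes])
    creds = flow.run_local_server(port=0)  # opens a browser consent page
    service = build("classroom", "v1", credentials=creds)
    return service.registrations().create(body=body).execute()
```

The consenting user needs access to the course or domain data the feed covers, and `data_scopes` should list only the read scopes that feed requires.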
