I’m using n8n Cloud v1.95.3 and trying to get Google Drive access by impersonating a user with a Service Account configured for Domain-Wide Delegation.
In n8n, the Google Drive node consistently fails with an “unauthorized_client” error, and an HTTP Request node using the same Service Account credential gives a “403 Forbidden - unregistered callers” error, despite careful credential setup including private key formatting and even using a brand new GCP project/SA/key/DWD setup. I’ve successfully tested this exact DWD setup (same Service Account impersonation, https://www.googleapis.com/auth/drive scope) externally using gcloud and curl to obtain an access token, proving the Google-side configuration is correct. trying to understand why n8n is failing to authenticate when the Google DWD setup is confirmed functional externally? Any insights on n8n’s handling of SA DWD would be appreciated.
Remember to also fill out the standard fields in the n8n forum template:
im relatively new to N8N, but do you know if the N8N team monitors the boards? would be helpful to get their perspective on this…im currently blocked on a project while i work through this
Likewise, Bryan - I’m new, and I am unsure if the boards are monitored. Thanks for submitting the bug report. I see in a very new comment in GitHub that they are tracking the issue internally. Hopefully, we’ll have an update soon.
For impersonate user you can provide {{ $json.primaryEmail }} it will allow you to save and it will pick up the email while in workflow.
I wasn’t able to get it to save if I tried to reference some specific node
I had the same issue — I was using a service account with DWD to access the gmail API and the built-in Gmail node in n8n also returned an unauthorized_client error. I ended up having to use a HTTP req node, with a manually generated access token, which worked fine, so the problem doesn’t seem to be with the DWD setup. Would be nice to have some clarification on whats not working. Seems also that the github issue was closed for some reason?
Hi, Google seems to think that you not only have to put the data in the request itself but you also need to add it to the http request header for it to be accepted
Thanks for your reply and i will give that a shot. If possible could you share some sort of template for how you solved? Maybe download json for the workflow (minus the credentials obviously )
Would love to give this a try
Did some further testing and found that I didn’t actually need to manually create the token (idk why it wasnt working before). Here is what I did to get around using the built-in google n8n node;
Select predefined authentication type → select google service account api → create credential, and fill in with impersonate user, and make sure to select set up for use in http node
Just tried this out on a new workflow/account and it worked - seems like the built in node just doesn’t send the scope even when you have added it in credentials
thank you for sharing this…this worked for me, and ive replaced the Google Drive node with HTTP request, and am now successfully able to execute queries with the N8N mode, with my service account. thank you @Loznero for sharing this.
I was having the same problem. n8n’s built in Google Service Account node kept giving me error unauthorized_clientClient is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.
I can’t even find the native Google Service Account node anymore.
Built a workflow to create email drafts for another employee. Didn’t want to go through the trouble of getting their OAuth as I may need to create similar workflows for other employees. This solved my problem! Thank you!