I've been trying to use Google's CardDAV APIs (and I've successfully gotten CalDAV access working). Unfortunately, I keep getting a 403 error when trying to discover the user's current-user-principal. FWIW, I have gone to Google's Developer Console and set up client information and it seems to work perfectly fine for CalDAV access.

Here is a snippet of the HTTP traffic for CardDAV:

PROPFIND https://www.googleapis.com:443/.well-known/carddav/
Depth: 0
Content-Type: text/xml
Brief: T
Authorization: Bearer ya29.1.AADtN_UD1CVKpIQPsyB4HzoKVxt4L5kPFXU3GucMTfJmJj9t0pzZqX1i3Xx748Y
<?xml version="1.0" encoding="utf-8"?>
<x0:propfind xmlns:x0="DAV:">
  <x0:prop>
    <x0:current-user-principal />
    <x0:principal-URL />
    <x0:resourcetype />
  </x0:prop>
</x0:propfind>

vvvvvvvvvvvv

HTTP PROPFIND Status(403) Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<errors xmlns="http://schemas.google.com/g/2005">
 <error>
  <domain>GData</domain>
  <code>insufficientPermissions</code>
  <internalReason>Insufficient Permission</internalReason>
 </error>
</errors>

If anyone has some insight as to why this might be happening, it would be greatly appreciated.

Red

You need to request access for Google Carddav API, i.e. https://www.googleapis.com/auth/carddav

I fear that still might not be enough rights, because even with that permission (and also the permission for https://www.googleapis.com/auth/contacts) I get empty reports for my addressbook. That's very strange. Even after putting a contact with my client.

I have been playing around with this today and succeeded just now. I am using two oauth scopes

https://www.googleapis.com/auth/carddav

https://www.google.com/m8/feeds

I was getting a 403 when just using the second one. I then do a depth 1 propfind on getetag and then a multiget to get the vcards. The response is super speedy.

p.s. With the URL you are using you will also get an http-redirect