For an html-type calendar sidebar gadget with module prefs,

<Require feature="opensocial-0.9"/>
<Require feature="osapi" />

where calls to osapi.http all successfully send, this results in a 404 response:

osapi.people.get({userId:'@viewer'}).execute(function(response) {
    console.log(response);
});

This is wrapped in a POST to the same RPC endpoint as the osapi.http calls, with the post object as expected:

[{"method":"people.get","id":"people.get","params":{"userId":"@viewer","groupId":"@self"}}]

There was no difference in behavior with either osapi.http or osapi.people when the gadget Required either opensocial-0.8 or opensocial-0.9. I assumed that no auth token is required for this call--is that true? Does google calendar support osapi.people?

I instead used the JS API Client Library and followed the sequence in Authentication using the Google APIs Client Library for JavaScript. Your scopes can contain either explicit URLs or claims, such as 'openid' (see OpenID Connect explained). This will result in a

GET https://accounts.google.com/o/oauth2/auth?client_id=...

where the URL of the request parameter 'origin' (ex: https://....opensocial.googleusercontent.com) must be among your Authorized Javascript origins for your client in Google Developers Console.

The returned authResult should contain an access_token. If not, then possible causes of authResult.error_subtype...

• 'origin_mismatch': origin is not among authorized origins
• 'access_denied': scope didn't include identity URL or 'openid'