0

I'm running into an issue attempting to use the Provisioning API groups scope in a read-only mode.

I've authorized my service account in a Google Apps domain with the following scope:

https://apps-apis.google.com/a/feeds/group/#readonly

Which according to this document is the correct scope.

Requesting an auth token with a scope of either:

`https://apps-apis.google.com/a/feeds/group/#readonly`, or `https://apps-apis.google.com/a/feeds/group/`

results in an invalid_scope error.

If we look at the actual provisioning docs at https://developers.google.com/google-apps/provisioning/auth the scope is listed as https://apps-apis.google.com/a/feeds/groups/.

Using the read-only version of this scope (https://apps-apis.google.com/a/feeds/groups/#readonly) in the Google Apps admin panel results in the following errors:

  • requesting an auth token for https://apps-apis.google.com/a/feeds/groups/#readonly raises an invalid_scope error.
  • requesting an auth token for https://apps-apis.google.com/a/feeds/groups/ raises an access_denied. I believe this would be expected behaviour as we did not authorize a read/write version of the scope.

We have tried all different combinations of the scopes, but have had no luck. The only way that everything works as expected is if we both authorize, and request an access token with the https://apps-apis.google.com/a/feeds/groups/ scope. In our use case, we cannot allow read/write privileges on this API.

Other examples of inconsistency in the docs:

What is the officially supported read-only scope for the groups Provisioning API?

mvliet

1 Answer

0

The read-only scope only works with Marketplace apps and 2-legged OAuth.

You could create a delegated admin who only has read, not create, update or delete rights to groups. Then use the read/write scope. The scope won't block write operations but the user's delegated rights will.

Jay Lee