As far as I understand, oauth2 is the way to go for Google Apps authentication (not openId anymore). However I am still a bit confused about authorization: can you use at the same time 3-legs oauth2 (for contacts, calendar and drive access...) and 2-legs oauth1 (for shared contacts, administration, licensing...)? Or do you have to use exclusively 2-legs oauth1 (to give full control to domain administrators for example)? Thanks.
Viewed 113 times
1 Answer
0
You can use Service Accounts in OAuth2 and access APIs as domain administrator or impersonating a user.
Read more @ https://developers.google.com/accounts/docs/OAuth2ServiceAccount

AMS
-
I am currently using oauth1 for domain-wide access and it works fine, but thanks for the tip. Anyway, my question is more about best practices. Before oauth2 we had to use openId (for authentication) + 2-legs oauth1 (for authorization) and that was pretty straightforward. Now, we can use oauth2 for both authentication and authorization, as well as domain-wide authorization (v1 or v2). What is recommended? For a domain administrator, it might be interesting (or not) not to give too many domain-wide authorizations... – Ben.SaaSt Nov 07 '13 at 09:52
-
The adoption of OAuth2 by Google is more than just supporting the protocol. To get hold of OAuth2 credentials you need to set up an API project (https://cloud.google.com/console), which has an ID. Then a domain admin must allow access to certain scopes for that ID. Any other API with a scope not listed there just won't work. I think this is an improvement over the 2-legged OAuth CONSUMER_KEY (domain) + CONSUMER_SECRET. – AMS Nov 07 '13 at 12:20
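
The service-account flow discussed in this thread, as an added example that is not part of the original answer or comments: a Node.js sketch that builds the signed JWT assertion with a `sub` claim for impersonation and refuses scopes outside an admin-approved list. The account names, the scope list and the throwaway key pair are constructed for illustration; the function names are hypothetical.

```javascript
// Added example: JWT assertion for an OAuth2 service account with impersonation.
const nodeCrypto = require('crypto');

// Constructed sample: scopes the domain admin authorized for this client ID.
const ADMIN_APPROVED_SCOPES = new Set([
  'https://www.googleapis.com/auth/calendar.readonly',
  'https://www.googleapis.com/auth/drive.readonly',
]);
const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const b64url = (v) => Buffer.from(v).toString('base64url');

function buildAssertion({ serviceAccount, impersonate, scopes, privateKey, now }) {
  // Local pre-flight check mirroring the admin's list; Google enforces the real one.
  const denied = scopes.filter((s) => !ADMIN_APPROVED_SCOPES.has(s));
  if (denied.length) throw new Error('scope not authorized: ' + denied.join(' '));
  const claims = {
    iss: serviceAccount,      // service account e-mail
    sub: impersonate,         // domain user the service account acts as
    scope: scopes.join(' '),  // least privilege: request only what is needed
    aud: TOKEN_URL,
    iat: now,
    exp: now + 3600,          // one-hour lifetime
  };
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const input = header + '.' + b64url(JSON.stringify(claims));
  const sig = nodeCrypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return input + '.' + sig.toString('base64url');
}

// Checks the signature and returns the claims, or null if it does not verify.
function verifyAssertion(jwt, publicKey) {
  const [h, c, s] = jwt.split('.');
  const ok = nodeCrypto.verify('RSA-SHA256', Buffer.from(h + '.' + c), publicKey, Buffer.from(s, 'base64url'));
  return ok ? JSON.parse(Buffer.from(c, 'base64url').toString()) : null;
}

// Form body POSTed to the token endpoint in exchange for an access token.
function tokenRequestBody(assertion) {
  return new URLSearchParams({ grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer', assertion }).toString();
}

function demo() {
  const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwt = buildAssertion({
    serviceAccount: 'svc@example-project.iam.gserviceaccount.com', // constructed
    impersonate: 'user@example.com',                               // constructed
    scopes: ['https://www.googleapis.com/auth/calendar.readonly'],
    privateKey, now: Math.floor(Date.now() / 1000),
  });
  return { claims: verifyAssertion(jwt, publicKey), body: tokenRequestBody(jwt) };
}
console.log(demo().claims);
```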