3

I am using Google Admin SDK Directory API to create users and using Service account I am able to perform CRUD operations on them.

I have a requirement whereby I have to check the credentials of users created using SDK. When you fetch the users the password is not returned, hence comparison cannot be done.

I'll really appreciate if someone lets me know what would be effective way of approaching the checkCredentials function.

Thanks.

baba.kabira
  • 3,111
  • 2
  • 26
  • 37
  • Why do you need to "check" a user password when you've clearly already set it when creating the user? What are you checking for? – Jay Lee Nov 30 '13 at 16:36

2 Answers2

2

Google does not ever return the value of the password. That would be a monumental security risk.

See their documentation in regards to the user resource used in the directory API. It specifically states that the password field is never returned. It can only be used for setting the password.

If your requirement is too check creds on a newly created user, you should look into trying to login as the user with the password you just sent, using the google auth Apis

Joseph Alcorn
  • 2,322
  • 17
  • 23
  • Actually I've got the same problem as @gbagga and there is no API in the [link you provided](https://developers.google.com/accounts/docs/OAuth2Login) to test a user / password because it's OAuth. And using such API will request the user its credentials a second time. – Anthony O. Feb 19 '14 at 11:35
  • Anthony, you are right, and I realize now that my answer was misleading. I probably should have added that using the API will mean that you will have still have to do some work manually or with an automation tool, as the API will only provide confirmation that a login was successful after it points the user to Googles Account login page. Your answer would work to that end, but I still question the need to confirm a password set at account creation. Is there a question about the reliability of Google's APIs? – Joseph Alcorn Feb 19 '14 at 18:38
  • Actually my use case is to create an enterprise SSO which would import my users from Google at the moment he/she logs in the SSO system. As I cannot retrieve his/her pass, I must check it against the Google system, which I couldn't do obviously with some Google API :( – Anthony O. Feb 20 '14 at 08:33
  • 1
    Ah, that makes sense. I hate requirements that make you create nasty workarounds. Good luck with the project – Joseph Alcorn Feb 20 '14 at 13:15
0

At the moment, the only solution I've found is to simulate the user login flow with a fake browser (Apache's httpcomponents-client for Java for example) pointing to Google Account ServiceLogin.

Anthony O.
  • 22,041
  • 18
  • 107
  • 163