
We have several apps deployed on the Google Apps Marketplace using the OAuth 1.0 protocol. Because of the expiration of OAuth 1.0 on the Google platform we are trying to migrate all the apps to the new OAuth version, but we are facing some difficulties regarding background requests to the Google Admin SDK Directory API.

In our apps we need to request domain user accounts, groups and other things related to the email domain structure. Until now, with OAuth 1.0, we have been doing this with 2-LO (Two-Legged OAuth), so basically once the admin gave us access we could make impersonated requests for the domain using this mechanism.

After reading all the Google documentation about the Google APIs, OAuth mechanisms and so on, and after testing some code hypotheses too, we haven't figured out yet how we can achieve the same concept with OAuth 2, because of the following:

  1. Using the Web Server OAuth 2 strategy simply will not work, because in that scenario we would be getting a domain user's access to the Admin SDK. If we keep their access/refresh token pair to query the Admin SDK later and that user is deleted because the domain changed its admin, we will be disconnected from the flow.

  2. I supposed that in that case the best choice was the Service Account strategy. The problem with this scenario is that the user has to manually configure access for the app in their Admin Console, according to Google's document on domain-wide delegation of authority (https://developers.google.com/+/domains/authentication/delegation#create_the_service_account_and_its_credentials). This is really awkward for us, since we were managing all application installation interactively and we don't want to remove user-experience facilities.

Finally, my questions are:

  1. Is there any way to do domain-wide delegation of authority with OAuth 2 with no manual user configuration, fully interactively?
  2. Is there any way to do this without needing the user's email, which in fact is one of the parameters in the Service Account OAuth 2 strategy?
  3. Must we keep 2-LO authentication for this scenario and do OAuth 2 only for the Google Marketplace installation part?

Any comments or guidance will be welcome.

Best,

jproyo

1 Answer

  1. Certainly - in the latest update to the Google Apps Marketplace, the act of installing an App means the admin doesn't need to do an additional manual step.

  2. You need a way to impersonate a user in a Service Account. Depending on how you implement your application, you might need to utilize the Directory API.

  3. OAuth1 is going away eventually so I recommend you use OAuth2 throughout to simplify your code complexity.

jonathanberi
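As an added illustration of the answer's point 2 (this is not the poster's or Google's code), here is the JWT-bearer assertion a service account builds to impersonate a domain admin before calling the Directory API: the `sub` claim is what carries the impersonated user's email, which is why that email cannot be left out. The service-account and admin addresses are constructed placeholders, and the `rs256_signer_from_pem` helper assumes the third-party `cryptography` package is installed.

```python
"""Build the service-account assertion used for domain-wide delegation.
Added example, not code from the original question or answer."""
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"  # token endpoint, also the JWT audience
DIRECTORY_USER_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def delegation_claims(client_email, subject, scopes, now=None, lifetime=3600):
    """Claim set for domain-wide delegation. `sub` names the admin whose rights are
    borrowed; without it the token represents only the service account itself,
    which has no Directory API access in the customer's domain."""
    if not subject:
        raise ValueError("domain-wide delegation requires a user to impersonate (sub)")
    if lifetime > 3600:
        raise ValueError("assertion lifetime must not exceed one hour")
    iat = int(now if now is not None else time.time())
    return {"iss": client_email, "sub": subject, "scope": " ".join(scopes),
            "aud": TOKEN_URI, "iat": iat, "exp": iat + lifetime}


def build_assertion(claims, signer):
    """header.payload.signature; `signer` maps the signing input to an RS256 signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def token_request_body(assertion):
    """Form fields POSTed to TOKEN_URI to exchange the assertion for an access token."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "assertion": assertion}


def rs256_signer_from_pem(private_key_pem: bytes):
    """Real signer from the `private_key` field of a service-account JSON key
    (uses the third-party `cryptography` package, assumed installed)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def decode_claims(assertion):
    """Read back the payload segment (no signature check; for inspection only)."""
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

The admin the `sub` claim names must still have granted the service account's client ID the listed scopes in the Admin Console, so the assertion only works for domains where that delegation exists.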