4

When a user logs on to our Marketplace V2 app, we need to know which Google Apps account the user belongs to.

The id_token contains the 'hd' parameter (the domain name), but that's not enough, as a Google Apps account can have multiple domains.

CustomerId seems like a good primary key to match users to the correct Google Apps account. The problem is, it doesn't seem to be included in the id_token. Is there some way to figure out what the CustomerId of a user is?

The Admin SDK would be one option, but in almost all cases, calls to the Admin SDK fail with "Domain cannot use APIs". I read in a previous answer that Google automatically (re-)enables API access when an administrator installs a Marketplace app, but that can't be true because a call to the Admin SDK hardly ever works.

Does anyone have any suggestions on how to get a customerId or other primary key otherwise, or another trick to get the Admin SDK working (without having to instruct people to change their Google Apps Security settings, because that pretty much defeats the point of an effortless Marketplace installation)?

Thanks!

user3256616

1 Answer

6

To make the Admin SDK work after installation of your Google Apps Marketplace app, you must:

  • add the Admin SDK to your cloud project

  • add the Google Apps Marketplace SDK to your cloud project

  • go into the configuration of the Marketplace app and add the required Admin SDK scope

After installation, your service account will have permission to call the Admin SDK on the domain that installed your marketplace app.

The docs state: To retrieve the customerId, use the Retrieve a user operation.

So you will need at least this scope:

Additionally, you will need to know the email address of an administrator at the domain.

On a side note: I believe you can use "my_customer" as a replacement for the customer ID in API calls, at least for the Admin SDK.

Update: http://googleappsupdates.blogspot.be/2014/09/new-features-in-admin-sdk-custom-user.html

"Historically, only admins have been able to access the data in the Admin SDK. Beginning today, any user (not just admins) will now be able to call the Directory API to read the profile of any user on the domain (of course, we will respect ACLing settings and profile sharing settings)."

koma
  • We're already using all necessary scopes but those steps are not enough to use the Admin SDK, I'm afraid. As explained above, there's an additional setting that needs to be enabled that otherwise prevents the Admin SDK from being used. It's in the Admin panel under Security > API Reference > "Enable API Access". This setting cannot be modified by a Marketplace app. So if it's off (and we've found it's off a lot, if not most of the times!), calls to the Admin SDK fail and there's no way to get a customerId or even query users. – user3256616 Aug 18 '14 at 08:37
  • Some APIs require the API access to be enabled using the Admin console. In your initial console configuration, this setting is enabled. https://support.google.com/a/answer/60757?hl=en; You will have to feedback this problem to the end user then. – koma Aug 18 '14 at 08:56
  • Right, hence my initial question if there's some other way to get a customerId. Having to ask the user to change those settings is not really a seamless experience, and many won't change it, but finding some way to uniquely identify a Google Apps account is necessary for the app to work. – user3256616 Aug 19 '14 at 15:53
  • 1
    We are aware of this issue and are working on ways to solve this use case. – Eric Koleda Sep 11 '14 at 18:54
  • 1
    Even with non-admin access to directory API, a non-admin domain_public user request does not return customerId field (only core fields like name, email ...). It is part of response only with admin user. So how can I get customerId or some other "primary key" google apps domain attribute? – user3686724 Oct 09 '15 at 12:21
  • I ended up having to use `my_customer`; I couldn't figure out what the heck to set the customer ID to. Thanks for the tip! – Nicholas DiPiazza Aug 19 '16 at 18:27
  • 1
    @koma - "The docs state : To retrieve the customerId, use the Retrieve a user operation." But how is this possible when the operation itself requires the customerId?? Where do we find the customerId otherwise? – Ben Davis Feb 05 '19 at 19:53
  • Tried it today, as @user3686724 mentioned, even if the API is accessible to non admin users, the response returned by the endpoint for the domain_public does not contain the organization ID. I don't know why it is so difficult to get that ID, we need a stable mechanism to identify an org. Domain is not enough, it's not stable, and can be changed. – HHK Sep 28 '20 at 09:42
  • @EricKoleda it's been 6 years, should I re-open a ticket on Google support ? It's really not ideal to have to rely on the hosted domain or other unstable keys to identify the customer. – HHK Sep 28 '20 at 09:48
  • @HHK @EricKoleda By any chance you managed to find an updated solution to this? My app needs this `CustomerId` badly for the exact purpose, on regular, non-admin users. I encountered the same thing: the Users endpoint does not return `CustomerId` for `domain_public` view (the only view standard users can use), and the `Customers` endpoint returns 403 when attempting to use `my_customer` on a standard user. I've tried for days and hours to find a way to get `CustomerId` when a standard G Suite/Workspace user signs into our app via Google Identity without success. – thankyoussd Sep 24 '21 at 22:47
  • No I opened a ticket to Google support but I did not get an actual solution from them. Maybe open a ticket as well, they might one day add this in their API. – HHK Sep 30 '21 at 15:58
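
An added example, not code from the question, the answer or Google's documentation, of the tenant-matching logic this thread is after: key the tenant on `customerId` when the "Retrieve a user" response carries it, and treat `hd` only as a weaker, labelled hint when the response lacks it or the call is refused. `fetch_user`, `DirectoryUnavailable`, `known_domains` and the sample responses are hypothetical and constructed, and the claims are assumed to come from an id_token whose signature has already been verified.

```python
class DirectoryUnavailable(Exception):
    """Raised by fetch_user when the call is refused ("Domain cannot use APIs")."""


def resolve_tenant(claims, fetch_user, known_domains):
    """Return (tenant_key, source) for already-verified id_token claims.

    fetch_user(email) is a hypothetical wrapper around the Directory API
    "Retrieve a user" call; known_domains maps hd -> customerId learned
    from earlier lookups that did return a customerId.
    """
    hd = claims.get("hd")
    if not hd or not claims.get("email_verified"):
        raise ValueError("not a verified hosted-domain account")
    hd = hd.lower()
    try:
        user = fetch_user(claims["email"])
    except DirectoryUnavailable:
        user = {}  # API access is off for this domain
    customer_id = user.get("customerId")  # absent in the domain_public view
    if customer_id:
        known_domains[hd] = customer_id  # several domains may share one account
        return customer_id, "directory"
    if hd in known_domains:
        # Weaker signal: a domain is not a stable key, so label the source.
        return known_domains[hd], "cached-domain"
    return None, "unresolved"


# Constructed sample responses (not real data), keyed by e-mail address.
SAMPLE_USERS = {
    "ann@example.com": {"primaryEmail": "ann@example.com", "customerId": "C0constructed"},
    "cy@example.org": {"primaryEmail": "cy@example.org", "customerId": "C0constructed"},
    "bob@example.com": {"primaryEmail": "bob@example.com"},  # domain_public view
}


def sample_fetch(email):
    if email not in SAMPLE_USERS:
        raise DirectoryUnavailable("Domain cannot use APIs")
    return SAMPLE_USERS[email]


def demo():
    known = {}
    logins = [("ann@example.com", "example.com"), ("cy@example.org", "example.org"),
              ("bob@example.com", "example.com"), ("dee@other.test", "other.test")]
    return [resolve_tenant({"email": e, "hd": h, "email_verified": True},
                           sample_fetch, known) for e, h in logins]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A caller should decide explicitly what a `cached-domain` or `unresolved` result is allowed to do, rather than silently treating `hd` as the primary key.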