0

My organisation (Polish Scouting Association) has it's own google apps domain, and every scout is entiteled to have one e-mail address.

We decided to create an WWW application in which user can authorize, and sets up his own google apps account. To do this we need to have a progammatic, non-interactive a way to create google apps accounts.

To be clear:

  1. User logs in to our application using credentials we use throught out organisation
  2. He initiates google apps account creation
  3. Our application creates his google apps account

This could be done using Google Data API, which is deprecated. Another way seems to be via Google Admin directory API, but according to the documentation there needs to be physical human user to authorize requests using Oauth2.

In the example following flow is proposed: 

flow = OAuth2WebServerFlow(CLIENT_ID, CLIENT_SECRET, OAUTH_SCOPE, REDIRECT_URI)
authorize_url = flow.step1_get_authorize_url()
print 'Go to the following link in your browser: ' + authorize_url
code = raw_input('Enter verification code: ').strip()
credentials = flow.step2_exchange(code)

And it seems that I need to use OAuth2 scheme, which (I guess) implies that some living person with admin right authorizes every request, in our case we obviously want user to be able to initialize account creation.

Is this possible using this (or any other) API?

jb.
  • 23,300
  • 18
  • 98
  • 136

2 Answers2

2

You're right, the current way to create a user is the Admin SDK Directory API.

And the good news is while you do need OAUth credentials, you do not need a human to authorize the request every time. You simply have to store the credentials in your app so that it is allowed to perform the required action every time.

You have two options :

  • Perform the OAuth manual authorization once, and store the credentials in a file or database. The credentials are simply two strings called access token and refresh token. Note that the authorization must be provided by a super admin user so that the app can create users.

  • Use a service account and domain wide delegation to authorize your app to impersonate any user, then impersonate a super-admin user to perform the Directory API actions.

I believe the first option will be simpler for you.

In any case, what you will end up with is an access token, that is valid for 1 hour. This access token is what will grant your application access to the API. After one hour, you will need to get a new refresh token, which is done differently depending on the option you've chosen.

If you have chosen to perform the manual operation once, you got a refresh token. That refresh token is valid forever and is used to, well, refresh the access token. Actually, that just means that you get a new access token.

If you have chosen the service account option, then you simply re-generate the access token from the service account's private key.

Note that in both cases, Google's OAuth 2 Python library (required for the Admin SDK library) will handle the refresh work for you.

David
  • 5,481
  • 2
  • 20
  • 33
  • Any documentation about how long the token will be valid? – jb. Sep 20 '14 at 07:56
  • The token is valid one hour, but can be refreshed for as long as you need. I added more details in the answer. – David Sep 20 '14 at 09:01
  • Thank you for your answer, it got me on the right track. I unaccepted your answer, and will accept my own in due time, sorry for the lost reputation, but I guess that getting this working was hard enough so it is worthwile to share my solution. – jb. Sep 20 '14 at 15:28
1

@David answer got me on the right track, but I had some problems with using a service account.

Solution

I decided to use service account and impersonation API, beware that this gives a very high level of access to your applicaiton and raises the security bar consideably!

Anyways, here is what you need to do:

Set up a service account

Follow this tutorial, but when setting up credentials create a service account

Here is the revelant part of page:

(...) you can activate the Admin SDK yourself in the Developers Console by doing the following:

  • Go to the Google Developers Console.
  • Select a project, or create a new one.
  • In the sidebar on the left, expand APIs & auth. Next, click APIs. In the list of APIs, make sure the status is ON for the Admin SDK.
  • In the sidebar on the left, select Credentials.
  • In either case, you end up on the Credentials page and can create your project's credentials from here.

If you haven't done so already, create your OAuth 2.0 credentials by clicking Create new Client ID under the OAuth heading. Next, look for your application's client ID and client secret in the relevant table You may also create and edit redirect URIs from this page.

Domain wide delegation of authority

Perform a domain wide delegation of authority to your code, using this guide..

  1. Go to your Google Apps domain’s Admin console.
  2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
  3. Select Advanced settings from the list of options.
  4. Select Manage third party OAuth Client access in the Authentication section.
  5. In the Client name field enter the service account's Client ID.
  6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to (see image below). For example if you need domain-wide access to the Google Drive API and the Google Calendar API enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar Click the Authorize button.

Please note that you'll need to provide Client ID not Email Address in step 5.

See this for list of scopes.

Install required dependencies

Install google-api-python-client, PyCrypto an PyOpenSSL (you may omit PyOpenSSL), but then you'll need to convert downloaded certificate.

You can use following sample to perform authentication

with open('private/key-filename.p12', 'rb') as f:
    private_key = f.read()

credentials = SignedJwtAssertionCredentials(
   'user-email-@developer.gserviceaccount.com', # Email address [1]
   private_key,
   'https://www.googleapis.com/auth/admin.directory.user',
   sub="impersonated-user@foo.bar" # Impersonate user [2])
  • Where 1 is an service account e-mail address, and 2 is an already existing address of admin user in your domain. From now on all actions taken by the API will be performed using this (marked by 2) user authorisation and credentials.
  • Note that 1 contains Email Address of Service account (this is different from Client ID) in step 5.

Now you should have read-write account to your API.

jb.
  • 23,300
  • 18
  • 98
  • 136