
Currently using the Provisioning API that is being deprecated April 20.

This is the current flow:

  1. user (University Alumni) gets to our site http://alumni.columbia.edu/email
  2. they click on Create My Account
  3. they authenticate through our university WIND system using what we call their UNI
  4. they land on a page mentioning that an email account UNI@caa.columbia.edu is ready to be created. They can pick an alias to UNI. They also need to enter a password to use the Chat and POP-mail features of Gmail.
  5. they confirm the creation of the account. At this point the API is called using https://www.google.com/a/feeds/, and some data (email address, name, id) is saved in our database.
  6. To log in, they come through our site and click on the login button; this uses the SSO and they get logged in.

Based on the flow above, do I need to use OAuth2.0?

Vaibhav Mule
Izumi Bérat

1 Answer

Yes, you will need to authenticate with OAuth using the Installed Applications approach to do this. Instead of step 5 the way you currently have it, you'll need to call the API from a process on your server with an account that has (limited) admin credentials that can create the account with the Directory API. To do this, you'll need to persist the OAuth token information that the account will use to connect, and handle the code to refresh the token when it has expired.

The first time you run your code you'll need to manually authenticate that account to get your application the appropriate permissions so that they can be stored.

If you're hoping to not go too crazy with handling the authentication side of things and you're using .Net, I'd recommend checking out my project gShell that acts as a wrapper for the authentication and handles the token storing and refreshing for you. It's still a young project but it should fit your needs. Alternately, feel free to browse the code for an example on what to do.

If you plan on using Python, check out Google Apps Manager by jay0lee which is also a wonderful resource.

squid808
  • Thank you! A follow up question, if I am using the Service account Client ID type which I believe is what I need when setting up the OAuth2.0, where do I find the Client secret? I seem to have a Client Secret only when I select the Web Application Client ID type. – Izumi Bérat Apr 17 '15 at 15:14
  • You only need a service account when you're impersonating the users, for instance to access information from their Drive folders (permissions, etc). When you're making administrative calls (creating users and such) you want a [Client ID for native/installed application](https://developers.google.com/console/help/new/?hl=en_US#installedapplications), I believe which gives you a client ID and secret and redirect URIs. To be clear, you're not giving your users access to that account, it's just making the calls for you in the back end after they've been verified. – squid808 Apr 17 '15 at 16:23
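The answer above describes three server-side pieces: persist the tokens obtained during the one-time manual consent step, refresh the access token when it has expired, and call the Directory API with an account that has only the admin rights needed to create users. The following Python is an added example that is not part of the answer, of gShell or of Google Apps Manager. It assumes the one-time consent step has already produced a refresh token for an installed-application client and stored it in a JSON file; the token endpoint, the users.insert URL and the `admin.directory.user` scope are Google's documented values, while `refresh_fn`, `TokenStore`, `REFRESH_MARGIN_SECONDS`, the alumni name and password values and the `tokens.json` path are assumptions of this example. The refresh function is injected so the token lifecycle can be exercised offline; `refresh_with_google` is the real network version.

```python
"""Token persistence, refresh and Directory API user creation for a back-end caller.

Added example (not the answer's or any project's code). Assumes an installed-app
OAuth client whose refresh token was obtained once, manually, and stored on the server.
"""
import json
import os
import time
import urllib.parse
import urllib.request

# Least-privilege scope: enough for users.insert, nothing else.
DIRECTORY_USER_SCOPE = "https://www.googleapis.com/auth/admin.directory.user"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
USERS_INSERT_URL = "https://www.googleapis.com/admin/directory/v1/users"
REFRESH_MARGIN_SECONDS = 60  # assumed margin: refresh shortly before real expiry


class TokenStore:
    """Persists the refresh/access token pair; the file is owner-only because the
    refresh token is a long-lived admin credential and must never reach end users."""

    def __init__(self, path):
        self.path = path

    def load(self):
        if not os.path.exists(self.path):
            return None
        with open(self.path, "r", encoding="utf-8") as fh:
            return json.load(fh)

    def save(self, tokens):
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(tokens, fh)
        os.chmod(tmp, 0o600)
        os.replace(tmp, self.path)  # atomic swap so a crash never leaves a half-written file


def refresh_with_google(client_id, client_secret, refresh_token):
    """Exchanges the stored refresh token for a new access token (network call).
    Returns (access_token, expires_in_seconds)."""
    data = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    }).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        body = json.load(resp)
    return body["access_token"], int(body["expires_in"])


def ensure_access_token(store, refresh_fn, now=None):
    """Returns (access_token, refreshed). Uses the cached token while it is still valid,
    otherwise calls refresh_fn(refresh_token) -> (access_token, expires_in) and persists
    the result. Raises RuntimeError if the one-time consent step has never been run."""
    now = time.time() if now is None else now
    tokens = store.load()
    if not tokens or "refresh_token" not in tokens:
        raise RuntimeError("no stored credentials; run the one-time consent flow first")
    if tokens.get("access_token") and tokens.get("expires_at", 0) - REFRESH_MARGIN_SECONDS > now:
        return tokens["access_token"], False
    access_token, expires_in = refresh_fn(tokens["refresh_token"])
    tokens["access_token"] = access_token
    tokens["expires_at"] = now + expires_in
    store.save(tokens)
    return access_token, True


def build_create_user_request(uni, given_name, family_name, password, domain="caa.columbia.edu"):
    """Builds the users.insert body for UNI@domain. The password is the one the alumnus
    chose for POP/Chat and travels only server-to-Google over TLS."""
    body = {
        "primaryEmail": f"{uni}@{domain}",
        "name": {"givenName": given_name, "familyName": family_name},
        "password": password,
        "changePasswordAtNextLogin": False,
    }
    return USERS_INSERT_URL, body


def create_user(access_token, body):
    """Step 5 of the flow, run from the server with the admin account's token (network call)."""
    req = urllib.request.Request(
        USERS_INSERT_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed deployment wiring: client id/secret come from the installed-app client
    # the comment above refers to, kept in the environment rather than in the web tree.
    store = TokenStore("tokens.json")
    token, _ = ensure_access_token(
        store, lambda rt: refresh_with_google(os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"], rt))
    _, body = build_create_user_request("ab1234", "Ada", "Lovelace", "constructed-password")
    print(create_user(token, body)["primaryEmail"])
```

The admin account used here should be a dedicated one holding only the user-management privilege, so a leaked `tokens.json` cannot do more than the flow itself needs; the web front end never sees that file, it only tells the back-end process which UNI was just verified by WIND.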