As an ISV, I want to provide multiple customers of mine (and Google's) the ability to collect data from the Directory API. Since our app is headless, it seems that Domain-Wide Delegation is needed for customers to authorize our app; however, it seems to me that it creates a security hole. If our app (again, headless) is authorized to customer A's account, and also to customer B's, what would prevent customer A from seeing (collecting) customer B's data and vice versa?

Since the only authentication in this case is our app to the API, what is the recommended approach to prevent this situation from occurring? A different client ID for each customer? Wouldn't that mean that each customer also has to have a Google Developer account? Or, are we faced with having to manually create a separate service account for each customer?

(My app is working fine, BTW, just seems insecure to me)

MushyMiddle
  • To make it clear, only the admin will have access to all the customers' data. If customer A authorizes your app, it's not the case that customer B can access customer A's information. For example, if A shared its Drive files with read access to your app, then only the admin of the app will have access to them, unless A shares its information with B or the admin gives access to it. You can also control the information your app is requesting by setting the proper scopes. – SGC Oct 21 '15 at 19:36
  • @SGC Thanks for the response. I remain unconvinced, so will have to test my theory when I can get a partner to test my app, and see if I can collect their data without any access to their account. Given how the API works, and how Domain-Wide Delegation works, I don't see anything that would prevent a clever customer who knows about another customer from collecting their data - the only "authentication" done in the API, aside from the app's client ID/key, is the so-called "user e-mail", which is to say the e-mail address of the admin in the target domain. – MushyMiddle Oct 23 '15 at 14:56

1 Answer

To answer my own question, after testing this on another customer's GfW account, this is just as insecure as I thought it was. I had no problem collecting data using the same service account creds from two different accounts, the sole "secret" being the admin e-mail address for each account.

This is a missing piece in Google's documentation: Domain-Wide Delegation should not be used with the same service account credentials on multiple accounts, or those accounts will be able to access each other's data. So, if you plan on delivering an app to customers that needs headless API access, either use something like the OAuth web server flow, or create a separate set of service account credentials for each customer.

Left unclear in Google's docs are what limits, if any, exist on the number of credentials or apps a developer can create, so if you plan on having a lot of customers, service accounts and DWD may not be an option.

MushyMiddle
  • I was worried about the same thing; this seems so arbitrary for Google to do. Either you must use a user to authenticate tokens (each hour) or you must authorize a server/app to have complete use over whatever permissions it gives - in the whole domain! The only saving grace seems to be that for documents and spreadsheets you can't access them without knowing the ID ahead of time. – Jono Jul 28 '17 at 16:30
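The mechanics behind the answer, as an added example that is not from the thread or from Google's libraries: the claim set a DWD client signs with its service account key (the `iss`/`sub`/`scope`/`aud` fields are the real ones; signing and the token exchange are left to the client library). With one shared service account, the impersonated admin in `sub` is the only tenant-specific field, so the app itself must enforce which admin each customer may name. The tenant registry, service account addresses and admin addresses are constructed placeholders.

```python
import time

TOKEN_AUD = "https://oauth2.googleapis.com/token"
DIRECTORY_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"

# Constructed registry (hypothetical values): each customer is bound to the
# service account that customer authorized for DWD and to the single admin
# account the app is allowed to impersonate in that customer's domain.
TENANTS = {
    "customer-a": {"sa": "sa-a@proj-a.iam.gserviceaccount.com", "admin": "admin@a.example"},
    "customer-b": {"sa": "sa-b@proj-b.iam.gserviceaccount.com", "admin": "admin@b.example"},
}

# Hypothetical shared service account authorized in every customer domain.
SHARED_SA = "collector@shared-proj.iam.gserviceaccount.com"


def shared_sa_claims(admin_email, now=None):
    """Pattern the answer tested: one service account for all customers.
    Nothing in the credential ties it to a tenant; whatever admin address the
    caller supplies as 'sub' decides whose domain the token will act in."""
    now = int(now if now is not None else time.time())
    return {"iss": SHARED_SA, "sub": admin_email, "scope": DIRECTORY_SCOPE,
            "aud": TOKEN_AUD, "iat": now, "exp": now + 3600}


def tenant_bound_claims(tenant_id, requested_admin, now=None):
    """Hardened pattern: a per-customer service account (so the key itself is
    only authorized in one domain) plus a server-side check that 'sub' is the
    admin registered for the tenant the current session belongs to."""
    tenant = TENANTS[tenant_id]
    if requested_admin.lower() != tenant["admin"]:
        raise PermissionError(f"{requested_admin} is not the registered admin for {tenant_id}")
    now = int(now if now is not None else time.time())
    return {"iss": tenant["sa"], "sub": requested_admin, "scope": DIRECTORY_SCOPE,
            "aud": TOKEN_AUD, "iat": now, "exp": now + 3600}


if __name__ == "__main__":
    # Same credential, two domains: only 'sub' differs.
    print(shared_sa_claims("admin@a.example")["iss"] == shared_sa_claims("admin@b.example")["iss"])
    # Session for customer A may not request a token for customer B's admin.
    try:
        tenant_bound_claims("customer-a", "admin@b.example")
    except PermissionError as exc:
        print("refused:", exc)
```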