
I have set up an integration using GSuite Domain wide delegation + service account which allows us to act as any user within our domain.

Currently this method isn't a very "user friendly" option for our customers at rulerr.com, and I'm seeking to run through the OAuth2 consent process for other domains outside of our Organization.

Ideally they would be able to consent as an admin (known as admin consent) and then we can access all user data (calendars/mail/drive) by simply retrieving a token or two.

This is possible via Microsoft Graph with application and delegated permissions (see https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/).

Can anyone tell me if this is possible in GSuite? I cannot find any information other than for service accounts for a single Organization.

laurieodgers
  • Did you read any of this documentation? https://developers.google.com/identity/protocols/OAuth2ServiceAccount https://developers.google.com/admin-sdk/directory/v1/guides/delegation – Bravin Balasubramaniam Apr 11 '17 at 05:20
  • Hi Bravin, thanks for the reply. Yes, I have read that page. It was that page that allowed me to create the original integration, which unfortunately only allows access to the organization in which the service account is set up. – laurieodgers Apr 11 '17 at 06:12
  • A service account does not depend on the domain. If you want the service account to work on a different domain, you have to ask the domain admin to put the client ID and the scope into the admin console API access page. – Bravin Balasubramaniam Apr 11 '17 at 06:24
  • Yes, this is certainly an option; however, I don't find it to be a very user friendly method. I was hoping that we could present an admin consent page, which would alleviate the technical/manual method of adding the integration details to the API access page? – laurieodgers Apr 11 '17 at 06:45
  • If you want to do that, the only option is to publish your application in the Google Apps Marketplace, so you can provide a consent page through the Marketplace SDK configuration. Read this document for further details: https://developers.google.com/apps-marketplace/preparing – Bravin Balasubramaniam Apr 11 '17 at 09:49
  • That link is very useful, thank you. However, it doesn't describe the OAuth2 consent + service account process. I have set up an OAuth 2.0 client ID as well as a service account within the API console; I can consent using the OAuth2 client ID and receive an access token, but I can't work out how to get the user ID (email) of the administrator in order to authenticate through the service account. – laurieodgers Apr 13 '17 at 06:18

2 Answers

For anyone looking for an answer to this question with more detail than what is available in the Google API documentation, this page helped me a lot: http://youdontneedacrm.tumblr.com/post/81479000201/tutorial-create-your-application-in-google-marketplace

laurieodgers

"Admin consent" is given when the admin of rulerr.com authorizes the client_id of your API Service Account in their G Suite domain. This can be done in two ways:

  1. The admin of rulerr.com adds your client_id to the Security --> Manage API Client Access section of the G Suite admin site. This grants your API client access to all accounts in their domain instance for the scopes authorized.
  2. If you enable the Marketplace SDK in your API project and create/deploy a Marketplace app, their admins can install that app to their domain, which grants consent for all users, except that they can limit it by OU so that it is only granted for users in the OUs they choose.
Michael
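The answer above describes what the customer's admin authorizes (a client_id plus a list of scopes), and the comment thread asks how the service account then acts as that admin. Both halves meet in the JWT bearer assertion the service account sends to Google's token endpoint: `iss` is the service account, `sub` is the user being impersonated (for admin consent, the admin's email, which you would take from the `email` claim of the ID token or the userinfo endpoint after the OAuth2 consent), and `scope` must stay within what the admin listed in "Manage API Client Access". The following is an added example, not code from this page, Google, or rulerr.com; the service-account email, admin email, and authorized-scope list are constructed placeholders, and the RS256 signer is injected (the placeholder signer below does not produce a valid signature; in production you sign with the service account's private key, which is what google-auth's `Credentials.with_subject()` does for you).

```python
"""Build a domain-wide-delegation assertion and check its scopes against
what the customer's admin authorized. Example code added to this page;
all names and values are constructed placeholders."""
import base64
import json
import time
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urlencode

TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # Google rejects assertions valid for longer than one hour


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_delegation_claims(sa_email: str, subject: str, scopes: Iterable[str],
                            now: Optional[int] = None,
                            lifetime: int = MAX_LIFETIME) -> Dict[str, object]:
    """Claim set for a service account acting as `subject` (the impersonated user)."""
    if lifetime <= 0 or lifetime > MAX_LIFETIME:
        raise ValueError("assertion lifetime must be between 1 and 3600 seconds")
    issued_at = int(time.time()) if now is None else now
    return {
        "iss": sa_email,            # the service account (client_id's owner)
        "sub": subject,             # user to impersonate: the consenting admin
        "scope": " ".join(scopes),  # space-delimited, as Google expects
        "aud": TOKEN_URI,
        "iat": issued_at,
        "exp": issued_at + lifetime,
    }


def build_assertion(claims: Dict[str, object], signer: Callable[[bytes], bytes]) -> str:
    """header.payload.signature; `signer` must produce RS256 over the signing input."""
    header = {"alg": "RS256", "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + _b64url(signer(signing_input.encode()))


def token_request_body(assertion: str) -> str:
    """Form body POSTed to TOKEN_URI to exchange the assertion for an access token."""
    return urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": assertion})


def decode_claims(assertion: str) -> Dict[str, object]:
    """Read back the claim set (no signature check; for inspection/logging only)."""
    return json.loads(_b64url_decode(assertion.split(".")[1]))


def unauthorized_scopes(requested: Iterable[str], authorized: Iterable[str]) -> List[str]:
    """Scopes the admin did not list under Manage API Client Access; Google would
    refuse the token, so reject them before sending the request."""
    return sorted(set(requested) - set(authorized))


def placeholder_signer(_signing_input: bytes) -> bytes:
    """Placeholder only: a real deployment signs with the service account's RSA key."""
    return b"RS256-SIGNATURE-PLACEHOLDER"


if __name__ == "__main__":
    # Constructed values standing in for the customer's admin consent entry.
    admin_authorized = [
        "https://www.googleapis.com/auth/calendar.readonly",
        "https://www.googleapis.com/auth/drive.readonly",
    ]
    wanted = admin_authorized + ["https://www.googleapis.com/auth/gmail.readonly"]
    extra = unauthorized_scopes(wanted, admin_authorized)
    if extra:
        print("not authorized by the domain admin, dropping:", extra)
        wanted = [s for s in wanted if s not in extra]
    claims = build_delegation_claims(
        "integration@example-project.iam.gserviceaccount.com",  # placeholder
        "admin@customer-domain.example",                        # placeholder
        wanted,
    )
    assertion = build_assertion(claims, placeholder_signer)
    print(token_request_body(assertion)[:80] + "...")
```

The scope check is the part worth keeping in a real integration: if the admin only authorized read-only calendar and drive scopes, a request that adds Gmail is refused by Google, and checking it locally gives the customer a clear message instead of an opaque token error. Keep `sub` to the specific admin (or user) whose data is needed rather than iterating over every account in the domain unless the product requires it.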