4

I'm integrating some of our company's internal applications to use our GSuite instance for authenticating our employees when they log in, using GSuite's support for Open ID Connect.

However, our applications uniquely identify the users using our internal "employee ID" to log in, instead of our GSuite email address. I see that it is possible to store/manage an "employee ID" within gsuite, however I'm not sure how I can retrieve this information after the user has successfully authenticated.

Currently, I'm getting back a list of "claims" from the userinfo endpoint, but these claims only include the name and email address of the user. I also need the phone number and employee ID which we've configured on GSuite.

Is it a matter of requesting additional scopes to start off with? Or do I need to make a separate request to retrieve the additional user information?

I see that there is an Admin Directory API but it appears that would be for accessing the information of ALL users within the domain, whereas I'm only interested the extended details of the CURRENT user.

Barry Pitman
  • 3,087
  • 1
  • 24
  • 32

1 Answers1

0

Ultimately, I created a service account with scope https://www.googleapis.com/auth/admin.directory.user.readonly to call GET https://www.googleapis.com/admin/directory/v1/users/<current_user>. I had to delegate domain-wide authority to the service account, as well set it up to impersonate an admin user.

It seems like overkill, since I only need extended details of the current user, for which I already have an OAuth2 access token.

I found this question quite helpful in resolving the issue.

If anyone can provide an answer that makes use of the OAuth2 access token, I'd still appreciate it

Barry Pitman
  • 3,087
  • 1
  • 24
  • 32