0

I want to authenticate G Suite users so that they can create groups from my company's application. I have to do so using cURL. What URL should I send a POST request to?

For example, if I want to log in a user to Google Plus, I would hit this URL:

```php
CURLOPT_URL => "https://www.googleapis.com/plus/v1/people/me?access_token=" . $access_token,
```

What is the URL for G Suite?

Lynob
  • I contacted G Suite support, they told me to ask here and I did. – Lynob Nov 16 '18 at 01:15
  • Have you checked the documentation for G Suite Admin Settings (https://developers.google.com/admin-sdk/admin-settings/)? – MαπμQμαπkγVπ.0 Nov 16 '18 at 08:57
  • @MαπμQμαπkγVπ.0 I have read it, didn't find anything useful, have I missed something? In addition, there's a banner on that page that says `Warning: Admin Settings API will be deprecated soon.` So is this really the way to go? – Lynob Nov 16 '18 at 09:48
  • The method that you showed starting with `CURLOPT_URL` does not authenticate users. You are using an OAuth 2.0 Access Token which is already authenticated. If your goal is `authentication` with curl you cannot. You would have to implement the OAuth 2.0 flow which requires callbacks. If your goal is to access the Directory APIs with an existing token, that is much easier `https://www.googleapis.com/admin/directory/v1`. Rethink what you are asking and edit your question so that we can help you. – John Hanley Nov 17 '18 at 22:24
  • @JohnHanley I know I have an access token; my goal is to know whether an access token is valid or not. The user sends an access token from the client side, I want to check if his token is valid and, if so, I want to get his info. – Lynob Nov 18 '18 at 00:26
  • @JohnHanley Someone at the company we bought the backend from wrote this long ago: https://pastebin.com/B1uFCY9b. That's a login with Google Plus; notice how he appends the access token to the URL and checks if it's valid, and if so pulls the details of a user. I want to implement the same exact script, but by changing the cURL URL to G Suite instead. – Lynob Nov 18 '18 at 00:28
  • I just created and then updated my answer so that you know how to do this. – John Hanley Nov 18 '18 at 01:39

1 Answer

2

If your goal is to retrieve the information about a user in G Suite:

```php
CURLOPT_URL => "https://www.googleapis.com/admin/directory/v1/users/john@example.com?access_token=" . $access_token,
```

Note: Please consult the Directory API on how delegation is performed. This is required. Normal Access Tokens will not work without Domain-wide Delegation enabled.

Your credentials (Access Token) will need the correct scopes:

https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.user

Your credentials will need the correct delegation.

Python example:

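```python
from google.oauth2 import service_account

# Scopes needed to manage groups and read users through the Directory API
SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.user",
]

# JSON key file of the service account
key_file = 'google-directory-api-service-account.json'

SERVICE_ACCOUNT_EMAIL = 'directory@development-123456.iam.gserviceaccount.com'
ADMIN_EMAIL = 'gsuite-admin@example.com'

credentials = service_account.Credentials.from_service_account_file(
    key_file,
    scopes=SCOPES)

# Impersonate the G Suite admin (requires Domain-wide Delegation)
credentials = credentials.with_subject(ADMIN_EMAIL)
```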

Domain-wide Delegation

See the bottom of this answer for common errors that I have seen when setting up G Suite access.

If your goal is to retrieve information stored within a Google OAuth 2.0 Token:

These URLs expect a Google OAuth 2.0 Access Token. The `alt=json` parameter specifies returning JSON.

Examples that you can test in a command prompt:

```shell
# Certificate verification is left on (curl's default); the access token is a bearer credential.
curl "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ACCESS_TOKEN"

curl "https://www.googleapis.com/oauth2/v1/userinfo?alt=json&access_token=ACCESS_TOKEN"
```

There is also the v3 endpoint for :

```shell
curl "https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ACCESS_TOKEN"
```

Common problems when setting up API access to G Suite:

  • Access Not Configured. Admin Directory API has not been used in project 123456789012 before or it is disabled.

Go to the Google Cloud Console. Enable the API for Admin SDK.

  • Not Authorized to access this resource/api.

You have not set up Domain-wide delegation correctly.

  • Client is unauthorized to retrieve access tokens using this method

You tried to set up Domain-wide delegation on an existing service account. You need to create a new service account that does not have any IAM Roles assigned.

John Hanley
  • Awesome! Thank you so much – Lynob Nov 18 '18 at 01:42
  • Everything works great, but I had to load the original for the project, not the JSON file of the service; that did not work. In your example it seems that you are using the JSON file of the service you created, not the JSON file of the project, am I mistaken? – Lynob Nov 19 '18 at 01:41
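
Added example (not part of the original answer or of any Google library): a Python check for the case raised in the comments, where a server receives an access token from a client and looks it up through the v3 tokeninfo endpoint shown in the answer. The client ID, user and sample responses are constructed, and the policy itself (compare `aud` with your own client ID, require the group scope, require a verified e-mail in your domain) is an assumption about what the application should enforce.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://www.googleapis.com/oauth2/v3/tokeninfo"  # from the answer

def fetch_tokeninfo(access_token, timeout=5):
    """Query tokeninfo as in the answer's curl call; TLS verification stays on."""
    url = TOKENINFO_URL + "?" + urllib.parse.urlencode({"access_token": access_token})
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError:
        return None  # non-2xx response: treat the token as invalid

def validate_tokeninfo(info, client_id, required_scopes, domain):
    """Return (ok, detail) for a parsed tokeninfo response (v3 field names)."""
    if not isinstance(info, dict) or "error" in info or "error_description" in info:
        return False, "rejected by tokeninfo"
    # A token minted for another application must not be accepted here.
    if info.get("aud") != client_id:
        return False, "audience mismatch"
    try:
        remaining = int(info.get("expires_in", 0))  # v3 returns numbers as strings
    except (TypeError, ValueError):
        return False, "bad expires_in"
    if remaining <= 0:
        return False, "expired"
    granted = set(str(info.get("scope", "")).split())
    if set(required_scopes) - granted:
        return False, "missing scope"
    email = str(info.get("email", ""))
    verified = str(info.get("email_verified", "")).lower() == "true"
    if not verified or not email.lower().endswith("@" + domain.lower()):
        return False, "not a verified account in the expected domain"
    return True, email

# Constructed sample responses (hypothetical client ID and user), not real output.
CLIENT_ID = "1234567890-example.apps.googleusercontent.com"
GROUP_SCOPE = "https://www.googleapis.com/auth/admin.directory.group"
GOOD = {"azp": CLIENT_ID, "aud": CLIENT_ID, "sub": "1000000000000000001",
        "scope": GROUP_SCOPE + " https://www.googleapis.com/auth/userinfo.email",
        "expires_in": "3412", "email": "john@example.com", "email_verified": "true"}
OTHER_APP = dict(GOOD, aud="9999999999-other.apps.googleusercontent.com")

if __name__ == "__main__":
    for name, info in [("good", GOOD), ("other app", OTHER_APP), ("invalid", None)]:
        print(name, validate_tokeninfo(info, CLIENT_ID, [GROUP_SCOPE], "example.com"))
```

In a live handler the dictionary would come from `fetch_tokeninfo(token)`; a `None` result falls through to the "rejected by tokeninfo" branch.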