Google's docs are not too clear on whether this is possible.

I have an OAuth configured for SSO into my organisation's application which is working correctly.

I also wish to create a Google Workspace Marketplace App (https://workspace.google.com/marketplace) which is installable by other organisations which will allow me to query (or possibly receive change notifications) on their directory of users, ultimately with the end goal of automatically provisioning their users within my application (This application will be a backend application which will run periodically).

Is this possible?

Mark Walsh
  • I've never tried this before nor have the experience, but I believe this can be possible via the Directory API (see developers.google.com/admin-sdk/directory). Once a user gives authorization to your app, you could query the info you need from the user using the API, then pass it to your backend application. However, you may possibly encounter this issue about "Not Authorized to access this resource/api" when using the API, given the users of your app will be from different organizations/domains. More info can be viewed at stackoverflow.com/a/64258641/15384825. – Irvin Jay G. – SputnikDrunk2 Jul 16 '21 at 16:44

1 Answer

So this is possible. You have to create a Marketplace App as described here:

https://developers.google.com/workspace/marketplace/how-to-publish

And also enable domain-wide delegation:

https://developers.google.com/admin-sdk/directory/v1/guides/delegation

You then will be able to impersonate admin users for specific (I couldn't figure out a way of authenticating without performing impersonation)

Code snippet in C# - NOT PRODUCTION GRADE CODE

using Google.Apis.Auth.OAuth2;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Admin.Directory.directory_v1.Data;
using Google.Apis.Services;
using System.Linq;

namespace AdminSDKDirectoryQuickstart
{
    class Program
    {
        // Read-only user scope: listing the directory needs nothing broader
        static string[] Scopes = { DirectoryService.Scope.AdminDirectoryUserReadonly };
        static void Main(string[] args)
        {
            // credentials.json is the service account key file.
            // CreateWithUser names the admin user the service account impersonates
            // through domain-wide delegation.
            var credential = GoogleCredential.FromFile("credentials.json")
                .CreateWithUser("YOUR_ADMIN_USER@ORGANIZATION.COM")
                .CreateScoped(Scopes);

            var service = new DirectoryService(new BaseClientService.Initializer()
            {
                HttpClientInitializer = credential
            });

            var request = service.Users.List();
            request.Customer = "my_customer"; // Alias for the customer of the admin user specified in the credential
            request.MaxResults = 500; // Page size; further pages are reached via result.NextPageToken
            var result = request.Execute();

            // UsersValue is null when the page contains no users
            foreach (var user in result.UsersValue ?? Enumerable.Empty<User>())
            {
                // Do something with the user
            }
        }
    }
}

Mark Walsh
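
An added example (not the answerer's code) that extends the snippet above to the periodic multi-tenant job described in the question: one service account key impersonates each customer's admin with the read-only scope, follows pagination, and skips tenants where the token exchange or the Directory API call is refused. The tenant admin addresses and the class name are hypothetical; the exception types are those of the Google .NET client library.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using Google;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Admin.Directory.directory_v1.Data;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Responses;
using Google.Apis.Services;

static class TenantDirectorySync
{
    // Constructed sample tenants (hypothetical); load these from your own tenant store.
    static readonly string[] TenantAdmins = { "admin@customer-one.example", "admin@customer-two.example" };
    // Streams every user of the impersonated admin's customer, following NextPageToken.
    static IEnumerable<User> ListAllUsers(GoogleCredential serviceAccount, string adminEmail)
    {
        var credential = serviceAccount.CreateWithUser(adminEmail)
            .CreateScoped(DirectoryService.Scope.AdminDirectoryUserReadonly); // read-only scope only
        var service = new DirectoryService(new BaseClientService.Initializer { HttpClientInitializer = credential });
        string pageToken = null;
        do
        {
            var request = service.Users.List();
            request.Customer = "my_customer"; // customer of the impersonated admin
            request.MaxResults = 500;
            request.PageToken = pageToken;
            var page = request.Execute();
            foreach (var user in page.UsersValue ?? new List<User>()) yield return user;
            pageToken = page.NextPageToken;
        } while (!string.IsNullOrEmpty(pageToken));
    }
    static void Main()
    {
        var serviceAccount = GoogleCredential.FromFile("credentials.json"); // one key, many tenants
        foreach (var admin in TenantAdmins)
        {
            try
            {
                var count = 0;
                foreach (var user in ListAllUsers(serviceAccount, admin)) count++; // provision user here
                Console.WriteLine($"{admin}: {count} users");
            }
            catch (TokenResponseException e) // token exchange refused, e.g. delegation not granted or revoked
            { Console.Error.WriteLine($"{admin}: no token ({e.Error?.Error}); skipping tenant"); }
            catch (GoogleApiException e) when (e.HttpStatusCode == HttpStatusCode.Forbidden)
            { Console.Error.WriteLine($"{admin}: 403 from Directory API ({e.Message}); skipping tenant"); }
        }
    }
}
```

Because the same key can impersonate users in every tenant that authorized the client, keep the key file out of source control and take each tenant's admin address from your own records rather than from request input.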