Apps Marketplace SSO

1
votes

We have a Google Apps Marketplace App (that is also available as a consumer App in the Chrome Webstore).

We are have the following problems with SSO:

1) We are using the following OAuth2 scopes:

openid
profile 
email 
https://www.googleapis.com/auth/drive.install
https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/drive.readonly

in the redirect to 

https://accounts.google.com/o/oauth2/auth

3) I cannot enter the scopes 

openid
profile 
email

into the Google Apps Marketplace SDK console. I used:

https://www.googleapis.com/auth/userinfo.email  
https://www.googleapis.com/auth/userinfo.profile

instead (which are deprecated).

We also request 

https://www.googleapis.com/auth/cloudprint

there (because we might need it later on)

4) I can install the app as domain administrator and use it normally (without any authorization dialog).

5) When I try to login as a domain user, an authorization dialog appears. How do we prevent this?

6) When the user want to connect a cloud printer to our app, we later request the required scope (which we need for offline use (ie we need a refresh token), because it is used for data coming in over an API interface). Even the domain admin is asked for permission in this case. How do we prevent it?

2
single-sign-ongoogle-apps-marketplace

2 Answers

2
votes

you need to add following scope in the "Google Apps Marketplace SDK" console in addition to the default scope

https://www.googleapis.com/auth/plus.me

click "TEST INSTALL FLOW" if not already installed

Then go to admin.google.com search for your application and open it. Then under Data access provide grant.

Now you can you login to the application with any domain user and it won't ask for consent.

Hope this helps.

1
votes

I think app installed by domain admin doesn't auto-approve offline access yet.

See Google Apps Marketplace SDK + Domain-wide OAuth 2 SSO