3
votes

I have set up an integration using GSuite Domain wide delegation + service account which allows us to act as any user within our domain.

Currently this method isn't a very "user friendly" option for our customers at rulerr.com and I'm seeking to run through the OAuth2 consent process for other domains outside of our Organization.

Ideally they would be able to consent as an admin (known as admin consent) and then we can access all user data (calendars/mail/drive) by simply retrieving a token or two.

This is possible via Microsoft Graph with application and delegated permissions (see https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/)

Can anyone tell me if this is possible in GSuite? I cannot find any information other than for service accounts for a single Organization.

2
Hi Bravin, thanks for the reply. Yes I have read that page - it was that page that allowed me to create the original integration which unfortunately only allows access to the organization in which the service account is set up. - laurieodgers

The service account does not depend on the domain. If you want the service account to work on a different domain, you have to ask the domain admin to put the client ID and the scope into the admin console API access page. - Bravin Balasubramaniam

Yes this is certainly an option, however I don't find it to be a very user friendly method. I was hoping that we could present an admin consent page which would alleviate the technical/manual method of adding the integration details to the API access page? - laurieodgers

If you want to do that, the only option is to publish your application in the Google App Marketplace so you can provide a consent page through the Marketplace SDK configuration. Read this document for further details: developers.google.com/apps-marketplace/preparing - Bravin Balasubramaniam

2 Answers

3
votes

For anyone looking for an answer to this question with more detail than what is available in the Google API documentation, this page helped me a lot: http://youdontneedacrm.tumblr.com/post/81479000201/tutorial-create-your-application-in-google-marketplace

1
votes

"Admin consent" is given when the admin of rulerr.com authorizes the client_id of your API Service Account in their G Suite domain. This can be done two ways:

  1. Admin of rulerr.com adds your client_id to the Security-->Manage API Client Access section of the G Suite admin site. This grants your API client access to all accounts in their domain instance for the scopes authorized.
  2. If you enable the Marketplace SDK in your API project and create/deploy a marketplace app, their admins can install that app to their domain which grants consent for all users, except they can OU limit it so that it is only granted for users in the OUs they choose.
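
Whichever route the customer admin uses, the service account then obtains a per-user token by sending a signed JWT whose `sub` claim names the user to impersonate. The following is an added example, not code from this thread or from Google: it builds that token request and refuses users or scopes that the user's domain admin has not authorized. The `AUTHORIZED` table, the example domains and the function names are assumptions, and the caller supplies `sign`, which must produce the RS256 signature with the service account's private key.

```python
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://oauth2.googleapis.com/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed sample data (hypothetical): the scopes each customer admin
# authorized for our client_id, recorded by us when the customer onboarded.
AUTHORIZED = {
    "customer-a.example": {"https://www.googleapis.com/auth/calendar.readonly"},
    "customer-b.example": {"https://www.googleapis.com/auth/calendar.readonly",
                           "https://www.googleapis.com/auth/drive.readonly"},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def delegation_claims(sa_email, user, scopes, now=None):
    """JWT claim set for impersonating `user` via domain-wide delegation."""
    domain = user.rsplit("@", 1)[-1].lower()
    allowed = AUTHORIZED.get(domain)
    if allowed is None:
        raise PermissionError(f"{domain} has not authorized this client")
    extra = set(scopes) - allowed
    if extra:
        raise PermissionError(f"not authorized by {domain}: {sorted(extra)}")
    now = int(time.time()) if now is None else now
    return {"iss": sa_email, "sub": user, "scope": " ".join(sorted(scopes)),
            "aud": TOKEN_URL, "iat": now, "exp": now + 3600}

def token_request_body(claims, sign):
    """Form body to POST to TOKEN_URL; `sign(bytes) -> bytes` is the caller's
    RS256 signer over the JWT signing input (assumption: not implemented here)."""
    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header).encode()) + "." +
                     b64url(json.dumps(claims).encode()))
    assertion = signing_input + "." + b64url(sign(signing_input.encode()))
    return urlencode({"grant_type": GRANT_TYPE, "assertion": assertion})
```

The same service account key is used for every customer domain; only `sub` and the scopes change, which is why the per-domain check sits in front of the signing step.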