4 votes

Our app has a requirement to access all Gmail mailboxes pertaining to a G Suite account. I am able to accomplish this by following the instructions at https://developers.google.com/admin-sdk/reports/v1/guides/delegation, i.e. manually creating a service account key, enabling domain-wide delegation on the credential and assigning appropriate permissions manually in the G Suite Admin area. This appears to work when manually setting it up for each of our clients; however, the process is complex and cumbersome and is a barrier to adoption.

In an attempt to implement a one-click signup process, as per the requirement for the G Suite Marketplace, I create an OAuth client ID (as opposed to a service account) and use this credential to redirect the user through the consent process as part of the signup process. Thereafter, I use the refresh/access credential to access the G Suite APIs. This works wonderfully, except I am only able to access the mailbox of the logged-in user (not anyone else in the domain). Domain-wide delegation does not appear to be available with a client ID credential.

I do realize that service account credentials have a client ID, but they do not allow the ability to specify acceptable redirect URIs. Therefore, the consent process seems impossible to implement using a service account.

My app is registered with the Chrome store. How can one create a credential, use the consent process to accept permissions, and still have the benefit of domain-wide delegation?

1
Office 365 has the ability for a domain administrator to go through the consent process to authorize access for specific scopes for the entire domain. Google Apps doesn't appear to have an equivalent. From what I can see, it seems you must use a service account for delegated access, and the Google Apps admin is expected to follow a complex procedure to add the scopes. Can anyone confirm this? I was hoping for a one-click setup process. – jamie

1 Answer

6 votes

It seems I need two credentials.

1) Google user authentication - Client ID credential (using a secret)

2) Gmail API access - Service account credential (using a private key) with delegate permission enabled

The Client ID credential in 1) is suitable for authentication or making API calls on behalf of the user (provided consent is given). However, the credential won't work when accessing multiple mailboxes. In this case, a service account credential (2 above) is required.

When using a service account credential, it is still necessary to obtain permission from the user to access specific API scopes. These permissions/OAuth scopes are specified in the Google Marketplace SDK config.

Go to Google Cloud Platform -> APIs & Services Dashboard -> Click Enable APIs and Services -> Type Google Marketplace SDK in the search box -> Select Google Marketplace SDK -> Click Manage. In the Configuration tab, add the required Scopes.

The G Suite admin is prompted from within Google Marketplace to allow scoped permissions when accessing the app for the first time. Unlike Office 365, the consent process is not handled through a consent redirect. The app must be accessed initially from within the Google Marketplace for the correct delegate permissions to be assigned.
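The second credential in the answer works as a JWT-bearer grant: the service account signs an assertion whose `sub` claim names the domain user it acts for, and the domain-wide grant the admin accepted in the Marketplace replaces any per-user consent redirect. The following is an added example, not code from the question or answer above, showing that assertion being built with Python's standard library and the request body that goes to Google's token endpoint; it also checks the requested scopes against the list the admin granted, since anything outside the Marketplace SDK configuration is refused. The service-account email, user address and the placeholder signer in the `__main__` block are constructed values; the real signature is RSA-SHA256 with the private key from the service-account JSON, which `rs256_signer_from_pem` produces when the `cryptography` package is installed.

```python
import base64
import json
import time
from typing import Callable, Dict, Iterable, List

# Google's OAuth 2.0 token endpoint and the JWT-bearer grant type it accepts
# for service-account assertions (both documented by Google).
TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def missing_scopes(requested: Iterable[str], granted: Iterable[str]) -> List[str]:
    """Scopes the app wants but the admin has not granted for the domain.
    `granted` is the scope list configured in the Marketplace SDK and accepted
    by the G Suite admin; a token request for anything outside it is refused."""
    return sorted(set(requested) - set(granted))


def delegation_claims(service_account_email: str, subject: str,
                      scopes: Iterable[str], now: int,
                      lifetime_seconds: int = 3600) -> Dict[str, object]:
    """Claim set for a domain-wide-delegation assertion.
    `sub` is the mailbox owner the service account acts for; there is no
    per-user consent redirect, the admin's domain grant stands in for it."""
    scopes = list(scopes)
    if not scopes:
        raise ValueError("at least one scope is required")
    if not 0 < lifetime_seconds <= 3600:
        raise ValueError("Google caps assertion lifetime at one hour")
    return {
        "iss": service_account_email,
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime_seconds,
    }


def build_assertion(claims: Dict[str, object],
                    sign: Callable[[bytes], bytes]) -> str:
    """Encode header.payload and append the RS256 signature produced by `sign`
    (which must sign with the private key from the service-account JSON)."""
    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    return signing_input + "." + _b64url(sign(signing_input.encode()))


def token_request_body(assertion: str) -> Dict[str, str]:
    """Form fields POSTed to TOKEN_URI to exchange the assertion for an access token."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def decode_claims(assertion: str) -> Dict[str, object]:
    """Read the claim set back (no signature check; for inspection and logging)."""
    return json.loads(_b64url_decode(assertion.split(".")[1]))


def rs256_signer_from_pem(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """Real signer using the `cryptography` package, imported lazily so the
    rest of the module runs without it."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


if __name__ == "__main__":
    # Constructed sample values; a placeholder signer stands in for the real key.
    granted = [GMAIL_READONLY]          # what the admin accepted in the Marketplace
    wanted = [GMAIL_READONLY]           # what this run of the app needs
    if missing_scopes(wanted, granted):
        raise SystemExit("admin has not granted all required scopes")
    claims = delegation_claims("app-sa@example-project.iam.gserviceaccount.com",
                               "alice@example.com", wanted, int(time.time()))
    assertion = build_assertion(claims, lambda data: b"\x00" * 256)
    print(token_request_body(assertion)["grant_type"])
    print(decode_claims(assertion)["sub"])
```

Because any address in the domain can be placed in `sub`, the service-account key is effectively a domain-wide credential: keep the granted scope list to the minimum the app needs (read-only where possible), store the private key outside the application code, and log which `sub` each token was minted for so mailbox access can be audited per user.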