1
votes

Trouble getting Service Account authorized for Marketplace app

In the process of publishing our app, we require two types of consent:

  1. Directory-wide consent by an admin for SSO, on behalf of all users ("https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile").
  2. Domain-Wide authority of https://www.googleapis.com/auth/calendar.events

The credential type we are using for 1 is OAuth Web ClientId, since there is a browser-based user login. The credential type we are using for 2 is Service Account, since we want to read calendars offline.

The problem is that when the app is installed from the marketplace, only the OAuth WebClientId is added to "Authorized API clients" in the installer's G Suite Admin portal. The service account is not added, and therefore doesn't get access.

What is the solution? We tried "Enable Domain-Wide authority" on the Service Account; it did create an OAuth Web ClientId, but it does not allow for setting up redirect URLs.


1 Answer

1
votes

Apparently we already had access via the service account - it is not necessary for the service account client_id to appear in "Authorized API Clients".

As long as 1) you enable "domain-wide authority" on the service account, and 2) the App project is the same project as the service account, it should work.
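A preflight check for the second condition in the answer, plus the claim set a delegated token request carries, written as an added example that is not part of the original post. The project ID, e-mail addresses, client IDs and function names are constructed placeholders; signing the claims (RS256 with the service account's private key) and the token exchange are left to Google's auth library.

```python
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
CALENDAR_SCOPE = "https://www.googleapis.com/auth/calendar.events"

# Constructed samples of the two downloaded credential files (no real secrets).
SERVICE_ACCOUNT_KEY = {
    "type": "service_account",
    "project_id": "example-marketplace-app",
    "client_email": "calendar-reader@example-marketplace-app.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "token_uri": TOKEN_URI,
}
WEB_CLIENT = {
    "web": {
        "client_id": "123456789012-example.apps.googleusercontent.com",
        "project_id": "example-marketplace-app",
    }
}


def same_project(sa_key, web_client):
    """True when the service account and the OAuth web client share one project."""
    sa_project = sa_key.get("project_id")
    return bool(sa_project) and sa_project == web_client.get("web", {}).get("project_id")


def delegated_claims(sa_key, user_email, scopes, now=None, lifetime=3600):
    """Unsigned claim set for a delegated request; `sub` is the user to act as."""
    if sa_key.get("type") != "service_account":
        raise ValueError("not a service account key")
    if not user_email or "@" not in user_email:
        raise ValueError("delegation needs the e-mail of a user in the installing domain")
    if not 0 < lifetime <= 3600:
        raise ValueError("assertion lifetime must be at most one hour")
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": sa_key["client_email"],            # the service account itself
        "sub": user_email,                        # whose calendar is read offline
        "scope": " ".join(sorted(set(scopes))),   # request only what was consented to
        "aud": sa_key.get("token_uri", TOKEN_URI),
        "iat": now,
        "exp": now + lifetime,
    }
```

Keeping `scopes` to the single calendar scope the admin approved means a leaked service account key cannot be used to request broader access through this code path.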