We've been working on a Google Apps app meant to be installed by a domain administrator. We initially tried to list it via the (now deprecated) market listing, but all new submissions must now go through the Google Apps Marketplace SDK.
We're having an issue with the new GAM SDK SSO, however: despite having installed it on our domain internally, each user is prompted via the consent screen when we send them to the OAuth login URL. The OAuth URL is asking for the same permission scope as is registered in the GAM SDK configuration screen.
The docs seem to be entirely conflicting on how to pull off non-challenged SSO for apps installed by the GA admin.
What URL, with what params, should we be sending users to in order to authenticate with GA without being asked for (presumably already granted) consent?
Can you share the code with which you are asking for authorization?
9 out of 10 times, if each user in the domain is getting prompted, that is because you are asking for "offline" access. Domain-wide authorization cannot be done for offline access. In Python, for instance, you can do that like this:
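    from oauth2client.client import OAuth2WebServerFlow

    # GOOGLE_AUTH_CALLBACK_URL, SCOPES and client_info (the parsed client
    # secrets for the app) are defined elsewhere in the application.
    constructor_kwargs = {
        'redirect_uri': GOOGLE_AUTH_CALLBACK_URL,
        'auth_uri': client_info['auth_uri'],
        'token_uri': client_info['token_uri'],
        # Request online access so the domain-wide grant applies.
        'access_type': 'online',
    }
    flow = OAuth2WebServerFlow(client_info['client_id'],
                               client_info['client_secret'],
                               SCOPES, **constructor_kwargs)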
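To check the URL your app actually redirects to, here is an added example (not part of the original answer) that builds the authorization URL and reports the query parameters that bring the consent screen back. It goes slightly beyond the answer by also flagging `approval_prompt=force` and `prompt=consent`, which force consent in the same way; the endpoint value, function names and sample client values are assumptions.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed endpoint; in the answer's code this comes from client_info['auth_uri'].
AUTH_URI = "https://accounts.google.com/o/oauth2/auth"


def build_auth_url(client_id, redirect_uri, scopes, access_type="online"):
    """Build the authorization URL a user is redirected to (hypothetical helper)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "access_type": access_type,
    }
    return AUTH_URI + "?" + urlencode(params)


def consent_triggers(auth_url):
    """Return the parameters in auth_url that cause a per-user consent prompt
    even though a domain admin has already installed the app."""
    query = parse_qs(urlparse(auth_url).query)
    found = []
    # Offline access asks for a refresh token, which each user must approve.
    if query.get("access_type", ["online"])[0] == "offline":
        found.append("access_type=offline")
    # Legacy parameter that always re-displays the consent screen.
    if query.get("approval_prompt", [""])[0] == "force":
        found.append("approval_prompt=force")
    # Newer equivalent; prompt is a space-separated list of values.
    if "consent" in query.get("prompt", [""])[0].split():
        found.append("prompt=consent")
    return found


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url = build_auth_url("example-id.apps.googleusercontent.com",
                         "https://app.example.com/oauth2callback",
                         ["openid", "email"], access_type="offline")
    print(url)
    print(consent_triggers(url))
```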