How to perform G Suite domain-Wide delegation of authority without user intervention?

Our app has a requirement to access all Gmail mailboxes pertaining to a G Suite account. I am able to accomplish this by following the instructions at https://developers.google.com/admin-sdk/reports/v1/guides/delegation, i.e. manually creating a service account key, enabling domain-wide delegation on the credential and assigning appropriate permissions manually in the G Suite Admin area. This appears to work when manually setting it up for each of our clients; however, the process is complex and cumbersome and is a barrier to adoption.

In an attempt to implement a one-click signup process, as per the requirement for the G Suite Marketplace, I create an OAuth client ID (as opposed to a service account) and use this credential to redirect the user through the consent process as part of signup. Thereafter, I use the refresh/access credential to access the G Suite APIs. This works wonderfully, except that I am only able to access the mailbox of the logged-in user (not anyone else in the domain). Domain-wide delegation does not appear to be available with a client ID credential.

I do realize that service account credentials have a client ID, but they do not allow the ability to specify acceptable redirect URIs. Therefore, the consent process seems impossible to implement using a service account.

My app is registered with the Chrome store. How can one create a credential, use consent process to accept permissions, and still have the benefit of domain-wide delegation?

jamie asked Jan 29 '18 15:01



1 Answer

It seems I need two credentials.

1) Google user authentication - Client ID credential (using secret)

2) Gmail API access - Service account credential (using private key) with delegate permission enabled

The Client ID credential in 1) is suitable for authentication or making API calls on behalf of the user (provided consent is given). However, the credential won't work when accessing multiple mailboxes. In this case, a service account credential (2 above) is required.

When using a service account credential, it is still necessary to obtain permission from the user to access specific API scopes. These permissions/OAuth scopes are specified in the Google Marketplace SDK config.

Go to Google Cloud Platform -> APIs & Services Dashboard -> Click Enable APIs And Services -> Type Google Marketplace SDK in the search box -> Select Google Marketplace SDK -> Click Manage. In the Configuration tab, add the required Scopes.

The G Suite admin is prompted from within Google Marketplace to allow scoped permissions when accessing the app for the first time. Unlike Office 365, the consent process is not handled through a consent redirect. The app must be accessed initially from within the Google Marketplace for the correct delegate permissions to be assigned.

jamie answered Sep 28 '22 14:09
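What the answer's second credential does on the wire, as an added example (not the poster's code and not Google's client library): a domain-wide-delegation assertion is an ordinary service-account JWT plus a `sub` claim naming the mailbox owner to impersonate, exchanged at Google's token endpoint with the JWT-bearer grant. The service-account email, customer domain and user addresses below are constructed, and the signer is an HMAC stand-in so the code runs offline; a real assertion must be RS256-signed with the private key from the service account's JSON key file. The checks in `build_delegation_claims` are the ones a defender wants in front of this call: never mint an assertion for a user outside the customer's own domain, never with an empty scope list, and never with a lifetime over Google's one-hour maximum.

```python
import base64
import hashlib
import hmac
import json
import time

# Google's OAuth 2.0 token endpoint; it is the `aud` of a service-account JWT.
TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # Google rejects assertions whose exp is more than 1 hour after iat


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_delegation_claims(sa_email, subject, scopes, customer_domain,
                            now=None, lifetime=MAX_LIFETIME):
    """Claim set for a service-account JWT that impersonates `subject`.

    `sub` is the only thing that separates a domain-wide-delegation token from a
    plain service-account token; without it the access token acts as the service
    account itself, which owns no mailbox. The checks stop the app from minting
    an assertion for a user outside the customer's domain, with no scopes, or
    with a lifetime Google would reject anyway.
    """
    if not scopes:
        raise ValueError("at least one OAuth scope is required")
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    domain = subject.rpartition("@")[2].lower()
    if domain != customer_domain.lower():
        raise ValueError(f"refusing to impersonate {subject}: not in {customer_domain}")
    iat = int(time.time()) if now is None else int(now)
    return {
        "iss": sa_email,            # the service account
        "sub": subject,             # the user whose mailbox will be accessed
        "scope": " ".join(scopes),  # must be a subset of what the admin granted
        "aud": TOKEN_URI,
        "iat": iat,
        "exp": iat + lifetime,
    }


def encode_jwt(claims, signer, alg="RS256"):
    """Serialise header.payload and append the signature produced by `signer`."""
    header = {"alg": alg, "typ": "JWT"}

    def compact(obj):
        return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def decode_claims(jwt):
    """Read the payload back (no signature check) for logging or audit."""
    return json.loads(b64url_decode(jwt.split(".")[1]))


def token_request_body(assertion):
    """Form body POSTed to TOKEN_URI to exchange the assertion for an access token."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


# --- constructed demonstration values ---------------------------------------
SA_EMAIL = "mailreader@example-project.iam.gserviceaccount.com"  # constructed
CUSTOMER_DOMAIN = "example.com"                                  # constructed
GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"


def demo_signer(signing_input: bytes) -> bytes:
    # Stand-in signer so the example runs offline. A real assertion must be
    # RS256-signed with the service account's private key; the header still
    # says RS256 because that is what Google expects from a service account.
    return hmac.new(b"constructed-demo-key", signing_input, hashlib.sha256).digest()


def assertion_for(user_email, now=None):
    """Build the signed assertion for one mailbox owner in the customer's domain."""
    claims = build_delegation_claims(SA_EMAIL, user_email, [GMAIL_READONLY],
                                     CUSTOMER_DOMAIN, now=now)
    return encode_jwt(claims, demo_signer)


if __name__ == "__main__":
    jwt = assertion_for("alice@example.com")
    print(json.dumps(decode_claims(jwt), indent=2))
    print(token_request_body(jwt)["grant_type"])
```

The OAuth client ID from step 1) never appears here: it only identifies the signing-in admin. Everything about which mailboxes the app may read is decided by the `sub` claim plus the scopes the admin approved in the Marketplace listing, so the scope list passed in should be exactly the list configured there and nothing broader.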