Obtaining persistent token for accessing users data under Google domain

Question

I am trying to implement a Google APPs Marketplace application. Some parts of the application are web-based and other parts simply need offline access to users data.

During installation, the Google domain administrator grants access to the data required by the application (e.g Calendar).

For the web-based part of the application, users use OpenID+OAuth, so the application can access the user's data (this works fine).

Questions:

1. What should be the best practice for the offline part to gain access to users data ?
2. Do I have to store a persistent access token for EACH user in the domain ?
3. Can I avoid the need for each user to grant access to their data (after domain administrator has already done this at the domain level) ?
4. Is there a way to utilize OpenId from a background application ?

Answer 1

Since Sean M in fact answered you to the question no. 4 with his comment, I will handle other three:

You can use 2-legged oAuth. Using 2-legged oAuth, application can access services and data that were granted to it during installation process (for example Read/Write access to Calendar) without any additional approval from user.

In 2-legged oAuth there are no tokens. Instead, the app is provided with oAuth key and secret and uses these to access Google services and read/write data.

More reading: http://code.google.com/intl/cs/googleapps/marketplace/tutorial_java.html#Integrate-OAuth