We have an app in the Google Apps Marketplace (the new one, i.e. using OAuth2) which needs to get a list of users in the domain.
We're currently using the Provisioning API for this (which we know is deprecated, but there seems to be no better option). Lately however, we're starting to get "You are not authorized to access this API" 403's, for some domains.
Does anyone know why we're suddendly getting 403's, a bug perhaps? There seem to be some other bugs as well, for example the scope https://apps-apis.google.com/a/feeds/user/#readonly doesn't work, but https://apps-apis.google.com/a/feeds/user/ does.
Does anyone know when it will be possible to start using the new Admin SDK Directory API to get a list of users? This isn't possible now because even when an administrator installs the app, it would only work if they go to their domain security settings and manually check "Enable API Access", see the related question here: How can I access user info on a domain without the domain administrator enabling API access?
You can start using Admin SDK Directory API. The question you linked to was regarding the case where an admin explicitly disables API access. When they install and an app, we re-enable that setting and let them know.
Not sure about the 403s but that is an older API that is replaced by the Admin SDK.
Related
I'm currently building a web application that works with the Gmail API. I'm waiting for approval from Google's security team to have a proper OAuth connection, but I noticed that users can pre-approve your application by searching within the API Controls settings by your App ID.
This setting is located in the Google Account via: Admin Panel > Security > API Controls > App Access Control.
I noticed that if a user does this before they try to connect your app it doesn't go against your 100 account limit within Google Developer Console while in beta.
My question is, could you have this as permanent solution to get around the Google OAuth application if Google never approves you? Of course, through this method the user is still giving permission, just curious if this has been done by anyone before.
Yes, this is allowed when all your users are Google Workspace users, and is listed under exceptions to verification requirements here: https://support.google.com/cloud/answer/9110914?hl=en. If your application is meant for a broad set of users, completing app verification is necessary.
Yes, this is allowed when all your users are Google Workspace users, and is listed under exceptions to verification requirements here: https://support.google.com/cloud/answer/9110914?hl=en. If your application is meant for a broad set of users, completing app verification is necessary.
Help
Can an app external to a G-Suite organization manage its SSO settings?
I started by trying to create a client ID/secret for my app as per https://support.google.com/cloud/answer/6158849
A prerequisite for getting a client ID/secret is configuring the app's Consent Screen as per https://support.google.com/cloud/answer/6158849#userconsent
When looking at the "Add Scope" modal, I only see:
Admin SDK ../auth/admin.reports.audit.readonly
Admin SDK ../auth/admin.reports.usage.readonly
How do I get a scope that would allow my app write access to another G-Suite organization's SSO settings?
I am not trying to manage my G-Suite organization's SSO settings.
What you want cannot be achieved essentially because you cannot manage someone else's G-Suite organization's SSO settings. Therefore, no scopes are available for this option.
But if you have access to the domain mentioned, you can use this scope which is the global scope for access to all domain settings.
https://apps-apis.google.com/a/feeds/domain
According to the documentation:
To request access using OAuth 2.0, your application needs the scope information, as well as information that Google supplies when you register your application (such as the client ID and the client secret).
The old admin settings API is still working for SSO settings, just tried. You can manage the SSO settings of any organization that has enabled your project ID with the scope https://apps-apis.google.com/a/feeds/domain/ via a Marketplace install (they install your app) or a manual install as described here
I have been using https://www.google.com/m8/feeds/ to list all users of a domain when the admin installed my web application.
This api has been deprecated for a while and is now disabled. We are advised to use the new directory api.
However, in order to use the directory api, the admin of the domain must have enabled the api access with a checkbox in a deep menu item. It goes without saying that many of them will have the admin api access disabled.
1) On this question Arun Nagarajan said "We are looking into improving this flow" in 2013. Is there any update about this?
2) In another question, jonathanberi seems to say that the admin api is automatically enabled when the user installs the app. But I wasn't able to reproduce this feature, and I can't find any documentation stating this. Is there any (preferably official) documentation that confirms such behaviour?
My team is trying to develop a product for the google apps marketplace and I am having issues with the workflow in the new ADMIN SDK.
With the now deprecated Provisioning API we simply ask for a username and password from the account we are trying to manage.
With the ADMIN SDK it seems as though they would need to go enable the API, create a key and do a lot of manual work for this to happen. This really is a tough option for us as the technical level of our clients is not likely to be able to make this transition.
Is there something like the work flow for the provisioning API where they can enable management from a third party or a recommended workflow for a developer to build an application that can access any number of google apps accounts?
A use case for this is say I want to develop a different option for a console, I want to build a console web app and simply ask for credentials or easy setup routine and allow our users to manage their google apps account in a different way.
Thanks in advance,
Steve
The Admin SDK Directory and Reports APIs work correctly with 2-legged OAuth 1.0a which is what the Google Apps Marketplace currently supports and automates. You do need to turn the Admin SDK on under "Register for additional APIs" from your Vendor Profile page on the marketplace. Also, the Administrative APIs for the domain must be turned on. You'll get a generic error that the domain cannot use the APIs if it's off in which case you can direct the client to the exact CPanel page where they can turn it on.
I would like to have my application http://app.acquee.com/designer to accept a google account as a login. I found a bunch of libs for django but most work on top of existing Django authentication system that I do not use. I have my own set of user tables where I keep user info and privileges.
Any suggestion on how to integrate that with the Google Openid?
Seems I will have to do it manually using python-openid. Or could I use django-openid?
However, with the latter, I don't even know how to issue the discover command.
Regardless, I get stuck on google's step 5, sending a login authentication request (optionally with OAuth parameters) to the provided endpoint address. Can someone provide a sample request? is it a GET/POST? content?
Cheers
You can try https://launchpad.net/django-openid-auth - I'm using it in a commercial project, for both regular Google Accounts and Google Apps accounts. I remember that it was the most convincing one at the time I was doing a review, although I can't give you any details now due to my short memory. Anyway - it's working great.