Background

Our corporate users have a Google Apps account. We would like to allow them (and only them) to log in to an extranet using the Google account. Ideally we would also like to manage permissions through the Google domain management UI. One thought is to create groups and associate group membership with extranet permissions.

Research

Google Apps supports login using OAuth 2.0 and also supports provisioning via API, which would allow us to test if a user is a member of a group. The Provisioning API presumably requires administrator credentials.

Question

Is it possible to programmatically determine whether a Google Apps user is a member of a group without requiring domain administrator credentials?

Is there a better way to accomplish this goal?

1 Answer

The API call to check group membership does require at least a delegated admin with rights to read groups via the API. If you utilize the new Google Admin SDK membership API call, you can also limit the scope to readonly:

https://www.googleapis.com/auth/admin.directory.group.readonly

The Admin SDK utilizes OAuth 2.0 which does not require the delegated admin's username/password, only the OAuth token.

Comments:

  • Do you know if this scope is available to service accounts? I've successfully used it with an OAuth callback using a normal account, but not yet with a service account/private key. I'm having trouble setting up the permissions. – Eric Walker Nov 13 '13 at 03:56
  • This is such an important question/answer, it really needs more clarity to ensure we Just Get Things Right(tm). @jaylee, please can you clarify: when making the API call to check the group membership (Members: get) while using a service account's credentials, which admin account should we be impersonating? Should there be a dedicated admin account for this purpose? – Andrew Mar 02 '15 at 13:00
  • You can use a service account which has been authorized for this scope. Check out the following guide from Google: https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority – Paul May 11 '16 at 14:52
  • Some concrete code examples would be extremely helpful. I've been struggling trying to implement this exact feature for days. – Mario Feb 02 '19 at 19:42
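As an added example (not code from the question, the answer or Google), a standard-library Python sketch of the flow the answer and Andrew's comment describe: the JWT claim set for domain-wide delegation, where `sub` is the delegated admin the service account impersonates, and a read-only membership check through the Directory API's members.hasMember endpoint. The service-account, admin and group addresses are placeholders, and the HTTP transport is injectable so the request building and response handling can be exercised offline.

```python
"""Group membership check against the Admin SDK Directory API with a service
account under domain-wide delegation. Standard library only; the HTTP transport
is injected so the request and response handling can be tested without network."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Read-only scope from the answer; it must also be granted to the service
# account's client ID under domain-wide delegation in the Admin console.
SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"
TOKEN_URI = "https://oauth2.googleapis.com/token"
DIRECTORY = "https://admin.googleapis.com/admin/directory/v1"


def delegation_claims(service_account_email, delegated_admin, now=None):
    """JWT claim set for the service-account assertion. 'iss' is the service
    account; 'sub' is the delegated admin it impersonates (an account holding
    group read rights, not a super admin). Lifetime is capped at one hour.
    Sign it RS256 with the service account key and post it to TOKEN_URI with
    grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer to get a token."""
    iat = int(time.time() if now is None else now)
    return {"iss": service_account_email, "sub": delegated_admin, "scope": SCOPE,
            "aud": TOKEN_URI, "iat": iat, "exp": iat + 3600}


def urllib_get(url, headers):
    """Default transport: returns (status, body) and does not raise on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def is_group_member(group_key, member_key, access_token, http_get=urllib_get):
    """True if member_key (a user email) is a direct or nested member of
    group_key, via members.hasMember. 401/403 means the token, scope or
    delegated admin is wrong; raise rather than silently deny or grant."""
    url = "{}/groups/{}/hasMember/{}".format(
        DIRECTORY, urllib.parse.quote(group_key, safe=""),
        urllib.parse.quote(member_key, safe=""))
    status, body = http_get(url, {"Authorization": "Bearer " + access_token})
    if status == 200:
        return bool(json.loads(body).get("isMember", False))
    if status in (401, 403):
        raise PermissionError("Directory API rejected request (HTTP %d): %s" % (status, body))
    raise RuntimeError("unexpected Directory API response (HTTP %d): %s" % (status, body))
```

The extranet only needs the access token obtained from the signed assertion, never the delegated admin's password, which is the point the answer makes about OAuth 2.0.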