How to get Android Enterprise details related to Gmail account - android-management-api

I'm trying to fetch the details of the Enterprise related to a Gmail account. Is there any default API to fetch the Enterprise details related to a Gmail account?

You can find the enterprise details by logging into play.google.com/work with the account that was used to create it.
Click on Admin Settings to see the Organization name and Organization ID.
There's no API which will give you the details of the Enterprise because all the API requests in Android Management API have the enterpriseId as the parent key.

Related

Google Workspace marketplace service account for public listing

I have a server-side application that needs to access every user's Gmail data in a Google Workspace organization. I want to publish a public listing on the Google Workspace Marketplace that is installable domain-wide by the super admin user and gives the server-side application the permissions to access the Gmail data of the users in that domain.
From my current understanding, we need a service account with impersonation to access each user's data. On top of that, the service account needs to be delegated domain-wide authority, so that users do not need to give individual OAuth consent or their passwords.
When publishing the app using the marketplace SDK I see that there is a field for service account credentials:
I see that the current Marketplace SDK has a field that accepts service account credentials.
But when my app is published and I install it and go to check the app's data access, I can only see fields for the scopes and the OAuth clients.
My questions:
1. Are the service accounts created in the marketplace SDK usable to the organization that installs my marketplace app? Will the service accounts have the same email and unique id for everyone who installs the public listed app?
2. If (1) is not true, then how is it possible for admins to create a service account for my marketplace app?
3. If (1) is true, is it automatically granted access unlike the OAuth clients and scopes?
4. If (1) is true, are the service accounts automatically delegated domain-wide on install, or do we have to provide the person who installed the marketplace app with the service accounts' unique ids so they can manually delegate the scopes domain-wide?
I reviewed some of Google's public documentation related to Service Accounts & here's what I have found that may answer your questions:
Question 1
Are the service accounts created in the marketplace SDK usable to the organization that installs my marketplace app?
Answer
No
Note: The CREDENTIALS tab that you see on the Google Workspace Marketplace SDK page is only an overview of credentials you have created for the GCP Project & NOT necessarily only for that service/API.
Service Accounts are created within a specific GCP Project & that project is where you will enable the Google APIs/Services that your application needs. Google Workspace Marketplace SDK is being described as:
“A toolkit that lets you create and control your app listing on the Google Workspace Marketplace, or for Chat apps, in Google Chat.” (Source)
So, this Google Workspace Marketplace SDK doesn't necessarily use a Service Account to authenticate & be called in your app. However, when you set up a Service Account for your app, you'll need to create a Google Workspace Marketplace OAuth Client & this OAuth Client is associated with that Service Account. This is needed to support Google Workspace Marketplace domain-wide installation.
Setting up the Google Workspace Marketplace OAuth Client from the GCP console:
Follow-up Question
Will the service accounts have the same email and unique id for everyone who installs the public listed app?
Answer
Yes. In theory, it should be.
Question 2
If (1) is not true, then how is it possible for admins to create a service account for my marketplace app?
Answer
You have to review the official Google documentation for OAuth & Service account.
Based on the official documentation, this is the overview:
1. Create a service account for your project.
2. Delegate domain-wide access to the service account.
3. Your application prepares to make authorized API calls using the service account's credentials. (This is regardless of how many users install & use your app.)
4. That API call will request an access token from the OAuth 2.0 auth server.
5. Your application will then be able to use the access token to call Google APIs (which in your case uses Gmail API).
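
The token request described in the steps above, as an added example (not part of the original answer and not Google's own code): it builds the JWT claim set a service account sends to act as one Workspace user, and prepares the form body posted to the OAuth 2.0 token endpoint. The function names and the `delegated` list (a local copy of the scopes the admin authorised for the client) are assumptions; the RS256 signature is passed in by the caller because the Python standard library has no RSA signer.

```python
import base64
import json
import time
import urllib.parse

TOKEN_URI = "https://oauth2.googleapis.com/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # an assertion may be valid for at most one hour


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(sa_email, user, scopes, delegated, now=None, lifetime=MAX_LIFETIME):
    """Claim set for a service account acting as `user` (domain-wide delegation)."""
    extra = sorted(set(scopes) - set(delegated))
    if extra:  # the token request would be refused; fail before signing
        raise ValueError(f"scopes not delegated by the admin: {extra}")
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    now = int(time.time()) if now is None else now
    return {
        "iss": sa_email,            # the service account's email address
        "sub": user,                # the Workspace user being impersonated
        "scope": " ".join(scopes),  # space-delimited scope list
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }


def signing_input(claims: dict) -> str:
    """The header.payload string that is signed with the service account key."""
    header = {"alg": "RS256", "typ": "JWT"}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}"


def token_request_body(unsigned: str, signature: bytes) -> str:
    """Form body POSTed to TOKEN_URI; the response carries the access token."""
    assertion = f"{unsigned}.{b64url(signature)}"
    return urllib.parse.urlencode({"grant_type": GRANT_TYPE, "assertion": assertion})
```

Requesting only the scopes the application needs (for example a read-only Gmail scope) keeps the impersonation grant narrow, since the same service account key works for every user in every domain that delegated to it.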

Service Account Permissions : Limiting to specific GA API

I created a new Service Account in Cloud Project, and want to restrict this account's permission to only use one specific Google API listed here.
Let's say my application using this service account should only be allowed to use "Google Analytics API". If possible, further limited to use a subset of API requests (for ex. analytics.management.customMetrics.list, analytics.management.filters.insert etc.).
I tried to create a custom Role, but when I try to add the necessary Permission, I don't see my desired permissions listed in that list... (attach screenshot)
How can I restrict this Service Account's permissions to specific APIs?
Also, does it make any difference creating a new project in https://console.developers.google.com/ or in https://console.cloud.google.com/ ? I can see a project in both places anyways...
In your case because you are using the Google Analytics API, there is an additional step where you need to add the Service Account to your Google Analytics account. If the Service Account is not added then it won't have access to the resources inside of Google Analytics.
See "1. Enable the API" in the following link:
https://developers.google.com/analytics/devguides/reporting/core/v4/quickstart/service-py
Add service account to the Google Analytics account
The newly created service account will have an email address that looks similar to: quickstart@PROJECT-ID.iam.gserviceaccount.com
Use this email address to add a user to the Google analytics view you want to access via the API. For this tutorial only Read & Analyze permissions are needed.
See the following for some guidance on managing users in Google Analytics
https://support.google.com/analytics/answer/1009702

Google API to retrieve information about an OAuth app

How can I programmatically retrieve information about an OAuth client given its appId (xxxx.apps.googleusercontent.com)? I am interested in retrieving the Google API scopes the app is requesting (e.g.: https://www.googleapis.com/auth/userinfo.email) along with marketplace ratings and user count (if applicable).
I believe you can only access those stats if you own the app/add-on. Assuming that you're working on a GSuite add-on, if you deploy the app via GSuite Marketplace you'll have to explicitly specify the scopes your app requires and you can check those scopes from your Google Console. I believe that there is also a dashboard available to the app developer (probably from Google Console) with analytic data related to performance.

Will the Azure AD v2.0 endpoint pass the same nameidentifier through as Access Control Services for the same Microsoft Account?

We are currently using Azure Access Control Services (***.accesscontrol.windows.net) to allow customers with personally-managed Microsoft Accounts (Identity Provider) to sign in to our customer self-service portals (Relying Party Applications), which are Angular apps powered by Web API services. In our Access Control Services we are currently passing through the nameidentifier http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier claim from Windows Live ID to the relying party APIs, which match that token to an identity in our applications.
We are looking to support both Enterprise and Personal Microsoft Accounts with the Azure AD v2.0 service, but do not understand how to migrate our existing users to the new system. The code examples suggest that the OWIN middleware returns the NameIdentifier claim from the user's Identity Provider, but if that Identity Provider is the same Microsoft Account (aka Windows Live ID), will that be the same NameIdentifier we are currently receiving via Access Control Services pass-through?
Any help and/or documentation that clarifies how this transition is intended to work would be appreciated.
If the nameidentifier coming out of ACS is the randomly generated value then you're kind of stuck because that value is unique to the ACS/RP/User. If it's returning the actual Live ID then it'll obviously only match if the Azure AD user has the same email address.
I don't know of any documentation out there that describes how to handle this situation. My recommendation is to just require a one-time authentication from each source within the same session and marry the two results. That would basically mean:
1. Authenticate to Azure AD
2. Your app: Hey, you don't have any user details, do you want to associate a Live ID?
3. Authenticate Live ID
4. Associate Live ID with Azure AD
Then if they want to sign in with either account in the future you have a link between the two.

Can the Outlook SDK access Office365 user data? Can the Microsoft Graph API access Live.com users?

Can the OutlookSDK at dev.outlook.com access Office365 user data (calendars, contacts, mail)?
How about the Microsoft Graph API, can it access live.com users (calendars, contacts, tasks, mail)?
I'm curious at this point and want to know which SDK is best for accessing both live.com user data and Office365 user data.
I already tried the Microsoft Graph API iOS SDK to authenticate a Live ID user, but couldn't succeed; I was only able to authenticate an Office365 user.
With the OutlookSDK as well, I was unable to authenticate an Office365 user, only a Live ID.
Thanks.
Carefully take a look at the instructions here: https://dev.outlook.com/RestGettingStarted/Overview
To write an app against both Office 365 and outlook.com you will need to register your application in the new application registration portal here: https://apps.dev.microsoft.com/Disambiguation?ru=https%3a%2f%2fapps.dev.microsoft.com%2f
Additionally, you will need to make sure that your Outlook.com account has been upgraded to the new service. If it has not, then you will need to follow the instructions to request an account in the preview service from: outlookdev@microsoft.com or create a new account which should automatically be provisioned in the new service.
Yes - you can use Outlook APIs to access mail, calendars, and contacts for Office 365 users and Outlook.com.
Also, you can use the Microsoft Graph API to access fixed entities like users, groups, mail, messages, calendars, tasks, and notes coming from services like Outlook, OneDrive, Azure Active Directory, Planner, OneNote and others.
I suggest using O365 APIs to do Live id user authentication - https://msdn.microsoft.com/en-us/office/office365/api/
Check this link as well: http://dev.office.com/getting-started/office365apis
