We are trying to implement a "Login With Google" feature for an internal admin dashboard web app connected to our GSuite account. We want to limit login to this dashboard in two ways.
1. Only members of our GSuite domain can log in to the dashboard
2. Only users in our domain belonging to a specific group within our domain can log in to the dashboard
So far we have been able to accomplish number 1 above but not number 2. Using a query param to the OAuth2 API we can limit the domain. What we have in mind to accomplish number 2 is, after a user within our domain is logged in, to get their group information and validate that they are in the proper internal group, or log them out. The issue with this is that it seems only GSuite admin accounts are allowed to make API calls to the Directory API for this information. Is there no way to get the group information for a user with their own access token, or using a service account? Ideally we don't want to have to put a specific admin user's personal credentials from our GSuite account into our application to get this working. Is there a better way to proceed?
Thank you in advance for any help!
Related
I want to access all the events in a calendar of a GSuite domain. I tried using domain delegation with a service account, and it allows me to assume a user and get all of their events, but I want to fetch all the events in a GSuite account.
In order to achieve your task, you should create a service account which impersonates the admin of the domain.
Afterwards, you can retrieve the users of the domain by making use of the Admin SDK.
GET https://admin.googleapis.com/admin/directory/v1/users
Based on the list you get, you can get the events from the calendar of each user.
GET https://www.googleapis.com/calendar/v3/calendars/calendarId/events
where calendarId is the email of one of the users from the domain.
Reference
Admin SDK users.list;
Calendar API events.list.
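The procedure in the answer above (users.list as the admin, then events.list per user), written out as an added example that is not code from the answer. It is mine, not the original poster's, and it assumes google-auth and google-api-python-client are installed, that SA_KEY_FILE (an assumed path) holds the service account's JSON key, and that the service account's client ID has been granted the two scopes in SCOPES under Domain-wide delegation in the Admin console. The names `delegated_credentials`, `iterate_pages`, `list_domain_users`, `list_user_events` and `domain_events` are this example's own. It impersonates the admin only for the directory listing and then impersonates each user to read that user's calendar, so no calendar has to be shared with the admin account; it also follows `nextPageToken`, since both list calls return at most one page per request.

```python
"""List every user in a Google Workspace domain and then the events on each
user's primary calendar, using one service account with domain-wide delegation.

Added example, not code from the answer. Assumes google-auth and
google-api-python-client, SA_KEY_FILE (assumed path) and the SCOPES below
granted to the service account's client ID in the Admin console.
"""
from typing import Callable, Dict, Iterator, List

SA_KEY_FILE = "service-account.json"  # assumed
SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/calendar.readonly",
]


def delegated_credentials(subject: str):
    """Service-account credentials that act as `subject` via domain-wide delegation."""
    from google.oauth2 import service_account  # lazy import: the pagination helper runs offline

    creds = service_account.Credentials.from_service_account_file(SA_KEY_FILE, scopes=SCOPES)
    return creds.with_subject(subject)


def iterate_pages(fetch_page: Callable[[dict], dict], items_key: str) -> Iterator[dict]:
    """Yield the items of every page of a Google list call.

    `fetch_page(params)` performs one request, merging `params` (empty, or
    {"pageToken": ...}) into its own arguments, and returns the decoded page.
    Each list call caps the page size and signals more with nextPageToken;
    stopping only when that token is absent avoids silently reading just
    the first page of users or events.
    """
    params: Dict[str, str] = {}
    while True:
        page = fetch_page(params)
        yield from page.get(items_key, [])
        token = page.get("nextPageToken")
        if not token:
            return
        params = {"pageToken": token}


def list_domain_users(admin_email: str, domain: str) -> List[str]:
    """Primary e-mail address of every user in `domain`, acting as the admin."""
    from googleapiclient.discovery import build

    directory = build("admin", "directory_v1", credentials=delegated_credentials(admin_email))

    def fetch_page(params: dict) -> dict:
        return directory.users().list(domain=domain, maxResults=500, **params).execute()

    return [user["primaryEmail"] for user in iterate_pages(fetch_page, "users")]


def list_user_events(user_email: str, time_min: str) -> List[dict]:
    """Events on `user_email`'s primary calendar since `time_min` (RFC 3339).

    Acting as the user themself, so the calendar need not be shared with
    the admin; calendarId is the user's e-mail, as in the answer.
    """
    from googleapiclient.discovery import build

    calendar = build("calendar", "v3", credentials=delegated_credentials(user_email))

    def fetch_page(params: dict) -> dict:
        return calendar.events().list(
            calendarId=user_email, timeMin=time_min, singleEvents=True, **params
        ).execute()

    return list(iterate_pages(fetch_page, "items"))


def domain_events(admin_email: str, domain: str, time_min: str) -> Dict[str, List[dict]]:
    """Map every user in the domain to that user's events."""
    users = list_domain_users(admin_email, domain)
    return {user: list_user_events(user, time_min) for user in users}


if __name__ == "__main__":
    # Assumed admin account and domain; needs network access and a real key file.
    for user, events in domain_events("admin@example.com", "example.com", "2024-01-01T00:00:00Z").items():
        print(user, len(events), "events")
```

Only the delegated scopes are usable: if a scope is requested that was not granted to the client ID in the Admin console, the token exchange fails for every impersonated subject, which is the first thing to check when `with_subject` appears not to work.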
Suppose I have an application in which I have enabled (Google) OAuth2 authentication, but I want only a few business people to be able to log in to my application with their specific email IDs, and the rest of the people can't. How can we achieve this using OAuth2?
1.) Lots of people have a Google account and can authenticate with Google
2.) I want only some of them to be authorized to use my app, which maybe deals with business assets
I suspect your requirement is:
Lots of people have a Google account and can authenticate with Google
Only some of them should be authorized to use your app, which maybe deals with corporate assets
In this case I would proceed something like this:
STEP 1: PREREQUISITE USER SETUP
Get a list of users and perform an Administrator Approval step to create them in your product database, perhaps with Name and Email fields.
STEP 2: INCLUDE THE EMAIL SCOPE DURING LOGINS
In the Google login redirect, use scope='openid email' so that you can identify the user via email after login. Allow users to successfully authenticate.
STEP 3: AFTER LOGIN PROCESS THE ACCESS TOKEN
You will then be able to get the user's email address from the access token (though you may have to send it to the Google User Info endpoint).
STEP 4: DENY ACCESS WHEN REQUIRED
If you can't find the email associated to the token in your product user data, present a Forbidden message to the user.
FURTHER INFO
See my User Data Write Up for further details on technical options. Note that I have not actually tested this with Google, but I have used the general approach with a few different systems.
We are integrating Google Calendar with our room booking system. Users in the GSuite domain should log in on our reservation screen and book a room. So far I have made use of a service account with domain-wide delegation to impersonate the users (the setSubject() method, passing the e-mail address of the impersonated user). Everything works, although this way we cannot verify whether the user we want to impersonate is logged in successfully or not; the event will just be created with him as the organizer, because setSubject() only requires the email to work properly.
In IBM Domino, when using a Java XPage I was able to compare the user's passwords, not in plain text, but there was a function which compared plain text with the user's hashed password and returned true if they were equal.
As far as I can see, Google doesn't have such a thing, if I'm right. How could I check programmatically whether the user can successfully log in?
If you want to perform actions in Google Calendar on behalf of a currently logged-in user from a web browser, you might want to use OAuth2 for Web Server Applications instead of using a service account with impersonation.
I am writing a program (written in Java) for businesses that manages the Google Drive data of domain users (download/read/...).
I need to authenticate once, using domain admin's credentials, get a token and refresh token, and fetch the data of all domain users.
I succeeded in doing it for the admin user itself, using Google's Drive REST API.
How can I manage all the domain users with one access token and refresh token?
In Google Apps, the admin does not have the ability to access the user's information directly.
The way to achieve this is through a service account and domain wide delegation.
With this approach, after the admin grants permissions to your app, the app will be able to impersonate users in the domain and perform actions on their behalf, e.g. you can access users' Drive information.
I am using the Google API for users to log in. I have already got OAuth working and I can get an access token from the user to let them use my service.
But I want to display the groups the current user is a member of.
I can't use the Admin SDK because that user is not an admin and has no permission to get the list of groups.
Is there any API to get the list of groups a user belongs to? Or is there any way to have a master access token to use the Admin SDK?
Unfortunately there is no Google Groups API that non-admins can use. However, you can configure your application to use the user's authorization for most requests, but use an admin's authorization for requests to the Admin SDK.
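Putting the answer above together with the first question on this page (domain restriction plus group restriction, without storing an admin's password) and the earlier answer's approved-user list: an added example, not code from any of the posts. It is mine and assumes google-auth and google-api-python-client, an assumed OAuth CLIENT_ID, a service-account key at SA_KEY_FILE whose client ID has been granted GROUP_SCOPE under Domain-wide delegation, an assumed admin account ADMIN_SUBJECT to impersonate, and assumed ALLOWED_DOMAIN and REQUIRED_GROUP values; `verify_id_token`, `directory_membership_check`, `authorize` and `login` are this example's own names. The user's own token is used only for login; the Admin SDK call runs under the impersonated admin, and the domain is enforced on the ID token's `hd` claim rather than on the `hd=` query parameter, which only pre-filters Google's account chooser.

```python
"""Gate a "Login with Google" dashboard on two server-side checks: the ID
token's `hd` claim must be our Workspace domain, and the user must be a
member of one group, looked up via Admin SDK members.hasMember with a
service account that has domain-wide delegation and impersonates an admin.

Added example, not code from the question or answers. All constants below
are assumed values. `authorize` has no network dependency; the two
Google-backed helpers import their libraries lazily.
"""
from typing import Callable, Optional

CLIENT_ID = "1234567890-abc.apps.googleusercontent.com"  # assumed OAuth client ID
SA_KEY_FILE = "service-account.json"                     # assumed key path
ADMIN_SUBJECT = "workspace-admin@example.com"            # assumed admin to impersonate
ALLOWED_DOMAIN = "example.com"                           # assumed
REQUIRED_GROUP = "dashboard-admins@example.com"          # assumed
GROUP_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.member.readonly"

MembershipCheck = Callable[[str, str], bool]  # (group, email) -> is member


def verify_id_token(raw_token: str) -> dict:
    """Check signature, issuer, audience and expiry; return the claims."""
    from google.auth.transport import requests
    from google.oauth2 import id_token

    return id_token.verify_oauth2_token(raw_token, requests.Request(), CLIENT_ID)


def directory_membership_check() -> MembershipCheck:
    """members.hasMember through the Admin SDK, authorised as ADMIN_SUBJECT.

    hasMember reports direct and nested membership and only needs the
    read-only group-member scope, so that is all the service account gets.
    """
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        SA_KEY_FILE, scopes=[GROUP_SCOPE]
    ).with_subject(ADMIN_SUBJECT)
    directory = build("admin", "directory_v1", credentials=creds)

    def is_member(group: str, email: str) -> bool:
        resp = directory.members().hasMember(groupKey=group, memberKey=email).execute()
        return bool(resp.get("isMember"))

    return is_member


def authorize(claims: dict, is_member: MembershipCheck,
              allowed_domain: str = ALLOWED_DOMAIN,
              required_group: str = REQUIRED_GROUP) -> Optional[str]:
    """Return None if the login may proceed, otherwise the reason for refusal.

    `claims` are the verified ID-token claims. The `hd=` parameter on the
    authorization URL is only a hint to Google's account chooser and can be
    dropped by the client, so the domain is enforced here on the `hd`
    claim, which Google sets only for Workspace accounts.
    """
    if not claims.get("email_verified"):
        return "e-mail address not verified by Google"
    if claims.get("hd") != allowed_domain:
        return "account is not in the allowed Workspace domain"
    email = claims.get("email", "")
    if not is_member(required_group, email):
        return f"{email} is not a member of {required_group}"
    return None


def login(raw_token: str) -> str:
    """Full flow for a real request: verify the token, then authorize."""
    claims = verify_id_token(raw_token)
    refusal = authorize(claims, directory_membership_check())
    if refusal:
        raise PermissionError(refusal)
    return claims["email"]
```

For the approved-list approach from the earlier answer, pass a check that looks the e-mail up in the product's user table instead of calling the directory, e.g. `lambda group, email: email in approved_emails`; the domain and `email_verified` checks stay the same. Build the directory client once at startup rather than per login, since every call to `directory_membership_check()` performs a service-account token exchange.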