How to check if a customer from Google domain installed our app? - google-apps-marketplace

We're developing an app that will be published in G Suite Marketplace.
I know that both domain owners and regular Google account holders can install the application from there.
However, the customer license resource from the Marketplace API doesn't accept Gmail addresses, rather only domain names.
So my question is: how to know if example@gmail.com did install our application in G Suite Marketplace?
Thank you!

Related

Google Workspace marketplace service account for public listing

I have a server-side application that needs to access every user's Gmail data in a Google Workspace organization. I want to publish a public listing on the Google Workspace Marketplace that is installable domain-wide by the super admin user and gives the server-side application the permissions to access the Gmail data of the users in that domain.
From my current understanding, we need a service account with impersonation to access each user's data. On top of that, the service account needs to be delegated domain-wide authority, so that users do not need to give individual OAuth consent or their passwords.
When publishing the app using the marketplace SDK I see that there is a field for service account credentials:
I see that the current Marketplace SDK has a field that accepts service account credentials.
But when my app is published and I install it and go to check the app's data access, I can only see fields for the scopes and the OAuth clients.
My questions:
1. Are the service accounts created in the marketplace SDK usable to the organization that installs my marketplace app? Will the service accounts have the same email and unique ID for everyone who installs the publicly listed app?
2. If (1) is not true, then how is it possible for admins to create a service account for my marketplace app?
3. If (1) is true, is it automatically granted access, unlike the OAuth clients and scopes?
4. If (1) is true, are the service accounts automatically delegated domain-wide on install, or do we have to provide the person who installed the marketplace app with the service accounts' unique IDs so they can manually delegate the scopes domain-wide?
I reviewed some public Google documentation related to Service Accounts & here’s what I have found that may answer your questions:
Question 1
Are the service accounts created in the marketplace SDK usable to the organization that installs my marketplace app?
Answer
No
Note: The CREDENTIALS tab that you see on the Google Workspace Marketplace SDK page is only an overview of credentials you have created for the GCP Project & NOT necessarily only for that service/API.
Service Accounts are created within a specific GCP Project & that project is where you will enable the Google APIs/Services that your application needs. Google Workspace Marketplace SDK is being described as:
“A toolkit that lets you create and control your app listing on the Google Workspace Marketplace, or for Chat apps, in Google Chat.” (Source)
So, this Google Workspace Marketplace SDK doesn’t necessarily use a Service Account to authenticate & be called in your app. However, when you set up a Service Account for your app, you'll need to create a Google Workspace Marketplace OAuth Client & this OAuth Client is associated with that Service Account. This is needed to support Google Workspace Marketplace domain-wide installation.
Setting up the Google Workspace Marketplace OAuth Client from the GCP console:
Follow-up Question
Will the service accounts have the same email and unique ID for everyone who installs the publicly listed app?
Answer
Yes. In theory, it should be.
Question 2
If (1) is not true, then how is it possible for admins to create a service account for my marketplace app?
Answer
You have to review the official Google documentation for OAuth & Service account.
Based on the official documentation, this is the overview:
1. Create a service account for your project
2. Delegate domain-wide access to the service account
3. Your application prepares to make authorized API calls using the service account's credentials. (This is regardless of how many users install & use your app)
4. That API call will request an access token from the OAuth 2.0 auth server.
5. Your application will then be able to use the access token to call Google APIs (which in your case uses Gmail API).
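
The token request in the overview above, as an added example (not code from the answer or from Google): it builds the JWT-bearer assertion a service account with domain-wide delegation sends to the OAuth 2.0 server, and refuses to impersonate users outside installed domains or to request scopes outside an allowlist. The function name, `ALLOWED_SCOPES`, `installed_domains` and the injected `sign` callable are assumptions of this example.

```python
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://oauth2.googleapis.com/token"
# Assumption: the only scope this app declared in its Marketplace listing.
ALLOWED_SCOPES = {"https://www.googleapis.com/auth/gmail.readonly"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_token_request(sa_email, subject, scopes, installed_domains, sign, now=None):
    """Return the form body of the token request that impersonates `subject`.

    `installed_domains` is a hypothetical set the app keeps of customer domains.
    `sign` (bytes -> bytes) must produce the RS256 signature with the service
    account's private key; injecting it keeps key material out of this function.
    """
    domain = subject.rsplit("@", 1)[-1].lower()
    if domain not in installed_domains:
        raise PermissionError(f"{domain} has not installed the app")
    extra = set(scopes) - ALLOWED_SCOPES
    if extra:
        raise PermissionError(f"scopes outside the allowlist: {sorted(extra)}")
    iat = int(now if now is not None else time.time())
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": sa_email,                    # the service account's email
        "sub": subject,                     # Workspace user being impersonated
        "scope": " ".join(sorted(scopes)),  # space-delimited scope list
        "aud": TOKEN_URL,
        "iat": iat,
        "exp": iat + 300,                   # short-lived; Google caps this at 1 hour
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    assertion = signing_input + "." + _b64url(sign(signing_input.encode("ascii")))
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": assertion,
    })
```

The returned body is POSTed to `TOKEN_URL` with content type `application/x-www-form-urlencoded`; the access token in the response is then sent as a Bearer token on Gmail API calls.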

How to get a Gsuite Marketplace App installation record

I published an app in the G Suite Marketplace, and I would like to know if I can get any record of the installations performed, maybe some user data (like emails or at least the domain).
I've searched the web and browsed the admin console but I can't find the way.
I found the answer in the Marketplace FAQ: there's not a direct way through the admin console, but instead all details can be obtained from the Licensing API.
Source: G Suite Marketplace FAQ

Marketplace - Are apps tied to a specific google account?

We are currently attempting to publish an App on the Google Marketplace (aka Chrome Web Store).
My boss has paid the $5 developer fee using his G Suite account, and when I log in to publish the app, it keeps requesting the $5 fee to be paid. We are both part of the same G Suite domain (rulerr.com). I'm guessing this means the payment is tied to his account specifically? Is there any way to get this tied to our G Suite domain?
As a result of the way this works, if I end up publishing using my account, can anyone delegated from my domain modify it? If I was to go on vacation/sick leave/move on to another company, then no one in my organization would be able to modify the App details?
Would adding a shared mailbox account specifically for marketplace registration alleviate this issue?
Laurie,
You can create a Google Group and use that as the owner of your app.
https://developer.chrome.com/webstore/publish#set-up-group-publishing
Any member of that group will then be able to publish (when they have paid the $5 fee).

Google Apps Marketplace multiple domains(app installations)

We are migrating our app from the old Marketplace to the new one, and we are faced with a problem like the one described here - Google Apps Marketplace app installation callback
But we have a special app architecture: it allows the same user to authorize multiple domains. For example, we have a user (authorized with Google+) admin@tester1.com and he needs to install the app for the following domains:
tester1.com where admin account is admin@tester1.com
tester2.com where admin account is admin@tester2.com
For tester1.com we can use the licensing API and check if the app is installed and who installed it. We already have the authorized account admin@tester1.com, and the same user installed the app.
No issues for this scenario.
Next, the user needs to install the app for tester2.com. In the process of installation (on the Marketplace side) the user switches to the new account admin@tester2.com and installs the app.
When the user comes back to us, we use the licensing API again and check if the app is installed and who installed it. At this step the app will be installed, but it will be installed by the user admin@tester2.com, which is currently not connected to our app.
For this scenario, how can we securely recognize that domain tester2.com should be linked to user admin@tester1.com? Any recommendations/advice?
Currently we see only one way - require the user to authorize the admin account for each domain that he wants to install with our app.
This appears to be a special case, and Google don't have any guidelines around how to handle it. Deciding how to charge for and provision your application is left up to the developer.

Google Marketplace SDK - Test Install Flow issue

I have created an app in the Google Apps Marketplace SDK and now I have the "Test Install Flow" button, which is fine. However, when I click it, a popup for business account signup appears and asks me to set up a real Google business account. How can I simply test it with the same developer account I have?
Had the same issue. It occurs when you first log in to Google with a non-Google Apps account (like a free Gmail account), after which Google Apps accounts are added (i.e. are logged in).
As Ben Clifford suggests in comments, one needs to be signed in first with a Google Apps account (after logging out completely). As a best practice, use Google Apps accounts in one web browser, and free Gmail account(s) in a different browser - to avoid further issues.
You have to test it with a Google Apps account. Apparently yours is not one of those, so they're asking you to sign up. If you have a different Google account that has Google Apps already, you can add that account to the project in Permissions -> Add Member, and then use "Test Install Flow" while logged in as that other account.
