Google Marketplace App / OAuth2 - Programmatically Delegate Domain-Wide Authorization


Problem description

Context

I'm currently migrating an OAuth 1.0/OpenId based app over to use OAuth 2.0. The app is a Google App Engine app built in Java and will be in the new apps marketplace 2.0. I've got the basic OAuth 2.0 flow working fine for individual users but am having trouble setting up the service account for my scenario below.

Problem

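The flow I want to enable is as follows:

  1. The domain admin installs the app from the apps marketplace
  2. The domain admin grants the requested scopes (e.g. admin SDK, profile, email, etc.)
  3. Users in the new domain can log in without any prompts for scope permissions
  4. When a user logs in, my app's service account can use the admin SDK to access the new domain's user details, to check whether that user is an admin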

In order to enable #4, my understanding is that my app's service account needs to be granted domain-wide authorization for the requested scopes for the new user's domain.

The Google documentation shows how this is done manually through the admin console (https://developers.google.com/drive/web/delegation) by the domain admin, but I haven't had any luck finding documentation on how to programmatically/automatically grant access to my apps service account.

Question

Has anyone had any luck with this? Or perhaps is there another/smarter way to check if a user is an admin of their domain without having to use a service account + admin sdk combo?

Thanks in advance!

Recommended answer

Mark your app as DOMAIN_INSTALLABLE and create a service account in the API project attached to that app. Admin users will install it from the marketplace, which will grant domain-wide delegation to your service account. See the doc here.

Note that you will also need an admin user's email to impersonate in order to access the Admin SDK. You can ask the person who installs the app to provide a proper email during the setup phase. You will have to publish a web application to perform the setup, and provide a URL to this web application in the Marketplace SDK configuration.
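
How the impersonation in this answer appears on the wire, as an added example that is not part of the original answer: the service account's signed JWT names the admin in `sub`, and the `isAdmin` field of the Directory API user resource answers the question. The function names, the sample addresses in the comments and the caller-supplied `sign` callable (an RS256 signer over the service account's private key) are assumptions made for illustration.

```python
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://oauth2.googleapis.com/token"
DIRECTORY_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"


def _b64url(data: bytes) -> str:
    """Unpadded base64url, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def delegated_claims(service_account, admin_email, scopes, now=None, lifetime=3600):
    """Claim set for a service-account JWT that impersonates admin_email."""
    if not 0 < lifetime <= 3600:
        raise ValueError("assertion lifetime must be at most one hour")
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": service_account,     # signer: the app's service account
        "sub": admin_email,         # impersonated user: the admin given at setup
        "scope": " ".join(scopes),  # must stay within the scopes the admin granted
        "aud": TOKEN_URL,
        "iat": now,
        "exp": now + lifetime,
    }


def token_request_body(claims, sign):
    """Form body for the JWT-bearer grant; sign(bytes) returns RS256 signature bytes."""
    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    assertion = signing_input + "." + _b64url(sign(signing_input.encode("ascii")))
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": assertion,
    })


def is_domain_admin(user_resource, login_email):
    """True only if the Directory user resource is for login_email and is a super admin."""
    same_user = user_resource.get("primaryEmail", "").lower() == login_email.lower()
    return same_user and user_resource.get("isAdmin") is True
```

The body is POSTed to `TOKEN_URL`, and the returned access token is sent as a Bearer token on `GET https://admin.googleapis.com/admin/directory/v1/users/{userKey}`, whose JSON response is what `is_domain_admin` inspects.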
