OAuth 2.0 and Provisioning API


Edwin Lukaweski

May 17, 2012, 1:33:51 PM
to google-app...@googlegroups.com
Hi:
Is OAuth 2.0 authorization available with the Provisioning API? Or are we limited to the OAuth 1 version (other than AuthSub and client login)?

Thanks, Edwin


Claudio Cherubino

May 17, 2012, 1:36:13 PM
to google-app...@googlegroups.com
Hi Edwin,

The Provisioning API supports OAuth 2.0.
Thanks

Claudio



--
You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/yqBRpgXO_GMJ.
To post to this group, send email to google-app...@googlegroups.com.
To unsubscribe from this group, send email to google-apps-mgmt...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-apps-mgmt-apis?hl=en.

Edwin Lukaweski

May 17, 2012, 2:51:26 PM
to google-app...@googlegroups.com
OK....thanks for the quick response.

Where would I find the value for the "scope" url, for Provisioning, required for oauth 2.0?

Cannot find any reference, in the Provisioning API, to how to use oauth 2.0 with Provisioning API

Thanks, Edwin




Claudio Cherubino

May 17, 2012, 3:06:54 PM
to google-app...@googlegroups.com
Hi Edwin,

The scopes are the same as those used for 3-legged OAuth 1.0; the docs haven't been updated to include OAuth 2.0 samples yet.

Claudio


bobpuffer

May 25, 2012, 8:24:26 PM
to google-app...@googlegroups.com
So... in order to programmatically provision user accounts using 2-legged OAuth 2.0 would the xoauth_requestor_id be the email of an admin capable of creating new accounts?  I'm getting invalid header returns.

Claudio Cherubino

May 25, 2012, 8:25:52 PM
to google-app...@googlegroups.com
Hi Bob,

OAuth 2.0 doesn't support the 2-legged flow.
If you use 2-legged OAuth 1.0 with the Provisioning API you don't have to specify the xoauth_requestor_id parameter.

Claudio


bobpuffer

May 26, 2012, 10:30:30 AM
to Google Apps Domain Information and Management APIs
Is it just that OAuth 2.0 doesn't support 2-legged for the
provisioning? I'm using OAuth 2.0 2-legged all over the place except
the provisioning.
Thanks

Sandip Shah

May 26, 2012, 1:28:17 PM
to google-app...@googlegroups.com
Hi Bob,

OAuth 2.0 does not support 2-legged anywhere afaik.

Which APIs are you using it with?

Sandip



Sandip Shah

May 26, 2012, 1:53:19 PM
to google-app...@googlegroups.com
Correction - it does not support the Google Apps APIs.

Sandip

bobpuffer

May 27, 2012, 5:34:16 PM
to Google Apps Domain Information and Management APIs
ACL lists on all of the documents apis (Sites, Spreadsheets, Docs,
Calendars). Docs listing. Almost anything including querying and
updating cells in spreadsheets. Some spreadsheet functions fail
because the redirect goes to a location that only accepts Clientlogin.
I'm pretty confused between my experience and your statements. Most
of all I'd be interested in knowing the near and distant future of
being able to support 2-legged OAuth because it's critical and if it's
going away, we have to align ourselves with a service that can meet
our repository needs using administrative control without user
intervention.
Bob

Sandip Shah

May 27, 2012, 8:26:01 PM
to google-app...@googlegroups.com
Bob,

I have been monitoring the forums closely, and no one can get even the Calendar API to work with Service Accounts (2LO in OAuth 2.0 world).

Do you mind posting some sample code?

Thanks,

Sandip

bobpuffer

May 28, 2012, 8:57:51 AM
to Google Apps Domain Information and Management APIs
You're right, I was in error on the calendar, but am definitely using
to query and change spreadsheet cell data, create entire sheets in a
workbook and also Docs listings, creating collections, uploading
documents (with resumable upload). The most important thing to me is
what is the future of 2LO for administratively managing such
requirements?
Bob

bobpuffer

May 28, 2012, 10:00:56 AM
to Google Apps Domain Information and Management APIs
I have also found this piece of valuable documentation that, if
accurate does suggest calendar data is available via 2LO (tho I guess
I've never been able to get it to work).
https://developers.google.com/google-apps/marketplace/manifest#supported_scopes

Patricia N Goldweic

May 31, 2012, 2:32:50 PM
to google-app...@googlegroups.com
I've also worked with 2-legged OAuth for docs, calendar and sites content, but this was using OAuth 1.0 (not 2.0). In terms of (write) provisioning access, I thought that the only thing available from Google (that supports Google Apps accounts) has been 3-legged OAuth 1.0. Is this assumption still valid? Can somebody from Google clarify?
Ideally, there would be 2-legged support for write provisioning access, but if there isn't yet, please explain whether 3-legged OAuth 1.0 or OAuth 2.0 should be used instead for this purpose. Thanks in advance,
-Patricia

Sandip Shah

May 31, 2012, 2:40:05 PM
to google-app...@googlegroups.com
Patricia,

OAuth 1.0 supported both 3-legged and 2-legged methods for read/write access (for most APIs).

OAuth 2.0 so far supports 'Desktop Application' and 'Web Server' "flows", again for read/write access, again for most APIs.

The "Service Accounts" is the equivalent of the 2-legged mechanism and it is just being rolled out across different APIs.  I have not seen an official page announcing when these will be live on each API, but maybe someone in Google can throw some light on that.

Sandip

Patricia N Goldweic

May 31, 2012, 4:06:31 PM
to google-app...@googlegroups.com

So, could somebody please confirm (or otherwise) the following statements?

- If my app requires write access to the provisioning API, I should be able to use not only 3-legged OAuth 1.0 (which is currently deprecated), but also OAuth 2.0 to implement this. Presumably, I can use one of the existing java client libraries to do this. (a sample of such use that involved the provisioning api in particular, coupled with OAuth 2.0, would be great to see).

- 2-legged access is not yet available for the provisioning API. If it *ever* becomes available with OAuth 2.0, I would find it under the 'service accounts' documentation for the provisioning api.

Thanks in advance,

-Patricia

Claudio Cherubino

May 31, 2012, 4:22:26 PM
to google-app...@googlegroups.com
Hi Patricia,

Answers inline:

On Thu, May 31, 2012 at 1:06 PM, Patricia N Goldweic <pgol...@northwestern.edu> wrote:

> So, could somebody please confirm (or otherwise) the following statements?
>
> - If my app requires write access to the provisioning API, I should be able to use not only 3-legged OAuth 1.0 (which is currently deprecated), but also OAuth 2.0 to implement this. Presumably, I can use one of the existing java client libraries to do this. (a sample of such use that involved the provisioning api in particular, coupled with OAuth 2.0, would be great to see).

Yes, you can use either 3-legged OAuth 1.0 or OAuth 2.0 to get write access to the Provisioning API.

> - 2-legged access is not yet available for the provisioning API. If it *ever* becomes available with OAuth 2.0, I would find it under the 'service accounts' documentation for the provisioning api.

The Provisioning API supports 2-legged OAuth 1.0 in a readonly mode.
I don't know if OAuth 2.0 will support the 2-legged flow but we'll make sure everyone knows where to find the docs in case that happens ;)

Sandip Shah

May 31, 2012, 4:26:11 PM
to google-app...@googlegroups.com
Claudio,

"I don't know if OAuth 2.0 will support the 2-legged flow but we'll make sure everyone knows where to find the docs in case that happens ;)"

This is for provisioning API only, correct?  'cause the 'Service Accounts' are working for other APIs.

Sandip

Patricia N Goldweic

May 31, 2012, 4:27:28 PM
to google-app...@googlegroups.com

Thanks again Claudio for your helpful answers,

-Patricia

Claudio Cherubino

May 31, 2012, 4:34:06 PM
to google-app...@googlegroups.com
Yes, I'm referring to the Provisioning API.

Claudio

Suttiwat Youngklai

Jun 6, 2012, 4:04:10 AM
to google-app...@googlegroups.com
Hi Claudio:

In case I need to develop a password synchronization tool with SSO (SAML): once the user authenticates successfully with the customer's LDAP, this tool will perform a password sync (via the Provisioning API) to Google. For this case, the tool that I developed this time uses the ClientLogin interface to use the Provisioning API.

But as I know, ClientLogin will be deprecated soon? What would you recommend?

This tool is a background process; it's invoked after the user successfully authenticates in SSO-SAML (Shibboleth Framework). So I'm in doubt: if I use OAuth 2.0 for this case, what will it look like? It's something like an administrative tool.

Please share.  Thanks.

Best Regards,
Suttiwat

Claudio Cherubino

Jun 6, 2012, 12:13:14 PM
to google-app...@googlegroups.com
Hi Suttiwat,

We announced the deprecation of ClientLogin but it will still be supported for years:


Our recommendation for the authorization mechanism is OAuth 2.0.
Perhaps the flow for installed applications is what you should adapt, as it only requires human interaction the first time you run the script:


Claudio


Suttiwat Youngklai

Jun 11, 2012, 3:55:44 AM
to google-app...@googlegroups.com
Hi Claudio:

Thanks, I'm studying OAuth 2.0, and referring to https://developers.google.com/accounts/docs/OAuth2WebServer

Looking at the "expires_in" parameter of the access token: this is in units of seconds, right? From the sample, it's 3920.
So for three-legged OAuth 2.0, we still need to refresh the access token every hour. Is this correct?

Thanks.

Best Regards,
Suttiwat

Claudio Cherubino

Jun 11, 2012, 12:05:53 PM
to google-app...@googlegroups.com
Yes, you have to use the refresh token to request a new access token every hour.
If you use one of our client libraries, they will automatically refresh tokens for you.

Claudio
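
The hourly refresh discussed in the last two posts, for an unattended tool that holds a stored refresh token, sketched as an added example (it is not code from the thread or from Google's client libraries). The `transport` callable, the class name and the 60-second skew are assumptions made for illustration; the request fields are the standard OAuth 2.0 refresh grant, and no token endpoint URL is assumed.

```python
import time
from typing import Callable, Dict, Optional

# Hypothetical transport: receives the form fields of a token request and
# returns the parsed JSON reply. A real one would POST them over TLS to the
# provider's token endpoint (not shown; no endpoint URL is assumed here).
Transport = Callable[[Dict[str, str]], Dict[str, object]]


class TokenRefreshError(Exception):
    """The token endpoint refused the refresh (e.g. the grant was revoked)."""


class AccessTokenCache:
    """Hands out a valid access token, refreshing shortly before expiry."""

    def __init__(self, client_id: str, client_secret: str, refresh_token: str,
                 transport: Transport, clock: Callable[[], float] = time.time,
                 skew_seconds: int = 60) -> None:
        self._client_id = client_id
        self._client_secret = client_secret
        # Long-lived secret: keep it in protected storage and never log it.
        self._refresh_token = refresh_token
        self._transport = transport
        self._clock = clock
        self._skew = skew_seconds
        self._access_token: Optional[str] = None
        self._expires_at = 0.0

    def get(self) -> str:
        # Refresh early so a token never expires in the middle of a request.
        if self._access_token is None or self._clock() >= self._expires_at - self._skew:
            self._refresh()
        return self._access_token

    def _refresh(self) -> None:
        reply = self._transport({
            "grant_type": "refresh_token",  # RFC 6749, section 6
            "refresh_token": self._refresh_token,
            "client_id": self._client_id,
            "client_secret": self._client_secret,
        })
        # Drop the old token first: a refused refresh must not leave it usable.
        self._access_token = None
        token, lifetime = reply.get("access_token"), reply.get("expires_in")
        if "error" in reply or not isinstance(token, str) or not isinstance(lifetime, int):
            raise TokenRefreshError(str(reply.get("error", "malformed token response")))
        self._access_token = token
        self._expires_at = self._clock() + lifetime  # expires_in is in seconds
```

A refused refresh (for example `invalid_grant` after an administrator revokes access) surfaces as `TokenRefreshError`, which is the point where a background tool has to stop and ask for the one-time interactive authorization again.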
