Know if a user is a Google Apps administrator


woloski

Aug 26, 2012, 2:49:12 PM8/26/12
to google-app...@googlegroups.com
It seems the only way to know if a user is a Google Apps administrator is by using the Provisioning API.


Asking a user to enable the Provisioning API and allow access to everything seems a bit too much just to get read-only information about him/her. Ideally, this information should come as part of the user profile, together with the groups he belongs to.

Is there another way to get the information? I want just read-only access. Another option would be to use Service Accounts through Google API Console so that the end user doesn't have to give consent to access such APIs and it's a one-time thing. Is that possible?

Thanks,
Matias

Jay Lee

Sep 6, 2012, 5:05:59 PM9/6/12
to google-app...@googlegroups.com
Hi woloski,

  You can create delegated administrator accounts that only have rights to perform read operations against users using the Provisioning API. See below.


Jay

woloski

Sep 6, 2012, 7:17:09 PM9/6/12
to google-app...@googlegroups.com
Thanks Jay. That still puts the burden on the administrator though. In my scenario I sell an application that integrates with Google Apps. I want the admin to do the least amount of things to be up and running quickly. If I ask him/her to create a special role and assign all its users to that role just because I want to get the groups each user belongs to, it sounds to me very intrusive. Instead, if I could say "Give permission to this app XXX to the following scopes YYY" like you can do today through the control panel, that sounds like a better way to give permissions.

I managed to do it using OAuth 1.0a 2-legged auth but could not do it with Service Accounts and OAuth2. Seems like the Google API console does not support the Provisioning API yet.

I am wondering, if OAuth 1.0a is deprecated my app won't work anymore and I have to move to OAuth2. Does someone from Google know when this will happen? When will OAuth 1.0a be retired?

Thanks
Matias

PeterB

Sep 7, 2012, 4:43:03 AM9/7/12
to google-app...@googlegroups.com
The Provisioning API scopes are fully supported by OAuth 2.0. Since OAuth 1.0 is on its way out, I'd advise migrating as soon as you can.

Jay Lee

Sep 7, 2012, 8:37:17 AM9/7/12
to google-app...@googlegroups.com
@PeterB: OAuth2 doesn't support 2-legged yet, which is why he needs to use 1.0a.

@Matias: You'd need to speak to Google as to when 2-legged OAuth 1.0a will be deprecated but being that it's the only solution available for their marketplace apps today, I can't see them deprecating it very quickly.

Jay

woloski

Sep 22, 2012, 9:44:05 AM9/22/12
to google-app...@googlegroups.com
Thanks Jay. I was hoping to get an answer from Google but nobody replied yet. Anyone?

Chaskiel Grundman

Oct 2, 2012, 11:37:08 AM10/2/12
to google-app...@googlegroups.com
OAuth 2 does have an equivalent to 2-legged: 'Service Accounts'.

I have successfully used an OAuth service account with some APIs (notably Email Settings, Email Migration, and Gmail IMAP) but I have not gotten it to work with the read-only Provisioning API (the scope with #readonly in it is rejected by the token endpoint).

Some Python test code can be found here. Some fields need to be filled in at the top, and the service account's private key must be in the working directory when you run the script.
The client ID in the code is the service account's 'email address', with an @, but the thing the domain admin puts in their control panel is the client ID without the @'s.
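The 2-legged OAuth2 flow the script above relies on, as an added example that is not Chaskiel's script: the service account POSTs a signed JWT assertion to Google's token endpoint and either gets an access token back or an error such as invalid_scope. The RS256 signer is passed in (it would use the private key file the post mentions); the service account email, the readonly scope string and the 2012-era token endpoint URL are assumed placeholders.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Assumed values: the 2012-era Google token endpoint, a placeholder service
# account client ID (its '@'-style email address) and a placeholder scope.
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
SERVICE_ACCOUNT_EMAIL = "123456789@developer.gserviceaccount.com"
READONLY_SCOPE = "https://apps-apis.google.com/a/feeds/user/#readonly"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_assertion(issuer, scope, sign, now=None, lifetime=3600):
    """Build the JWT bearer assertion. `sign` must return an RS256 signature
    over the signing input, made with the service account's private key.
    The short `exp` and the `aud` bound to the token endpoint limit replay
    of a leaked assertion."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": issuer, "scope": scope, "aud": TOKEN_ENDPOINT,
              "exp": now + lifetime, "iat": now}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def token_request_body(assertion):
    """Form body for the POST to TOKEN_ENDPOINT."""
    return urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                      "assertion": assertion})


def decode_assertion_claims(assertion):
    """Read the claim set back out of a compact JWT (no signature check)."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_token_response(body):
    """Map the token endpoint's JSON body to an outcome string; the
    'invalid_scope' case is what the post above reports for the readonly scope."""
    data = json.loads(body)
    if "access_token" in data:
        return "ok"
    return data.get("error", "unknown_error")
```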

woloski

Oct 2, 2012, 11:41:45 AM10/2/12
to google-app...@googlegroups.com
Yes, I am aware of the Service Accounts and that's what I tried first. I wasn't able to make it work with the provisioning API readonly endpoint. Are you saying that it works with the non-readonly endpoint?

Thanks
Matias

Chaskiel Grundman

Oct 2, 2012, 12:12:46 PM10/2/12
to google-app...@googlegroups.com
No, because the non-readonly scope does not allow for 2-legged use. I was mostly replying to Jay, who said oauth2 didn't have an equivalent to 2-legged. I suspect the 'invalid scope' error is a bug, but who knows.