Expected user workflow regarding permissions/scope of installed Marketplace app using OAuth2

Jon Gartman

Oct 31, 2013, 12:03:34 PM
to apps-marketplac...@googlegroups.com
I have an application that I have listed and for which I have specified a single scope. During installation, an administrator is required to grant permissions based on this scope. I have installed my app in my domain and granted permissions according to the scope.

How do I access user data (according to the scope specified in the app manifest) via the Google APIs using OAuth2?
  • Because I want to access user data, I believe I can't/shouldn't use a Service Account.
  • The OAuth2 flow seems to require user consent during initial API access. I'd rather avoid this since the user has already consented during installation.
  • The user-consent-required approach is three-legged OAuth2, but I believe what I want is two-legged OAuth2, but this post seems to point me back to a Service Account (https://groups.google.com/forum/#!msg/google-oauthplayground/-npgnxAXc5A/qix84zxUAC4J).
  • I'm using Python and the Google library for Python seems to only support the three-legged flow or the JWT-based Service Account approach.

Specifically this is the scope to which I'm trying to request access: https://www.googleapis.com/auth/admin.directory.user.readonly
The API I'll be accessing seems to be named admin and the version seems to be: directory_v1

My application does not need/want to act on behalf of a user per se, I just want to access all users on a domain. I'd rather not have to have the domain administrator enable access to the administrative APIs (https://support.google.com/a/answer/60757?hl=en). I feel like I'm seriously misunderstanding how permissions/scopes/grants work and interact with administrator users on a domain.

In the interest of providing as much info as possible, here's what I think I want:
  1. Domain administrator installs my app from the Marketplace.
  2. Domain administrator grants permissions to my app based on the scope(s) indicated in the app manifest.
  3. During installation the domain administrator gets taken to my external configuration page. During this request, my application would access Google APIs according to the declared scope(s) transparently to the user.
  4. After external configuration, user completes install.
  5. Done.

Jon Gartman

Oct 31, 2013, 12:04:43 PM
to apps-marketplac...@googlegroups.com
This was posted here because the linked support forums have been unavailable the last few days: https://code.google.com/googleapps/support/

Daniel Florey

Nov 27, 2013, 4:26:21 AM
to apps-marketplac...@googlegroups.com
I'm also very confused about how to correctly implement the OpenID/OAuth2 flow.
I am using Google App Engine on the server.
How to integrate GAE UserService (Federated Login via OpenID) with the Google Apps Marketplace?
The documentation seems to be old and outdated and refers to the step2 library, which was last updated in 2010.
Can someone post a sample of how to build a minimal app using GAE that integrates into the new Marketplace?
I am using Java.
Thanks a lot!
Daniel  

narita

Dec 3, 2013, 4:15:48 AM
to apps-marketplac...@googlegroups.com
I think this article will be very helpful for you.

But it seems we can't create a private Marketplace app, so I can't confirm it runs correctly.