Provisioning and users sync


Abhay

Dec 9, 2011, 7:05:16 AM
to google-app...@googlegroups.com
Hi,

I am new to using Google Apps APIs and wish to implement provisioning between a Google Apps domain and my web application with Java.

My thinking is that when a Google Apps domain admin signs up for my app and chooses to use his/her Google Apps domain with my app, a user sync will take place. Every time a user is created/edited/deleted, it must happen at both ends.

I am clear with how this can be done from my app to Google Apps domain, but have not understood how this can be achieved the other way.
Also, I have some queries:
  1. Authentication. Which is the best way (if in future I have to opt for OpenID SSO)?
  2. Do I have to repeatedly ask for the GApps Domain admin credentials for each operation if I am not using OAuth?

Thanks in advance.

Gunjan Sharma

Dec 9, 2011, 10:10:44 AM
to google-app...@googlegroups.com
Hello Abhay

Currently there is no way that you can make the Google servers poll you back when there is a creation/edition/deletion of a user. So the only thing you can do is to check in a timely fashion to see if any action was taken.

Other query's answer:
1. The best way to authenticate is using OAuth.
2. No, you don't need to ask for credentials for each operation. Once you get an auth token you can use it for multiple operations. It will be required only if you rerun the script.

Thanks
Gunjan Sharma |  Developer Programs Engineer | gunjan...@google.com |  +91 7702534446



--
You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/HxnOKCcosvoJ.
To post to this group, send email to google-app...@googlegroups.com.
To unsubscribe from this group, send email to google-apps-mgmt...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-apps-mgmt-apis?hl=en.
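
The periodic check described in the reply above can be done by diffing two consecutive user-list snapshots. This is an added example, not part of the original thread and not Google or Provisioning API code; the `DomainUser` fields, the `UserSyncDiff` class and the sample users are assumptions constructed for illustration, and the fetch itself is left out.

```java
import java.util.*;

public class UserSyncDiff {
    // Hypothetical minimal view of a domain user; field names are assumptions.
    record DomainUser(String username, String givenName, String familyName, boolean suspended) {}
    record Changes(List<DomainUser> created, List<DomainUser> updated, List<String> deleted) {}

    // Compare the snapshot stored after the previous poll with the one just fetched.
    static Changes diff(Map<String, DomainUser> previous, Map<String, DomainUser> current) {
        // A failed or truncated fetch must not be read as "every user was deleted".
        if (current.isEmpty() && !previous.isEmpty())
            throw new IllegalStateException("empty fetch; refusing to deprovision all users");
        List<DomainUser> created = new ArrayList<>();
        List<DomainUser> updated = new ArrayList<>();
        List<String> deleted = new ArrayList<>();
        for (DomainUser u : current.values()) {
            DomainUser old = previous.get(u.username());
            if (old == null) created.add(u);
            else if (!old.equals(u)) updated.add(u);
        }
        for (String name : previous.keySet()) {
            if (!current.containsKey(name)) deleted.add(name);
        }
        return new Changes(created, updated, deleted);
    }

    static Map<String, DomainUser> index(DomainUser... users) {
        Map<String, DomainUser> m = new TreeMap<>();
        for (DomainUser u : users) m.put(u.username(), u);
        return m;
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for two consecutive user-list fetches.
        Map<String, DomainUser> lastPoll = index(
            new DomainUser("alice", "Alice", "Ng", false),
            new DomainUser("bob", "Bob", "Rao", false),
            new DomainUser("carol", "Carol", "Diaz", false));
        Map<String, DomainUser> thisPoll = index(
            new DomainUser("alice", "Alice", "Ng", false),
            new DomainUser("bob", "Bob", "Rao", true),      // suspended since last poll
            new DomainUser("dave", "Dave", "Kim", false));  // new account
        Changes c = diff(lastPoll, thisPoll);
        // Apply deletions and suspensions first so revoked access does not linger locally.
        c.deleted().forEach(n -> System.out.println("deprovision " + n));
        c.updated().forEach(u -> System.out.println("update " + u.username() + " suspended=" + u.suspended()));
        c.created().forEach(u -> System.out.println("create " + u.username()));
    }
}
```

The polling interval bounds how long a deleted or suspended domain user keeps working access in the local application, so it should be chosen with deprovisioning delay in mind.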

Jorge Luis Mendez

Dec 9, 2011, 3:52:49 PM
to google-app...@googlegroups.com
Hello Gunjan,

> Other query's answer:
> 1. The best way to authenticate is using OAuth.

OAuth or OAuth 2.0 is the recommended method to authenticate for the Provisioning API?

Jorge Luis Mendez

Dec 9, 2011, 3:58:41 PM
to Google Apps Domain Information and Management APIs
Hello Gunjan,

> Currently there is no way that you can make the Google servers poll you
> back when there is a creation/edition/deletion of a user. So the only thing you
> can do is to check in a timely fashion to see if any action was taken.

Are there plans to provide this functionality? Or are there plans to
provide an API to retrieve the changes after a given date?

Thanks,
Jorge Luis

Gunjan Sharma

Dec 9, 2011, 4:29:39 PM
to google-app...@googlegroups.com
Hello Jorge

OAuth 1.0 is stable and fully functional,
whereas OAuth 2.0 is easier to use but not stable yet.
It's up to you now what you want to use.

The polling by Google server issue has been a very much wanted feature. We already have this feature request in our issue tracker. You can star this issue and you will be notified about whatever changes are made.

Thanks
Gunjan Sharma |  Developer Programs Engineer | gunjan...@google.com |  +91 7702534446




Abhay

Dec 14, 2011, 9:14:40 AM
to Google Apps Domain Information and Management APIs
Thanks Gunjan.

That really helped me clear my vision for the implementation.

On Dec 10, 2:29 am, Gunjan Sharma <gunjansha...@google.com> wrote:
> Hello Jorge
>
> OAuth 1.0 is stable and fully functional,
> whereas OAuth 2.0 is easier to use but not stable yet.
> It's up to you now what you want to use.
>
> The polling by Google server issue has been a very much wanted feature. We
> already have this feature request in our issue tracker. You can star this
> issue<http://code.google.com/a/google.com/p/apps-api-issues/issues/detail?i...> and
> you will be notified about whatever changes are made.
>
> Thanks
> Gunjan Sharma |  Developer Programs Engineer | gunjansha...@google.com |  +91

Abhay

Dec 16, 2011, 1:10:52 PM
to Google Apps Domain Information and Management APIs
Hi,

Can anyone elaborate on the difference between 2-legged and 3-legged
OAuth in terms of:
1. Does the Provisioning API support both of them?
2. If a non-(Google Apps Admin) user of a domain grants access to my
application (which uses 3-legged OAuth), can it create users in their
domain?
I mean, only an Admin can create users, and in 3-legged OAuth the
user granting access may not be the Admin. So, in a way, how does
3-legged OAuth handle this differently from 2-legged?

Also, my app allows Google SSO with OpenID. So can the access tokens
generated and stored securely earlier be used in this auth
scheme?

Thanks in advance.

Shraddha Gupta

Dec 18, 2011, 3:28:33 PM
to google-app...@googlegroups.com
Hello Abhay,

The Provisioning API supports both 2LO and 3LO authentication.

In 3-legged OAuth the Admin needs to grant access to the application to allow the application to create users in the domain.
A non-admin cannot grant access.

This is different from 2LO because 2LO would allow the application to authenticate itself as the admin.

You can use the stored access token that was obtained in exchange for the permission granted by the domain admin.

Thanks,
Shraddha Gupta
Developer Programs Engineer
Hyderabad, Google India.