Does the policies scope of the Provisioning API support 2LO?

[mp]

Does the policies scope of the Provisioning API actually support 2LO?  This suggests it does:

http://code.google.com/googleapps/marketplace/manifest.html#supported_scopes

But this section talks about 3LO:

http://code.google.com/googleapps/domain/provisioning_API_v2_developers_guide.html#3LO_Tokens

I also found these two issues:

http://code.google.com/a/google.com/p/apps-api-issues/issues/detail?id=2312

http://code.google.com/a/google.com/p/apps-api-issues/issues/detail?id=2461

[Claudio Cherubino]

Hi,

The policies scope in the Marketplace docs (https://apps-apis.google.com/a/feeds/policies/#readonly) provides 2LO read-only access to the Organization Units and Organization Users feeds.

With 3LO (and the scope https://apps-apis.google.com/a/feeds/policies/) you also get access to the customerId.

Claudio

--
You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/Ll-hGQ_0PZIJ.
To post to this group, send email to google-app...@googlegroups.com.
To unsubscribe from this group, send email to google-apps-mgmt...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-apps-mgmt-apis?hl=en.

[mp]

Hi Claudio,

I am trying to get read-only access to the Organization Units and Organization Users feeds using *only* 2LO.  However, all of the APIs for these feeds require the customer ID.  Are you saying it is not possible to use only 2LO since 3LO is required to obtain the customer ID?

Thanks.

[Claudio Cherubino]

That's correct, using 2LO only it is not possible to retrieve the customer ID and without it you can't access the OU feeds.

Claudio

--

You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.

To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/SzGeiocAunkJ.

[mp]

Can you confirm that the customer ID is constant and never changes for a given domain?

[Claudio Cherubino]

The customer ID is constant for a given Google Apps account, but please note that domains can move from an account into another (e.g. for company acquisitions).

Claudio

On Tue, Feb 21, 2012 at 4:03 PM, mp <mau...@cloudlock.com> wrote:

Can you confirm that the customer ID is constant and never changes for a given domain?

--

You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.

To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/axTwY0PrVJkJ.

[mp]

Thanks Claudio.

By the way, it seems like an oversight to require 3LO for an installed Google Apps Marketplace application that has already granted access to its domain.  Don't you think it would make sense to allow 2LO for the critical API that returns the customer ID?

Also, is there any other way to obtain the customer ID without 3LO or ProgrammaticLogin (email + password)?

[Claudio Cherubino]

I agree that this is not the best user experience but unfortunately there's no other way to obtain the customer ID without 3LO or ClientLogin (which is even less recommended).

I'd appreciate if you could add your perspective to the public issue tracker (http://code.google.com/a/google.com/p/apps-api-issues/issues/detail?id=2312) so that we can track all details of this feature request in a single place.

Thanks

Claudio

--

You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.

To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/Ozu6Quu9WKUJ.

[mp]

OK, I updated issue 2312.

Last question: can you confirm that the multidomain provisioning API still supports 3LO and not 2LO?

Thanks.

[mp]

I noticed your remark on this topic from last July:

http://code.google.com/googleapps/support/domain_info_and_management_forum.html?place=msg%2Fgoogle-apps-mgmt-apis%2F0N7d6dABs5M%2FzyZ0xNTuUwsJ

[Claudio Cherubino]

Yes, that's the correct, the MDM user feed doesn't support 2LO.

Thanks

Claudio

--

You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.

To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/ZIKNmNqrF18J.

[mp]

Hi Claudio,

I get a 500 Internal Error when attempting to use 2LO to obtain Organization Units data (when I already have the customer ID).  Can you confirm that these endpoints are working correctly using 2LO?

See comment 10 of Issue 2312 for another person who was seeing this error back in January:

http://code.google.com/a/google.com/p/apps-api-issues/issues/detail?id=2312

Thank you.

[Claudio Cherubino]

Hi,

Organization Units data can be accessed using 2LO, but in order to use the https://apps-apis.google.com/a/feeds/policies/#readonly scope, the app must be installed from the Marketplace.

Is that your case?

Claudio

--

You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.

To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/Nwab4ciOWzgJ.

[mp]

Yes, I have an app in the marketplace.  It has the scope https://apps-apis.google.com/a/feeds/policies/#readonly in the manifest, and I made sure to approve the permissions on the domain it's installed on.  I also made sure that the keys I'm using are correct.

Using gdata-python-client 2.0.16, I get the 500 Internal Server Error only when using OU APIs.  Other APIs such as the Documents List APIs work fine.

For debugging purposes I also wrote a custom OAuth client (completely separate from gdata-python-client), and it also works well with Documents List endpoints, but gets 500 errors with OU endpoints.

Unfortunately the server doesn't return any more information to explain this error.  Note:  If the error was OAuth-related, it would be a 4xx error.

Finally, in all of these situations I have the customer ID.

[andy]

Hi,

I am also having this exact same problem with 2LO, OU APIs are failing with 500 Internal Server Error.  The app has the correct scope and is installed as a Marketplace application.  Other APIs (user provisioning API readonly, for example) are working correctly from the same application.

Could someone from Google confirm the situation with the OU APIs and 2LO?

Thanks!

[mp]

Claudio, any updates on this?  See my last post above for details.

[Claudio Cherubino]

Hi,

I reported it to the engineers and I'll update this thread as soon as I hear back from them.

Thanks

Claudio

On Mon, Apr 16, 2012 at 7:25 AM, mp <mau...@cloudlock.com> wrote:

Claudio, any updates on this?  See my last post above for details.

--

You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.

To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/Z1Fqxt-6z9cJ.

[mschlans]

Any update on this?  We're trying to do the same thing, use marketplace keys to pull down a customerid for a Google Apps domain.  Any update would be appreciated.

Thanks,

Mike

On Monday, April 16, 2012 12:25:23 PM UTC-4, Claudio Cherubino wrote:

Hi,

I reported it to the engineers and I'll update this thread as soon as I hear back from them.

Thanks

Claudio

On Mon, Apr 16, 2012 at 7:25 AM, mp <mau...@cloudlock.com> wrote:

Claudio, any updates on this?  See my last post above for details.

--
You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.

To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/Z1Fqxt-6z9cJ.

To post to this group, send email to google-app...@googlegroups.com.

To unsubscribe from this group, send email to google-apps-mgmt-apis+unsub...@googlegroups.com.