Gmail API - Scope - oauth-2.0

I am using a service account and domain wide delegation described here and I am able to get all emails from all email accounts on that specific domain. The scope that I am using is
https://mail.google.com/
Is there any way that I can exclude some email accounts (for example admin email accounts) from the whole domain? Is there a different procedure in order to achieve this?
To further clarify what I mean here is an example of what I want to do:
the service account will be able to access example_a@domain.com, example_b@domain.com but not admin@domain.com
Thanks!

It's not possible to remove access to some accounts when doing domain-wide authorization with service accounts. It's all or nothing. If your security requirements forbid direct access to some portion of domain accounts you'll need to use regular OAuth 2.0 authentication, not a service account.

Related

Access Google Drive of ALL Users in Customer's Google Workspace Domain using Admin Login

I am working on a Google Drive Migration project for migration of Google Drive Files to different destinations.
How do I access a user's Google Drive files in a different (i.e. customer's) Google Workspace?
I read about 2-legged OAuth and 3-legged OAuth
https://support.google.com/a/answer/2538798?hl=en
It says "Traditionally with Google, 2-legged OAuth is for administrator-managed applications, in that an administrator grants access to an application to access data for the Google service for ALL users in their domain. Common data requested for access include: Groups Provisioning, User Provisioning, Calendar, and Contacts."
Can I use the 2-legged OAuth approach and ask the Admin to sign in and grant permissions to access Google Drive Files and Folders for ALL users in the domain?
If yes, how do I impersonate or access a particular user's Google Drive files using Drive APIs such as:
https://www.googleapis.com/drive/v3/files/root
or
https://www.googleapis.com/drive/v3/files?q={fileid}+in+parents
Thanks
Even Super Admins of a domain cannot access all users' files by themselves, so you can't just have an administrator log in to your app via OAuth to gain access to the entire domain. The article that you linked says that the 2LO approach has been deprecated and you cannot use it this way anymore:
Important: OAuth 1.0 2LO was entirely deprecated on October 20, 2016. The easiest way to migrate to the new standard is to use OAuth 2.0 service accounts with domain-wide delegation.
Instead, you need a Service Account that has been granted domain-wide delegation on your target domain. Here's an overview of how it works:
Create the GCP project that your migration app will use.
Enable the APIs that you will use. It should be at the very least the Drive API since that's what you're looking for.
Configure the OAuth consent screen of your project with the proper scopes and publish it.
Create a service account and set up its credentials.
Once your app is published, you can get the ID of the service account that you created and ask the other domain's admin to grant domain-wide delegation to it. This means that the other admin will add your service account's ID to their list, along with the allowed scopes.
Once the other admin has granted domain-wide delegation to your service account you can call your authorized APIs and impersonate their users. The exact syntax depends on your language but here are some examples.
Essentially, you need to gather a list of the users, then impersonate them one by one with your service account. With each impersonation you are acting as if you were the user so you can just call the Drive APIs normally to list the user's files and migrate them as needed. Without knowing your language of choice I cannot provide a specific example but I hope this gives you a general idea of how it works.
References:
Domain-wide delegation
API access with service accounts

Bypassing using OAuth for GSuite Mails

Is there a way for me to bypass the need to use OAuth to send out emails using the G-Suite platform in my application?
I am still able to send out using the Microsoft 365 platform, but some of my clients will not move to 365 and prefer G-Suite.
You can use a service account. You will need to have the admin of the domain configure domain wide delegation to an account on the domain.
Once delegation is configured you can then use your code to impersonate a user on the domain and send emails on their behalf. This is what I normally do with a system designed for sending email confirmation mails. When a user creates a new account the system could send a confirmation email on behalf of, say, noreply@yourdomain.com.
Your issue is going to be the fact that your clients are the ones who own the domain, so you're going to have to get the Google Workspace admin for your client to set this up for you.
The other option would be to use standard OAuth2 and authorize a user on the domain and send emails on their behalf.
The issue with that is going to be that your application will need to be verified with one of the highest protected scopes. Your app will need to go through a security audit before it is verified. Last I checked that audit will cost you $15k-75k.

OpenID vs OpenID Connect vs OAuth which to use and how to implement?

I wish to set up a login system where I would be making multiple independent web (rails, Django, node, php, etc.) and android applications to be used by students of my institute, and all of these applications should use only one account with one username and password. I searched for state-of-the-art methods for doing this and found out about OpenID, OpenID Connect and OAuth 2.0. I do understand the difference between them; however, what I am confused about is which to use here.
The system should be something similar to what Google has implemented. Google has https://accounts.google.com where you can manage your account, password, profile, etc. Similarly, there should be a website where the users sign up and create their account (let it be accounts.xyz.com). When you open an application, you should enter the username and password which you set up on accounts.xyz.com, and this gives the application access to some (or all) user data.
Alternatively, there can be a simple Sign in with accounts.xyz.com button on each application which does the same work as the username and password login.
Which of the two methods is better, what is to be used to implement it, and how to implement it? Is there a simpler way of doing it so that I can make sure only students of my institute have access to the application?
OpenID is deprecated in lieu of OpenID Connect.
OAuth 2.0 is for delegation to an Application for accessing of APIs. So, use OpenID Connect.
To sign in with accounts.xyz.com would require you to implement your own OpenID Connect Provider or some alternative Authentication method.

Office 365 oAuth verify user is member of organization

I am building a web application for a client, and logging in with Office 365 is a requirement for the client. I am having a difficult time deciphering what exactly I need to do so that only users with an email address belonging to their Office 365 organization can authenticate with my app using OAuth.
Is there a way to do this? Or am I going to have to implement the AD 1.0 endpoints? Being able to pull the users' groups and other enterprise-related data would be great, but for simplicity's sake, all I really need to do is verify that they are a part of an organization.
How would I do this using the AD 2.0 endpoints?
The tenant id (tid) claim in the identity token would identify which organization (tenant) they belong to. But even easier than just checking the tid for every user would be to use the tenant-specific logon URL. So instead of the /common/oauth2/v2.0/authorize endpoint, use /<tenantid>/oauth2/v2.0/authorize.
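To apply the tid check the answer describes, here is an added example in Go (not from the question or the answer) that admits an ID token only when its tid, issuer and audience match the expected tenant and application; the tenant ID, client ID and token claims are constructed placeholders, and it assumes the token's signature was already verified against the tenant's signing keys.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims of a Microsoft identity platform v2.0 ID token that the check needs.
type IDClaims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Tid string `json:"tid"`
	Sub string `json:"sub"`
}

// CheckTenant admits a user only if the token's tid is the customer's tenant, and also pins the
// issuer to that tenant and the audience to this app's client ID, so a valid token minted for another
// tenant or another app is rejected. Assumes the signature was verified first; this inspects claims only.
func CheckTenant(idToken, expectedTid, clientID string) (IDClaims, error) {
	var c IDClaims
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("bad payload encoding: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, fmt.Errorf("bad payload json: %w", err)
	}
	if c.Tid != expectedTid {
		return c, fmt.Errorf("tenant %q is not the expected tenant", c.Tid)
	}
	if c.Iss != "https://login.microsoftonline.com/"+expectedTid+"/v2.0" {
		return c, fmt.Errorf("issuer %q does not belong to the expected tenant", c.Iss)
	}
	if c.Aud != clientID {
		return c, fmt.Errorf("audience %q is not this application", c.Aud)
	}
	return c, nil
}

// MakeDemoToken builds a token from constructed claims so the check can run offline; the third segment is a placeholder, not a real signature.
func MakeDemoToken(c IDClaims) string {
	enc := base64.RawURLEncoding.EncodeToString
	body, _ := json.Marshal(c)
	return enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(body) + ".placeholder-signature"
}
```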

Google API : How to authenticate without redirection?

We want to use Google Doc API to generate Document (In our own business account) when our end users do some actions on our site.
The problem is that we've tried to implement the OAuth 2.0 protocol, as suggested in the v3.0 protocol documentation. The apiClient::authentication method does a redirection. This is a major problem because our users don't know the access to our own business account.... and we don't want to give them access anyway ;)
(In other words, we're not creating an application that allows our users to edit their own data, but to interact with our data, like a database.)
I've read that the point of OAuth 2.0 was to avoid that we manage the credentials of our users. I'm personally O.K. with the concept, but in our case, we don't want to get authenticated in the Google account of our users ...
So, what would be the best approach to get a valid authentication without any interaction from the end user ?
What you describe is not how 3-legged OAuth was designed to be used.
3-legged OAuth is all about delegated authentication where a user (who knows his password) can grant limited and revocable resource access to an application. That application never sees the user's password. There is a bunch of work involved to safely allow the application to impersonate the user.
What you probably want is to use the (2-legged) OAuth flow, where the consumer_id/consumer_secret credentials are embedded in your application. Here your application is not impersonating your end user and there would be no browser redirection involved.
Here's some further info on using 2-legged OAuth in Google Apps:
http://googleappsdeveloper.blogspot.com/2011/07/using-2-legged-oauth-with-google-tasks.html
And this is a good description of 3- vs 2- legged OAuth:
http://cakebaker.42dh.com/2011/01/10/2-legged-vs-3-legged-oauth/
You will need to use a SERVICE ACCOUNT. Basically you are hard coding access to this account into your server application. Then you use sharing to give the account access to the content you want. For example you can share a Google Doc or an Analytics profile with the SERVICE ACCOUNT.
Here is a complete example implementation of setting up a service account, logging in and then using it.
Updated 2018-12-12: https://gist.github.com/fulldecent/6728257
Why not get one OAuth authorization for your business account and have all users use that account? Since it sounds like you want everyone accessing the data for one account, the details can be hidden from the end user.
The access token would be shared by all users and they would all hit the same account back end without any authorization for each user's own account.
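As an added example serving both the Drive migration answer above (impersonating each user through the sub claim) and the service-account answer to this question (no sub, acting as the account itself), here is Go code, written for this page and not taken from any of the answers or from Google's client libraries, that builds the RS256-signed JWT assertion a service account exchanges at the token endpoint; the service-account address, the user addresses and the generated key are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
)

const TokenURL = "https://oauth2.googleapis.com/token"
// Claim set of the JWT a service account exchanges for an access token at TokenURL. With
// domain-wide delegation, Sub names the Workspace user to impersonate; empty means act as the account itself.
type SAClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub,omitempty"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}
var enc = base64.RawURLEncoding
// DemoKey generates a throwaway RSA key standing in for the private key from the service account's JSON file.
func DemoKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// BuildAssertion signs the claim set (one-hour lifetime, Google's maximum) with the account's RSA key; the
// result is POSTed to TokenURL as grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<jwt>.
func BuildAssertion(key *rsa.PrivateKey, saEmail, user, scope string, now int64) (string, error) {
	header := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(SAClaims{Iss: saEmail, Sub: user, Scope: scope, Aud: TokenURL, Iat: now, Exp: now + 3600})
	input := header + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input)) // RS256 = PKCS#1 v1.5 signature over SHA-256(header.payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// AssertionsForUsers follows the migration answer: one assertion per user, each impersonating that user.
func AssertionsForUsers(key *rsa.PrivateKey, saEmail, scope string, users []string, now int64) (map[string]string, error) {
	out := make(map[string]string, len(users))
	for _, u := range users {
		a, err := BuildAssertion(key, saEmail, u, scope, now)
		if err != nil {
			return nil, err
		}
		out[u] = a
	}
	return out, nil
}
```

Each assertion is exchanged separately for its own short-lived access token, and the sub claim is the only thing that distinguishes one user's token request from another's, which is why the delegation grant itself cannot carve out individual accounts.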
