Identify the role, groups or organisation unit of a Google Apps user logged in through OAuth2

I have a PHP web application which has implemented OAuth2 authentication with our Google Apps account. This was a simple task of setting up an app in the developers console and using google-api-php-client to authorise the user, and checking that their email matches my Google Apps domain.

While OAuth2 authorisation gives me the basic info for the user, I'd like to also check that the user has a particular role OR organisation unit OR member group.

If I could query/check any one of these, I would be able to enable/disable functionality within my web application dependent on the user configuration in the Google Apps account - rather than storing a user list and access levels within the web application.

Can anyone tell me how I can have my app request this additional information? I've hunted around the Provisioning (deprecated) and newer Directory API, but I am under the impression that the logged-in user (rather than the app) would need to have full admin access to actually query for user or group information.

Solution

  • Your impression is correct. There is no API call for a user to determine their own group membership or orgUnit.

    You might consider creating a delegated admin account that has only rights to read groups and orgUnits via the API and authenticate as that user when you need to determine this information for users.
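The approach in the answer, as an added example in PHP with google-api-php-client (it is not code from the question or the answer): a service account with domain-wide delegation impersonates a delegated admin that holds only read rights on users and groups, then looks up the logged-in user's group membership and orgUnit to decide a feature flag. The key-file path, the delegated admin address, the group, the OU path and the user address are assumed placeholders.

```php
<?php
// Added example, not code from the question or answer. Uses google-api-php-client (v2)
// with a service account that has domain-wide delegation and impersonates a delegated
// admin holding only read rights on users and groups. All values below are placeholders.
require_once __DIR__ . '/vendor/autoload.php';
const SERVICE_ACCOUNT_JSON = __DIR__ . '/service-account.json'; // placeholder
const DELEGATED_ADMIN      = 'directory-reader@example.com';    // placeholder
const REQUIRED_GROUP       = 'app-editors@example.com';         // placeholder
const REQUIRED_OU_PREFIX   = '/Engineering';                    // placeholder
function directoryService(): Google_Service_Directory
{
    $client = new Google_Client();
    $client->setAuthConfig(SERVICE_ACCOUNT_JSON);
    // Read-only scopes are enough; do not delegate the full admin.directory.* scopes.
    $client->setScopes([
        'https://www.googleapis.com/auth/admin.directory.group.readonly',
        'https://www.googleapis.com/auth/admin.directory.user.readonly',
    ]);
    $client->setSubject(DELEGATED_ADMIN); // act as the delegated admin, not the end user
    return new Google_Service_Directory($client);
}

// All group addresses the user is a direct member of, following pagination.
function userGroups(Google_Service_Directory $dir, string $email): array
{
    $groups = [];
    $params = ['userKey' => $email];
    do {
        $page = $dir->groups->listGroups($params);
        foreach ((array) $page->getGroups() as $g) {
            $groups[] = strtolower($g->getEmail());
        }
        $params['pageToken'] = $page->getNextPageToken();
    } while (!empty($params['pageToken']));
    return $groups;
}

// Access decision: member of the required group OR placed under the required OU.
function mayEditReports(Google_Service_Directory $dir, string $email): bool
{
    return in_array(strtolower(REQUIRED_GROUP), userGroups($dir, $email), true)
        || strpos($dir->users->get($email)->getOrgUnitPath(), REQUIRED_OU_PREFIX) === 0;
}
$email = 'alice@example.com'; // in practice: the address returned by the OAuth2 login
try {
    echo mayEditReports(directoryService(), $email) ? "enable editing\n" : "read-only\n";
} catch (Google_Service_Exception $e) {
    error_log('Directory lookup failed: ' . $e->getMessage()); // e.g. 403: missing privilege
    echo "read-only\n"; // fail closed
}
```

For this to work, the two read-only scopes must be granted to the service account's client ID under domain-wide delegation in the Admin console, and the delegated admin's custom role needs only the Users read and Groups read privileges. A 403 from the API therefore means a privilege or scope is missing, and the application should treat that as "no access" rather than fall back to an open default.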