The question looks very easy to answer, but the documentation is not really clear about it. I am using OAuth 2.0 to authorize requests, but in the end only administrators are able to use the APIs; normal users get an error. Am I missing something in my configuration, or are normal users simply not allowed to use the Directory API? As far as I can tell, it should not be possible, but I see many reasons why it should be. For instance, in my applications I'd like to handle permissions based on the user's OU. Unfortunately I couldn't find a way to do that, because every call to the API must be authorized by an authenticated user. But what if that user is not an administrator?
For instance, if I try to execute this API example as a normal user I get the following error:
"Not Authorized to access this resource/api".
Whereas with an administrator account I can successfully retrieve the JSON result.
It makes sense that only the admin of the domain can use the Directory API (which is a subset of the Admin SDK) - only the domain admin has access to all the user data.
You can access the Directory API for the relevant domain using a service account - which will give you the full access that was granted in the scopes by the domain admin when allowing your app. Afterwards, you'll decide on your server side which features you want to expose to "regular" users, and which you expose to the admins only.
But again, in order to do that, you need to find a way to implement a service account mechanism in your app.
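A sketch of the server-side pattern this answer describes, as an added example that is not from the original posts: a service account with domain-wide delegation reads a user's `orgUnitPath` with a read-only scope, and the application decides per feature what that OU may do. The feature names, OU paths and `FEATURE_OUS` policy are hypothetical; the key file and admin address are supplied by the caller.

```python
from typing import Callable

READONLY_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"
# Hypothetical policy: OU subtrees allowed to use each feature of your own app.
FEATURE_OUS = {"view_reports": ["/Staff"], "manage_devices": ["/Staff/IT"]}

def make_directory_lookup(key_file: str, admin_email: str) -> Callable[[str], str]:
    """Return a function mapping a user's email to their orgUnitPath.

    Needs google-auth and google-api-python-client. The domain admin must have
    granted the service account domain-wide delegation for READONLY_SCOPE only;
    admin_email is the admin the service account acts as.
    """
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=[READONLY_SCOPE], subject=admin_email)
    directory = build("admin", "directory_v1", credentials=creds)

    def lookup(email: str) -> str:
        return directory.users().get(userKey=email).execute()["orgUnitPath"]
    return lookup

def ou_within(ou_path: str, allowed_root: str) -> bool:
    """True if ou_path is allowed_root or below it, comparing whole segments
    so that /Staff/ITContractors does not match /Staff/IT."""
    ou = ou_path.rstrip("/") or "/"
    root = allowed_root.rstrip("/") or "/"
    if root == "/":
        return True
    return ou == root or ou.startswith(root + "/")

def is_allowed(email: str, feature: str, lookup: Callable[[str], str]) -> bool:
    """Authorize a regular user for one feature based on their OU.

    email must come from the user's verified sign-in session, never from a
    request parameter, because the lookup runs with delegated admin rights.
    """
    roots = FEATURE_OUS.get(feature)
    if not roots:
        return False  # unknown feature: deny
    try:
        ou = lookup(email)
    except Exception:
        return False  # lookup failed or user not in the domain: fail closed
    return any(ou_within(ou, root) for root in roots)
```

The regular user never receives directory credentials or raw directory data; only the boolean decision leaves the server.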