Tags: java, google-oauth, google-apps-marketplace, google-oauth-java-client

Google Marketplace App / OAuth2 - Programmatically Delegate Domain-Wide Authorization


Context

I'm currently migrating an OAuth 1.0/OpenID-based app over to use OAuth 2.0. The app is a Google App Engine app built in Java and will be in the new Apps Marketplace 2.0. I've got the basic OAuth 2.0 flow working fine for individual users but am having trouble setting up the service account for my scenario below.

Issue

The flow I'm trying to enable is as follows:

  1. Domain admin installs app from apps marketplace
  2. Domain admin grants requested scopes (e.g. admin sdk, profile, email, etc)
  3. Users from the new domain can log in without any prompts for scope permission
  4. As users log in, my app's service account can access the new domain's user details using the admin sdk to check if the user is an admin

In order to enable #4, my understanding is that my app's service account needs to be granted domain-wide authorization for the requested scopes for the new user's domain.

The Google documentation shows how this is done manually through the admin console (https://developers.google.com/drive/web/delegation) by the domain admin, but I haven't had any luck finding documentation on how to programmatically/automatically grant access to my app's service account.

Question

Has anyone had any luck with this? Or perhaps is there another/smarter way to check if a user is an admin of their domain without having to use a service account + admin sdk combo?

Thanks in advance!


Solution

  • Mark your app as DOMAIN_INSTALLABLE and create a service account in the API project attached to that app. Admin users will install it from the marketplace, which will grant domain-wide delegation to your service account. See the doc here.

    Note that you will also need an admin user's email to impersonate in order to access the Admin SDK. You can ask the person who installs the app to provide a proper email during the setup phase. You will have to publish a web application to perform the setup, and provide a URL to this web application in the Marketplace SDK configuration.
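The following is an added example (not code from the question or the answer) of what step 4 of the question and the impersonation note in the answer look like with google-oauth-java-client and the Admin SDK Directory API: the app's service account, which received domain-wide delegation when the admin installed the app, impersonates the admin email collected during setup and reads the `isAdmin` flag of the user who is logging in. The service account address, P12 key path, application name and both email addresses are constructed placeholders.

```java
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.DirectoryScopes;
import com.google.api.services.admin.directory.model.User;

public class DomainAdminCheck {

    // Hypothetical values: the service account created in the app's API project and
    // the P12 key downloaded for it. Keep the key out of source control in practice.
    private static final String SERVICE_ACCOUNT_EMAIL =
            "my-app@my-project.iam.gserviceaccount.com";
    private static final File SERVICE_ACCOUNT_P12 = new File("/path/to/service-account.p12");

    // The read-only user scope is enough to read isAdmin; request only the scopes the
    // marketplace listing asks the installing admin to grant, since delegation is per scope.
    private static final String SCOPE = DirectoryScopes.ADMIN_DIRECTORY_USER_READONLY;

    /** Builds a credential that acts as the installing admin of the customer's domain. */
    static GoogleCredential credentialFor(String adminEmailToImpersonate,
                                          HttpTransport transport, JsonFactory jsonFactory)
            throws GeneralSecurityException, IOException {
        return new GoogleCredential.Builder()
                .setTransport(transport)
                .setJsonFactory(jsonFactory)
                .setServiceAccountId(SERVICE_ACCOUNT_EMAIL)
                .setServiceAccountPrivateKeyFromP12File(SERVICE_ACCOUNT_P12)
                .setServiceAccountScopes(Collections.singleton(SCOPE))
                // Domain-wide delegation only takes effect when the service account
                // acts on behalf of a user of that domain; the admin email from setup.
                .setServiceAccountUser(adminEmailToImpersonate)
                .build();
    }

    /** Returns true if userEmail is a super admin in the impersonated admin's domain. */
    static boolean isDomainAdmin(String adminEmailToImpersonate, String userEmail)
            throws GeneralSecurityException, IOException {
        HttpTransport transport = GoogleNetHttpTransport.newTrustedTransport();
        JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
        GoogleCredential credential = credentialFor(adminEmailToImpersonate, transport, jsonFactory);

        Directory directory = new Directory.Builder(transport, jsonFactory, credential)
                .setApplicationName("my-marketplace-app") // hypothetical name
                .build();

        // users().get accepts the primary email as the user key.
        User user = directory.users().get(userEmail).execute();
        // getIsAdmin() is null when the field is absent; treat that as "not an admin".
        return Boolean.TRUE.equals(user.getIsAdmin());
    }

    public static void main(String[] args) throws Exception {
        // Both addresses are constructed placeholders for a customer domain.
        boolean admin = isDomainAdmin("admin@customer-domain.example",
                                      "alice@customer-domain.example");
        System.out.println("alice is admin: " + admin);
    }
}
```

Two checks matter here. First, the impersonated admin and the looked-up user must belong to the same domain, so the setup page should verify that the email the installer supplies is in the domain that installed the app before storing it, otherwise the app would be running Admin SDK calls as whichever account was typed in. Second, the `get` call fails with a 403 if the scope was not granted at install time or the service account's delegation was revoked, so that error path should be handled as "cannot determine" rather than silently treated as "not an admin".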