Tags: python, google-app-engine, oauth-2.0, google-oauth, google-apps-marketplace

Marketplace App SSO issue with Google Appengine - additional prompts are causing App to be refused by Google Team


We have a Google Apps Marketplace App that we need to upgrade to use OAUTH2 or it will be removed from the Marketplace.

We have implemented OAUTH2 as specified at this (example best practices) link:

https://code.google.com/p/google-api-python-client/source/browse/samples/appengine/main.py

Now when a user logs in to the App (even though the domain admin has installed the app and granted access), the user is prompted with a message "Your domain administrator has approved access to xxxxx".

The question is: why is this, and will it cause the App to fail Marketplace best practices and be rejected from the Marketplace?

OAUTH2 is handled by the following scopes / code using the built-in Python Appengine decorators:

    from oauth2client.appengine import OAuth2Decorator

    # Placeholder credentials as posted; the two legacy userinfo scopes are
    # space-separated in a single string, as OAuth2Decorator expects.
    decorator = OAuth2Decorator(
        client_id='ourclientid',
        client_secret='ourclientsecret',
        scope='https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile')

The same scopes are added via the Marketplace SDK and are granted by the domain admin?

I believe Google are removing all Apps from the Marketplace this month that do not use OAUTH2 SSO.


Solution

  • It turned out to be the OAuth2 Python decorators that were causing the problem: when looking at the flow URL, I could see that they were always asking for offline access. To get SSO working using the supplied decorators you need to override them to request ONLINE access. Offline access causes an additional prompt to the user: "Your domain admin has approved access to this App".

    Also, the scopes to use for SSO (as of 10th September 2014) are email profile (no longer the full URL).

    I hope this may save others hours looking through documentation!

    Cheers, Ian.
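The answer's diagnosis came from reading the flow URL, so the check is worth automating. The following is an added example, not code from the question or the answer and not part of oauth2client: it builds an authorization URL with the same query parameters an OAuth2WebServerFlow step-1 redirect carries, and audits a URL (for example one copied from the browser during the login redirect) for the two things the answer identifies, access_type=offline and the legacy full-URL userinfo scopes in place of email and profile. The client id and redirect URI in the usage section are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Google's OAuth2 authorization endpoint that oauth2client's OAuth2WebServerFlow
# redirects to in step 1 of the web-server flow.
AUTH_URI = "https://accounts.google.com/o/oauth2/auth"

# Scopes the answer recommends for Marketplace SSO, and the legacy full-URL
# scopes they replace (the ones used in the question).
SSO_SCOPES = {"email", "profile"}
LEGACY_SCOPES = {
    "https://www.googleapis.com/auth/userinfo.email": "email",
    "https://www.googleapis.com/auth/userinfo.profile": "profile",
}


def build_authorize_url(client_id, redirect_uri, scopes, access_type="online", state=None):
    """Build a step-1 authorization URL with the query parameters a web-server
    flow sends. access_type defaults to "online" here because that is what SSO
    needs; the decorators in the question were sending "offline"."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "response_type": "code",
        "access_type": access_type,
    }
    if state is not None:
        params["state"] = state  # CSRF token binding the callback to this login
    return AUTH_URI + "?" + urlencode(params)


def audit_authorize_url(url):
    """Return a list of findings for an authorization URL. An empty list means
    the URL requests online access and only the SSO scopes (email, profile)."""
    findings = []
    query = parse_qs(urlparse(url).query)

    # Google treats a missing access_type as "online"; anything else is flagged.
    access_type = query.get("access_type", ["online"])[0]
    if access_type != "online":
        findings.append(
            "access_type=%s: offline access triggers the extra "
            "'your domain administrator has approved access' prompt" % access_type)

    scopes = set(query.get("scope", [""])[0].split())
    for scope in sorted(scopes):
        if scope in LEGACY_SCOPES:
            findings.append("legacy scope %s: use '%s' instead" % (scope, LEGACY_SCOPES[scope]))
        elif scope and scope not in SSO_SCOPES:
            findings.append("scope %s is not one of the SSO scopes (email, profile)" % scope)
    return findings


if __name__ == "__main__":
    # Constructed placeholders, not real credentials or a real callback.
    legacy_url = build_authorize_url(
        "ourclientid", "https://example.com/oauth2callback",
        list(LEGACY_SCOPES), access_type="offline")
    for finding in audit_authorize_url(legacy_url):
        print("FAIL:", finding)

    sso_url = build_authorize_url(
        "ourclientid", "https://example.com/oauth2callback", ["email", "profile"])
    print("SSO URL findings:", audit_authorize_url(sso_url))
```

In oauth2client releases where OAuth2Decorator forwards extra keyword arguments to the OAuth2WebServerFlow it creates (an assumption about the library version in use; check yours), passing `access_type='online'` to the decorator produces the online URL above without overriding the class; the audit function lets you confirm that from the redirect the user actually receives.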