
Limit Google OAuth2 scope requirement to a domain


I'm currently working on a Google App Engine / Java based app that has just been migrated over to the new Google marketplace and am wondering if there's any way to restrict a scope requirement to a specific domain. The scenario I'm trying to enable is as follows.

Our app enables admins to run commands that read data from docs/sheets stored in Google Drive. An "admin" is anyone that belongs to the app's primary domain. The commands use a service account to access Google Data APIs and as such, require the appropriate scopes to be defined in the call and also enabled in the Marketplace API Console. The scopes we're using are: https://spreadsheets.google.com/feeds, https://docs.google.com/feeds

The issue is that enabling these scopes forces all of our customers in other domains to be required to grant access to the scopes as well. There are no scenarios when the app needs access to these other domains' drives so this is unnecessary and also not desirable from our customers' point of view.

Is it possible to request/grant a specific set of scopes for our app's admins but not to other customers?


Solution

  • If this is only for your internal admin users (i.e. not the customer's admins but the application creator's admins), you should not use the marketplace authorization for this.

    Instead you should use either:

    • Direct OAuth authorization request to the admin users. In other words, pop up an authorization request for those users and store the access and refresh token in App Engine so that you can then access their Drive files.

    • Service account + domain-wide delegation setup specifically for your domain. See how to set this up here. This is basically the same kind of process as the marketplace, but you authorize the service account without installing the marketplace app.

    • Use a service account to identify your app in Drive, and then share the required Drive files with this service account's email. Then your app will be able to access those files as if it were a normal user. More details here.
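The following is an added example, not code from the question or the answer above, showing the first option in practice: the Marketplace listing keeps only a minimal set of scopes, and the two Drive feed scopes from the question are requested in a separate, direct OAuth authorization request that is only ever built for users whose verified Google ID-token `hd` claim matches the vendor's own domain. The app in the question is Java, but the decision logic is shown in Python for brevity. `PRIMARY_DOMAIN`, `CLIENT_ID`, `REDIRECT_URI`, `BASE_SCOPES` and the sample claim dictionaries are constructed placeholders; ID-token signature, issuer and audience verification is assumed to happen before `claims` reaches these functions.

```python
"""Per-domain scope selection for a Google Marketplace app (added example).

The Marketplace install grants only BASE_SCOPES to every customer domain. The
Drive scopes are requested out-of-band, via a direct OAuth 2.0 authorization
URL, and only for accounts in the vendor's primary domain.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; replace with the real project configuration.
PRIMARY_DOMAIN = "example-app-vendor.test"
CLIENT_ID = "PLACEHOLDER_CLIENT_ID.apps.googleusercontent.com"
REDIRECT_URI = "https://app.example.test/oauth2callback"

# Scopes every Marketplace customer grants at install time (constructed; minimal).
BASE_SCOPES = ("openid", "email")

# The two scopes named in the question. They never appear in the Marketplace
# listing; they are requested only in the vendor-admin flow below.
ADMIN_DRIVE_SCOPES = (
    "https://spreadsheets.google.com/feeds",
    "https://docs.google.com/feeds",
)

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def hosted_domain(claims):
    """Return the `hd` claim of already-verified Google ID-token claims, or None.

    `hd` is only present for Google Workspace accounts; consumer accounts carry
    no `hd`, so they can never be treated as the vendor's admins. The value
    comes from the verified token, never from user-supplied form input.
    """
    hd = claims.get("hd")
    if not hd or not claims.get("email_verified", False):
        return None
    return hd.lower()


def is_primary_domain_user(claims, primary_domain=PRIMARY_DOMAIN):
    """True only when the token's hosted domain equals the vendor's domain."""
    return hosted_domain(claims) == primary_domain.lower()


def scopes_for_user(claims):
    """Least privilege: Drive scopes are added only for the vendor's own admins."""
    if is_primary_domain_user(claims):
        return BASE_SCOPES + ADMIN_DRIVE_SCOPES
    return BASE_SCOPES


def build_admin_drive_authorization_url(claims, state):
    """Build the direct (non-Marketplace) authorization request for a vendor admin.

    Raises ValueError for anyone outside the primary domain so the Drive scopes
    are never shown to customer accounts. access_type=offline asks for a refresh
    token so it can be stored server-side (App Engine in the question). The `hd`
    parameter only pre-filters the account chooser; the claim is still checked.
    """
    if not is_primary_domain_user(claims):
        raise ValueError("Drive scopes are only requested for primary-domain admins")
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": " ".join(scopes_for_user(claims)),
        "access_type": "offline",
        "state": state,  # anti-CSRF value bound to the user's session
        "hd": PRIMARY_DOMAIN,
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def query_param(url, name):
    """Read a single query parameter back out of an authorization URL."""
    return parse_qs(urlparse(url).query)[name][0]


def requested_scopes(url):
    """Parse the space-separated scope list out of an authorization URL."""
    return tuple(query_param(url, "scope").split(" "))


if __name__ == "__main__":
    # Constructed sample claims, as they would look after ID-token verification.
    vendor_admin = {"hd": "example-app-vendor.test",
                    "email": "admin@example-app-vendor.test", "email_verified": True}
    customer = {"hd": "customer.test", "email": "user@customer.test",
                "email_verified": True}
    print("customer scopes:", scopes_for_user(customer))
    print("admin auth URL:", build_admin_drive_authorization_url(vendor_admin, "state-1"))
```

Customers never see a consent screen for the Drive scopes because the URL above is only built for primary-domain admins; the Marketplace listing keeps `BASE_SCOPES` alone, which is the separation the answer recommends.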