Here's what I'm trying to do:
When people log into our app, using Google Apps OAuth, they are automatically grouped within the app, by their organization.
We're already doing this with Slack, where a user logs in, says which team they want to log in from, and they are automatically grouped with other people from their Slack team.
With Google, it seems a bit more complicated. I do not need access to anything within the organization: no user list, no other e-mails, no files. All I need is the name of the organization, and some sort of unique identifier.
Is this even possible? I've been digging through this without much success: it seems like an admin from the apps account has to install or approve the app?
I'm getting the sinking feeling that this will have to be something set up via the Marketplace, but that's far from ideal from our perspective.
Can it be done?
What you want is the hd claim of the ID Token. This represents the "hosted domain" of the Google for Work user, i.e. their organization.
If you use the Google Sign-in library, you will be able to get the ID Token of the user; once you have that you can extract the hd claim. Try these docs: web, ios, android.
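Added example (not from the answer above or from Google's libraries) of the server side of this: take the ID Token the Sign-in library has already verified, check issuer, audience and expiry, read the hd claim, and group users by it. The client ID, the sample tokens and the constructed_token helper are assumptions made for the demonstration; consumer Google accounts carry no hd claim and must be handled as "no organization" rather than trusted into a group.

```python
import base64
import json
import time

CLIENT_ID = "123456-example.apps.googleusercontent.com"  # hypothetical; use your own
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token):
    """Payload of a JWT. No signature check happens here: call this only on a token
    the Google Sign-in library has already verified against Google's public keys."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def organization_of(claims, now=None):
    """Hosted domain (organization) from verified ID-token claims, or None for
    a consumer Google account, which carries no hd claim at all."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token issued for a different client")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    hd = claims.get("hd")
    if hd is None:
        return None
    # The verified e-mail must belong to the hosted domain the token names.
    email = claims.get("email", "").lower()
    if not claims.get("email_verified") or not email.endswith("@" + hd.lower()):
        raise ValueError("hd claim does not match the verified e-mail")
    return hd.lower()


def group_by_organization(id_tokens, now=None):
    """Map hosted domain -> Google 'sub' ids (the stable per-user identifier)."""
    groups = {}
    for token in id_tokens:
        claims = id_token_claims(token)
        groups.setdefault(organization_of(claims, now) or "no-org", []).append(claims["sub"])
    return groups


def constructed_token(claims):
    """Unsigned sample token, constructed for offline demonstration only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-signature"
```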