Tags: google-api, google-apps, google-authentication, google-workspace

How to perform G Suite domain-Wide delegation of authority without user intervention?


Our app has a requirement to access all Gmail mailboxes pertaining to a G Suite account. I am able to accomplish this by following the instructions at https://developers.google.com/admin-sdk/reports/v1/guides/delegation, i.e. manually creating a service account key, enabling domain-wide delegation on the credential and assigning the appropriate permissions manually in the G Suite Admin area. This appears to work when manually setting it up for each of our clients; however, the process is complex and cumbersome and is a barrier to adoption.

In an attempt to implement a one-click signup process, as per the requirement for the G Suite Marketplace, I create an OAuth client ID (as opposed to a service account) and use this credential to redirect the user through the consent process as part of the signup process. Thereafter, I use the refresh/access credential to access the G Suite APIs. This works wonderfully, except that I am only able to access the mailbox of the logged-in user (not anyone else in the domain). Domain-wide delegation does not appear to be available with a client ID credential.

I do realize that service account credentials have a client ID, but they do not allow the ability to specify acceptable redirect URIs. Therefore, the consent process seems impossible to implement using a service account.

My app is registered with the Chrome store. How can one create a credential, use consent process to accept permissions, and still have the benefit of domain-wide delegation?


Solution

  • It seems I need two credentials.

    1) Google user authentication - Client ID credential (using a secret)

    2) Gmail API access - Service account credential (using a private key) with delegate permission enabled

    The Client ID credential in 1) is suitable for authentication or making API calls on behalf of the user (provided consent is given). However, the credential won't work when accessing multiple mailboxes. In this case, a service account credential (2 above) is required.

    When using a service account credential, it is still necessary to obtain permission from the user to access specific API scopes. These permissions/OAuth scopes are specified in the Google Marketplace SDK config.

    Go to Google Cloud Platform -> APIs & Services Dashboard -> Click Enable APIs and Services -> Type Google Marketplace SDK in the search box -> Select Google Marketplace SDK -> Click Manage. In the Configuration tab, add the required Scopes.

    The G Suite admin is prompted from within Google Marketplace to allow scoped permissions when accessing the app for the first time. Unlike Office 365, the consent process is not handled through a consent redirect. The app must be accessed initially from within the Google Marketplace for the correct delegate permissions to be assigned.
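As an added example (not code from the question or the answer), this is what the service-account path in 2) does under the hood: the assertion sent to Google's token endpoint carries a `sub` claim naming the user whose mailbox is accessed, which a plain OAuth client ID cannot express, and google-auth's `with_subject()` sets that claim. The key file path and mailbox address are placeholders, and only the scopes the admin granted in the Admin console will be honoured.

```python
# Added example: service-account credentials with domain-wide delegation.
# Key path and user address are placeholders, not values from the post.
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"


def delegation_claims(sa_email, subject, scopes, now=None, lifetime=3600):
    """JWT claim set of a domain-wide delegation assertion.

    'iss' is the service account and 'sub' the Workspace user whose mailbox
    is accessed; an OAuth client ID has no equivalent of 'sub'. Google only
    honours the assertion if the admin granted exactly these scopes to the
    service account's client ID (Admin console, API controls).
    """
    if not scopes:
        raise ValueError("at least one scope is required")
    now = int(time.time()) if now is None else now
    return {
        "iss": sa_email,
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,  # Google rejects lifetimes over one hour
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unsigned_assertion(claims):
    """header.payload part of the assertion; the RS256 signature made with
    the service account's private key is appended by the auth library."""
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims)


def delegated_gmail_credentials(key_path, user_email, scopes=(GMAIL_READONLY,)):
    """Credentials that act as user_email, via google-auth (pip install
    google-auth); with_subject() sets the 'sub' claim built above."""
    from google.oauth2 import service_account  # imported lazily on purpose
    creds = service_account.Credentials.from_service_account_file(
        key_path, scopes=list(scopes))
    return creds.with_subject(user_email)
```

Keep the scope list to the minimum the app needs (gmail.readonly here) and grant exactly that list to the service account's client ID, since every mailbox in the domain becomes reachable through it.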