Very straightforward question, but info on this is conflicting.
We're being asked to create a service account that has domain-wide authority to access Gmail API.
I would like to clarify if that app will now have access to all user data or it will need to seek permission from each individual user?
On one hand I set up a consent screen, on the other I see the following notice when delegating domain-wide authority in G Suite:
Developers can register their web applications and other API clients with Google to enable access to data in Google services like Gmail. You can authorize these registered clients to access your user data without your users having to individually give consent or their passwords.
And here it also seems like the app will have access to all users' data without having to seek it from each user individually: https://support.google.com/a/answer/162106?hl=en
Sorry if it's a dumb question. I looked at the SO solutions and read through the documentation, but it's still unclear. The closest I found is this: Gmail API - Delegating domain-wide authority to the service account to single user, but it doesn't answer the question.
This is what I got from G Suite support, basically saying the app will have access to all the user data without asking for any login/pass:
I would like to clarify if that app will now have access to all user data or it will need to seek permission from each individual user?
The Service Account will be able to access all data from any user in the domain without asking for their authorization.
If you delegate domain-wide authority to a Service Account, this Service Account will be able to impersonate any account in the domain. That is, it will be able to act on behalf of any account, and access the same resources that this account can access, no authorization required.
That's because Service Accounts, even when not using domain-wide delegation, use the "two-legged OAuth" workflow, in which users are not directly involved and consent from them is not required. That's one of the points of Service Accounts. See this two-legged OAuth diagram, in contrast to the three-legged one.
Of course, this is a very powerful tool, and that's the reason only domain administrators can grant domain-wide delegation.
Beware: once you have granted domain-wide authority to a Service Account, you should specify, in your app, which user you want the Service Account to impersonate. If you don't do that, it's like you haven't granted domain-wide authority at all.
I'd suggest you give a long read to Using OAuth 2.0 for Server to Server Applications.
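As an added illustration (not code from the question, the support reply, or Google's own client libraries), here is what "specify which user to impersonate" means at the protocol level in the two-legged flow described above: the service account's signed JWT assertion carries the target user in the `sub` claim, and without it the resulting token represents only the service account itself. The RS256 signer is a placeholder stand-in because the standard library has no RSA; a real client signs with the private key from the service account's JSON key file. The e-mail addresses and scope are constructed sample values.

```python
import base64
import hashlib
import json
import time
from typing import Callable, Optional

# Google's OAuth 2.0 token endpoint; it is the audience of the assertion
TOKEN_URI = "https://oauth2.googleapis.com/token"

def _b64url(data: bytes) -> str:
    # JWT segments are unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_assertion_claims(sa_email: str, scopes: list,
                           subject: Optional[str] = None,
                           now: Optional[int] = None) -> dict:
    """Claim set of the JWT a service account sends to the token endpoint.
    `subject` is the domain user to impersonate; omit it and the resulting
    access token represents only the service account and opens nobody's
    mailbox (the "like you haven't granted it at all" case)."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": sa_email,            # the service account itself
        "scope": " ".join(scopes),  # keep as narrow as the job allows
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + 3600,          # assertions may live at most one hour
    }
    if subject:
        claims["sub"] = subject     # the user whose data will be accessed
    return claims

def build_assertion(claims: dict, sign: Callable[[bytes], bytes]) -> str:
    """header.payload.signature; `sign` must be RS256 over the first two
    segments with the private key from the service account's JSON key file."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    return signing_input + "." + _b64url(sign(signing_input.encode()))

def impersonated_user(assertion: str) -> Optional[str]:
    """Read back which user an assertion acts as; useful when auditing
    what a delegated key is actually being used for."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)      # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("sub")

def placeholder_sign(data: bytes) -> bytes:
    # Stand-in so the example runs offline; NOT a valid RS256 signature.
    return hashlib.sha256(data).digest()
```

Because any `sub` the key holder chooses is accepted once delegation is granted, the private key is effectively a credential for every mailbox in the domain within the granted scopes, so grant the narrowest scopes and treat the key file accordingly.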