
Google Directory API non-admin accounts


I have a setup where the users log in through Google OAuth2.0 and hit the Google Directory API from Java Spring, where I then process data on that user. It is currently working only when I log in with a Google admin account. I need this to work for all types of accounts. This is the URL I am hitting:

https://www.googleapis.com/admin/directory/v1/users/{userKey}

Since it is working fine for admin users, is there any way to simply change this setup to also handle non-admin users? I am wondering if this requires something like a service account but I thought giving my application the scope https://www.googleapis.com/auth/admin.directory.user would be okay. Thanks


Solution

  • Non-admins cannot access this information:

    Only admins with Users privilege (see privileges here) can perform actions like read Users properties. Non-admin accounts will receive a 403 error with a message like this:

    Not Authorized to access this resource/api

    Please take into account that Directory API is part of the Admin SDK, whose purpose is to manage domain resources, and can only be used by accounts with the corresponding admin privileges. In this sense, adding an additional scope won't change anything, considering that you are probably making a GET request (calling Users: get) and using https://www.googleapis.com/auth/admin.directory.user.readonly.

    You could certainly use a service account that has been granted domain-wide authority to impersonate an admin account and get rid of the login step altogether, but I'm not sure that's what you want to do.

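Added example, not part of the question or the answer: the service-account route mentioned above, written against google-auth-library for Java (an assumed dependency), with the key path, admin address, class and method names all hypothetical. Because a delegated credential can read every user in the domain, the code only ever looks up the email address taken from the caller's own verified Google login, never a client-supplied `userKey`.

```java
import com.google.auth.oauth2.GoogleCredentials;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.List;

public class DirectorySelfLookup {
    // Read-only scope named in the answer; Users: get needs nothing broader.
    private static final String READONLY_SCOPE =
        "https://www.googleapis.com/auth/admin.directory.user.readonly";
    private static final String USERS_URL =
        "https://www.googleapis.com/admin/directory/v1/users/";

    private final GoogleCredentials delegated;
    private final HttpClient http = HttpClient.newHttpClient();

    // keyPath and adminEmail are deployment-specific placeholders (assumptions).
    public DirectorySelfLookup(String keyPath, String adminEmail) throws IOException {
        try (FileInputStream in = new FileInputStream(keyPath)) {
            this.delegated = GoogleCredentials.fromStream(in)
                .createScoped(List.of(READONLY_SCOPE))
                .createDelegated(adminEmail); // impersonate an admin with Users privilege
        }
    }

    // verifiedEmail must come from the server-side verified OAuth login of the
    // caller, so a non-admin can read their own record and nobody else's.
    public String fetchOwnProfile(String verifiedEmail)
            throws IOException, InterruptedException {
        if (verifiedEmail == null || !verifiedEmail.contains("@")) {
            throw new IllegalArgumentException("no verified email for this session");
        }
        delegated.refreshIfExpired();
        String token = delegated.getAccessToken().getTokenValue();
        String userKey = URLEncoder.encode(verifiedEmail, StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(URI.create(USERS_URL + userKey))
            .header("Authorization", "Bearer " + token).GET().build();
        HttpResponse<String> res = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (res.statusCode() == 403) { // impersonated account lacks the admin privilege
            throw new SecurityException("Not authorized for Directory API: " + res.body());
        }
        if (res.statusCode() != 200) {
            throw new IOException("Directory API returned HTTP " + res.statusCode());
        }
        return res.body(); // JSON user resource
    }
}
```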