google-admin-sdk google-workspace

Publishing an app to Google Workspace Marketplace to query other organisations' directories


Google's docs are not too clear on whether this is possible.

I have an OAuth configured for SSO into my organisation's application which is working correctly.

I also wish to create a Google Workspace Marketplace App (https://workspace.google.com/marketplace), installable by other organisations, which will allow me to query (or possibly receive change notifications on) their directory of users, with the end goal of automatically provisioning their users within my application. (This application will be a backend application which will run periodically.)

Is this possible?


Solution

  • So this is possible. You have to create a Marketplace App as described here:

    https://developers.google.com/workspace/marketplace/how-to-publish

    And also enable domain-wide delegation:

    https://developers.google.com/admin-sdk/directory/v1/guides/delegation

    You will then be able to impersonate admin users for specific (I couldn't figure out a way of authenticating without performing impersonation).

    Code snippet in C# - NOT PRODUCTION GRADE CODE

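    using Google.Apis.Auth.OAuth2;
    using Google.Apis.Admin.Directory.directory_v1;
    using Google.Apis.Admin.Directory.directory_v1.Data;
    using Google.Apis.Services;
    using System.Linq;

    namespace AdminSDKDirectoryQuickstart
    {
        class Program
        {
            // Read-only access to users is the only scope requested.
            static string[] Scopes = { DirectoryService.Scope.AdminDirectoryUserReadonly };

            static void Main(string[] args)
            {
                // credentials.json is the service account key file; CreateWithUser names
                // the admin to impersonate through domain-wide delegation.
                var credential = GoogleCredential.FromFile("credentials.json")
                    .CreateWithUser("admin@customer-domain.example") // placeholder: an admin in the installing organisation
                    .CreateScoped(Scopes);

                var service = new DirectoryService(new BaseClientService.Initializer()
                {
                    HttpClientInitializer = credential
                });

                // A single Execute() returns at most MaxResults users, so follow
                // NextPageToken until the whole directory has been read.
                string pageToken = null;
                do
                {
                    var request = service.Users.List();
                    request.Customer = "my_customer"; // Alias for the customer of the admin user specified in the credential
                    request.MaxResults = 500;
                    request.PageToken = pageToken;
                    var result = request.Execute();

                    // UsersValue can be null when the response contains no users.
                    foreach (var user in result.UsersValue ?? Enumerable.Empty<User>())
                    {
                        // Do something with the user
                    }
                    pageToken = result.NextPageToken;
                } while (!string.IsNullOrEmpty(pageToken));
            }
        }
    }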
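
What the impersonation in the answer amounts to on the wire, as an added example (not the answerer's code and not Google's client library): with domain-wide delegation the service account signs a JWT whose `sub` claim names the admin to act as, then exchanges it at Google's token endpoint using the `urn:ietf:params:oauth:grant-type:jwt-bearer` grant. The class name, the service account and admin addresses, the per-tenant domain check and the 10-minute lifetime are assumptions for illustration, and the key is a throwaway generated at run time.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

static class DelegationAssertion // hypothetical name, not from the page
{
    const string Scope = "https://www.googleapis.com/auth/admin.directory.user.readonly";

    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Builds the signed assertion a service account posts to the token endpoint.
    // "sub" is the user CreateWithUser() names; whoever holds the key chooses it.
    public static string Build(RSA key, string serviceAccount, string adminEmail,
                               string tenantDomain, DateTimeOffset now)
    {
        // Assumed guard: only impersonate an admin inside the tenant being synced.
        if (!adminEmail.EndsWith("@" + tenantDomain, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("admin is not in the tenant's domain");

        var header = new Dictionary<string, object> { ["alg"] = "RS256", ["typ"] = "JWT" };
        var claims = new Dictionary<string, object>
        {
            ["iss"] = serviceAccount,                         // service account email
            ["sub"] = adminEmail,                             // impersonated admin
            ["scope"] = Scope,                                // read-only users scope
            ["aud"] = "https://oauth2.googleapis.com/token",
            ["iat"] = now.ToUnixTimeSeconds(),
            ["exp"] = now.AddMinutes(10).ToUnixTimeSeconds()  // Google allows at most 1 hour
        };
        string input = B64Url(JsonSerializer.SerializeToUtf8Bytes(header)) + "." +
                       B64Url(JsonSerializer.SerializeToUtf8Bytes(claims));
        byte[] sig = key.SignData(Encoding.ASCII.GetBytes(input),
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return input + "." + B64Url(sig);
    }

    static void Main()
    {
        using var key = RSA.Create(2048); // constructed stand-in for the service account key
        var now = DateTimeOffset.UtcNow;
        Console.WriteLine(Build(key, "sa@example-project.iam.gserviceaccount.com",
                                "admin@customer.example", "customer.example", now));
        try { Build(key, "sa@example-project.iam.gserviceaccount.com",
                    "admin@other.example", "customer.example", now); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Because the `sub` value is chosen by whoever holds the service account key, the scopes an installing organisation authorises for the app are the effective limit on what that key can read in its directory.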