Jerome

Reputation: 2174

Impersonating users of Drive of one domain as a domain administrator

I'm looking for a way to impersonate users of a Google Apps domain using an admin user. I could do it easily with the Google Data Document List API, but I can't find a way to do it with the new Drive API.

Precisely, what I want to do is authenticate my admin user using OAuth2 (I've already done this), retrieve a list of the users of my domain and then impersonate my users, or at least be able to access files and docs from the Drive of those users.

In the administrative panel of Google Apps, there are an OAuth consumer key and an OAuth consumer secret, but these are used in OAuth1 2LO, not OAuth2.

Is there a proper way/workaround/hack to implement what I want?

Best regards,

Jérôme

Upvotes: 1

Views: 1161

Answers (2)

Jerome

Reputation: 2174

Thanks to James Woodward, I've been able to impersonate a user. I am posting an answer to provide Java-specific details.

  1. Create a service account in the API console. 3 important resources are created:
    1. Client ID: used to authorize the app on the Google Apps domain
    2. Email address: used to authorize the requests of the app
    3. .p12 key file: used to authorize the requests of the app
  2. Authorize the app in the Google Apps administrative panel, providing it with the service account client ID and all the scopes the app will need.
  3. Create the GoogleCredential this way:

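    // SERVICE_ID: the service account ID (typically its email address)
    GoogleCredential serviceCred = new GoogleCredential.Builder().setTransport(HTTP_TRANSPORT)
                .setJsonFactory(JSON_FACTORY)
                .setServiceAccountId(SERVICE_ID)
                .setServiceAccountScopes(Arrays.asList(SCOPES))
                // the domain user to impersonate
                .setServiceAccountUser("[email protected]")
                // this setter takes a java.io.File, not a String path
                .setServiceAccountPrivateKeyFromP12File(new java.io.File("key.p12"))
                .build();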
    

Those credentials can now be used to authenticate the requests made by the app on any scope authorized.

Upvotes: 2

James Woodward

Reputation: 413

I've only been looking at the google-api-ruby-client as an example, but you should be able to do this with a service account that is permitted access through the admin panel -> Advanced tools -> Manage third party OAuth clients. Once permitted, you can follow the example for a service account here: http://code.google.com/p/google-api-ruby-client/source/browse/service_account/analytics.rb?repo=samples but instead of authorizing with

    client.authorization = asserter.authorize()

you can use

    client.authorization = asserter.authorize("[email protected]")

I haven't done a lot with this yet but after authenticating in this method I've been able to list all documents owned by a user on my domain.

Upvotes: 2
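What `setServiceAccountUser(...)` and `asserter.authorize("...")` in the answers above put on the wire, as an added example that is not part of either answer or of Google's client libraries: the service account signs an OAuth2 JWT-bearer assertion whose `sub` claim names the user to act as. The key, service account email, user address and scope choice are constructed sample values, the helper names are hypothetical, and nothing is sent over the network.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'uri'

TOKEN_URL  = 'https://oauth2.googleapis.com/token'
GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:jwt-bearer'

# Constructed sample values (assumptions, not from the page)
KEY    = OpenSSL::PKey::RSA.new(2048) # throwaway key standing in for the .p12 private key
SA     = 'sample-sa@sample-project.iam.gserviceaccount.com'
SCOPES = ['https://www.googleapis.com/auth/drive.readonly'].freeze

def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Build the signed assertion a service account presents to the token endpoint.
# user: the domain account to act as; nil requests a token for the service account itself.
def delegation_assertion(key, service_email, scopes, user: nil, now: Time.now.to_i)
  claims = { iss: service_email, scope: scopes.join(' '), aud: TOKEN_URL,
             iat: now, exp: now + 3600 }
  claims[:sub] = user if user
  header = { alg: 'RS256', typ: 'JWT' }
  signing_input = [header, claims].map { |part| b64url(JSON.generate(part)) }.join('.')
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Decode an assertion and check its RS256 signature against the public key,
# e.g. to audit which user and scopes a piece of code is asking for.
def inspect_assertion(jwt, public_key)
  header, payload, sig = jwt.split('.')
  valid = public_key.verify(OpenSSL::Digest.new('SHA256'),
                            Base64.urlsafe_decode64(sig), "#{header}.#{payload}")
  { valid: valid, claims: JSON.parse(Base64.urlsafe_decode64(payload)) }
end

# Form body of the POST to TOKEN_URL that exchanges the assertion for an access token.
def token_request_body(jwt)
  URI.encode_www_form(grant_type: GRANT_TYPE, assertion: jwt)
end

if __FILE__ == $PROGRAM_NAME
  jwt = delegation_assertion(KEY, SA, SCOPES, user: 'alice@example.com')
  puts JSON.pretty_generate(inspect_assertion(jwt, KEY.public_key)[:claims])
end
```

Nothing in the assertion proves the named user consented: whoever holds the private key can put any domain user in `sub`, bounded only by the scopes authorized for the client ID in the admin panel. Authorize the narrowest scopes the app needs and store the key with the same care as a domain administrator credential.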
