GSuite Service Account + OAuth2 for other domains

Question

I have set up an integration using GSuite Domain wide delegation + service account which allows us to act as any user within our domain.

Currently this method isn't a very "user friendly" option for our customers at rulerr.com and I'm seeking to run through the Oauth2 consent process for other domains outside of our Organization.

Ideally they would be able to consent as an admin (known as admin consent) and then we can access all user data (calendars/mail/drive) by simply retrieving a token or two.

This is possible via Microsoft Graph with application and delegated permissions (see https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/)

Can anyone tell me if this is possible in GSuite? I cannot find any information other than for service accounts for a single Organization.

Answer 1

For anyone looking for an answer to this question with more detail than what is available in the Google API documentation, this page helped me a lot: http://youdontneedacrm.tumblr.com/post/81479000201/tutorial-create-your-application-in-google-marketplace

Answer 2

"Admin consent" is given when the admin of rulerr.com authorizes the client_id of your API Service Account in their G Suite domain. This can be done two ways:

1. Admin of rulerr.com adds your client_id to the Security-->Manage API Client Access section of the G Suite admin site. This grants your API client access to all accounts in their domain instance for the scopes authorized.
2. If you enable the Marketplace SDK in your API project and create/deploy a marketplace app, their admins can install that app to their domain which grants consent for all users, except they can OU limit it so that it is only granted for users in the OUs they choose.