Xao

Reputation: 601

Cross GSuite Organizations Domain-Wide Delegation

Consider this scenario:

I have two domains: domain1.net and domain2.net.

I have GCP enabled on domain1.net and created a Service Account here that has Domain-Wide Delegation Enabled.

The CLIENT ID from this Service Account is configured on domain1.net GSuite Admin Console as domain wide delegation and has the following OAuth2 scopes enabled:

SCOPES = [
    'https://www.googleapis.com/auth/admin.directory.group',
    'https://www.googleapis.com/auth/admin.directory.group.readonly',
    'https://www.googleapis.com/auth/admin.directory.group.member',
    'https://www.googleapis.com/auth/admin.directory.group.member.readonly',
]

I have a Cloud Function that uses the Service Account's rights to create an OAuth2 JWT, to be able to access GSuite domain1.net APIs. Code Sample Here.

The user to impersonate in GSuite has Group Admin Roles to be able to create GSuite Groups.

All this configuration works perfectly; I am able to create Groups in domain1.net using a Cloud Function in the domain1.net GCP env.

But if I use the same Service Account CLIENT ID in domain2.net, give it the same OAuth2 Scopes, create a user with Group Admin Roles and use this user to create new groups, it doesn't work.

Error:

Error with oauth2client==4.1.3:
oauth2client.client.HttpAccessTokenRefreshError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

Error with google.oauth2:
googleapiclient.errors.HttpError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

Now the above error code, unauthorized_client, found in this documentation, specifies that the CLIENT ID is incorrect and that I might have used the Service Account's email, which I did not.

Is Domain-Wide Delegation capable of working across GSuite organizations (different domains)? I know that it works in any sub-domain of domain1.net but not in any other GSuite organization (a different domain like domain2.net).

Upvotes: 2

Views: 551
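The error text above names the two conditions the token endpoint checks before it will mint a delegated token: the client ID must be authorized for domain-wide delegation in the Workspace organization that owns the impersonated user, and every requested scope must be on that authorization. The following is an added example, not code from the question or from Google's libraries. It builds the JWT assertion a domain-wide-delegation client sends (iss = service account email, sub = user to impersonate, scope, aud = token URI) and then runs a constructed model of the admin-console authorization decision over it, reproducing an unauthorized_client result when the client ID is not delegated in the user's organization or when a requested scope is missing. The service account email, client ID, signing key and domain-to-organization mapping are constructed; the signature uses HS256 with a shared key purely as a stand-in for the RS256 signature the real flow makes with the service account's private key. The model does not settle whether a service account from another organization's project can be delegated; it only shows the checks the error message itself refers to.

```python
import base64
import hashlib
import hmac
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"  # audience of every DWD assertion

# Scopes from the question.
SCOPES = [
    'https://www.googleapis.com/auth/admin.directory.group',
    'https://www.googleapis.com/auth/admin.directory.group.readonly',
    'https://www.googleapis.com/auth/admin.directory.group.member',
    'https://www.googleapis.com/auth/admin.directory.group.member.readonly',
]

# Constructed identifiers (not from the page).
SA_EMAIL = "groups-bot@example-project.iam.gserviceaccount.com"
SA_CLIENT_ID = "000000000000000000000"
SIGNING_KEY = b"constructed-demo-key"  # stand-in for the service account's RSA private key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_dwd_assertion(client_email, subject, scopes, key, now=None):
    """Build the JWT assertion sent to the token endpoint for domain-wide delegation.
    Real clients sign with RS256 and the SA's RSA key; HS256 is a stand-in here."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_email,          # the service account
        "sub": subject,               # the Workspace user to impersonate
        "scope": " ".join(scopes),    # space-separated OAuth2 scopes
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + 3600,
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def authorize(assertion, key, domain_to_org, registry, client_ids):
    """Constructed model of the token endpoint's decision for a DWD assertion.
    registry: organization -> {client_id -> set of authorized scopes} (the admin-console list).
    Returns ("ok", granted_scopes) or (oauth_error, reason)."""
    header_b64, claims_b64, sig_b64 = assertion.split(".")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return ("invalid_grant", "bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("aud") != TOKEN_URI:
        return ("invalid_grant", "bad audience")
    client_id = client_ids.get(claims.get("iss"))
    if client_id is None:
        return ("unauthorized_client", "unknown service account")
    user_domain = claims["sub"].rsplit("@", 1)[-1]
    org = domain_to_org.get(user_domain)  # sub-domains map to the same organization
    if org is None:
        return ("invalid_grant", f"no Workspace organization owns {user_domain}")
    allowed = registry.get(org, {}).get(client_id)
    if allowed is None:
        return ("unauthorized_client", f"client {client_id} has no domain-wide delegation in {org}")
    missing = set(claims["scope"].split()) - allowed  # every requested scope must be authorized
    if missing:
        return ("unauthorized_client", "scopes not authorized: " + " ".join(sorted(missing)))
    return ("ok", sorted(set(claims["scope"].split())))


def demo():
    """Run the question's scenario through the model and return each outcome."""
    domain_to_org = {"domain1.net": "org1", "sub.domain1.net": "org1", "domain2.net": "org2"}
    client_ids = {SA_EMAIL: SA_CLIENT_ID}
    registry = {"org1": {SA_CLIENT_ID: set(SCOPES)}, "org2": {}}  # domain2.net: nothing delegated yet
    write_scopes = SCOPES[:1]
    results = {}
    for user in ("groups-admin@domain1.net", "groups-admin@sub.domain1.net", "groups-admin@domain2.net"):
        a = build_dwd_assertion(SA_EMAIL, user, write_scopes, SIGNING_KEY, now=1_600_000_000)
        results[user] = authorize(a, SIGNING_KEY, domain_to_org, registry, client_ids)
    # domain2.net now delegates the client ID, but only for the read-only scopes.
    registry["org2"][SA_CLIENT_ID] = {s for s in SCOPES if s.endswith(".readonly")}
    a = build_dwd_assertion(SA_EMAIL, "groups-admin@domain2.net", write_scopes, SIGNING_KEY, now=1_600_000_000)
    results["domain2.net-readonly-only"] = authorize(a, SIGNING_KEY, domain_to_org, registry, client_ids)
    # An assertion whose subject was edited after signing must be rejected outright.
    h, c, s = a.split(".")
    edited = json.loads(_b64url_decode(c))
    edited["sub"] = "groups-admin@domain1.net"
    results["tampered"] = authorize(h + "." + _b64url(json.dumps(edited).encode()) + "." + s,
                                    SIGNING_KEY, domain_to_org, registry, client_ids)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The third case is the one the question hit: the same client ID, valid signature and scopes, but no delegation entry in the organization that owns the impersonated user. When reading these errors in practice, the scope-subset check is worth remembering as well: a client authorized for the read-only scopes only will get the same unauthorized_client response when it requests the write scope.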

Answers (2)

Iamblichus

Reputation: 19339

A service account belongs to the application for which you created it. If this application belongs to domain1.net, the service account will be able to impersonate accounts from domain1.net, not from any other domain.

If you want a service account to impersonate users from domain2.net, create another service account on a GCP project that belongs to domain2.net.


Upvotes: 0

I have good news for you (This won't answer your question but will solve your problem)!

You won't need to impersonate an admin anymore to create groups. Google just last week announced that the Cloud Identity Groups API will now allow for Group Management via API w/o impersonating an admin.

Take a look at these update blogs:

https://gsuiteupdates.googleblog.com/2020/08/use-service-accounts-google-groups-without-domain-wide-delegation.html

https://gsuiteupdates.googleblog.com/2020/08/service-accounts-in-google-groups-beta.html

https://gsuiteupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html

I can't help you with the actual question, tho; that's just not my territory.

Upvotes: 1
