How to programmatically request domain-wide delegation for Google Calendar API?

Question

I've spent a few hours now looking through the docs + reading other SO posts, and it's still not clear to me how to simply request domain-wide credentials for Google Calendar API (for other domains; not my own).

Our current web app kicks off an OAuth flow to request Calendar API credentials for a single user; however, there doesn't seem to be a simple way like this to request credentials for an entire domain. It seems that acquiring domain-level access requires the admin to manually set up a service account and then pass that information over (https://developers.google.com/admin-sdk/directory/v1/guides/delegation) which is incredibly cumbersome.

With Microsoft's Calendar API, this is a very straightforward process where you simply specify "Application Permissions" and then the OAuth flow must be completed by an Admin to get the expected set of access and refresh tokens. For GSuite, I can find no such equivalent...

To clarify based on some comments, I'm trying to figure out if GSuite has anything equivalent to what Microsoft Graph offers as described here: https://learn.microsoft.com/en-us/graph/auth-v2-service

The closest I've seen requires publishing to the Google Apps Marketplace; however, the documentation here seems to be quite lacking and it's unclear how things like redirect_uri for handing over credentials to the backend server are handled.

If I've missed any documentation and someone can just point me in the right direction then that would be greatly appreciated.

Answer 1

Google doesn't support the client_credentials auhentication with admin consent dialog, like Microsoft is doing for example.
You can still create an App in the Google Workspaces Marketplace with "Admin Install" privileges.
When some GSuite admin will install your App they will see the admin consent dialog with all required permissions granted at the domain level.
There is a opened feature request in issues tracker: https://issuetracker.google.com/issues/232839443?pli=1

Answer 2

1. Only super administrators can configure domain-wide delegation, this is done in the Google Workspace Admin console
2. When you enable domain-wide delegation for a service account, basically you are giving it the permission to impersonate any user within your domain
3. If you need to make Calendar requests on behalf your users, in your app you will need to implement impersonation, that way you will use the service account with wide-domain delegation to make the requests on behalf your users
4. Here you can find the documentation explaining how to set up wide-domain delegation and an example for making the API calls implementing impersonation https://developers.google.com/identity/protocols/oauth2/service-account#authorizingrequests

Answer 3

The best documentation for how to set up domain wide delegation to a service account is -> Perform Google Workspace Domain-Wide Delegation of Authority

request domain-wide credentials for Google Calendar API (for other domains; not my own).

You can not. The admin of the google workspace domain sets up domain wide delegation for service accounts owned by the domain.

there doesn't seem to be a simple way like this to request credentials for an entire domain.

Service account authorization is very different from Oauth2 authorization. Service account authorization is is intended for backend systems that need access to data without requesting user permission.

Oauth2 allows you to grant authorization on a per user basis. The user must grant an application access to their data by accepting the consent screen.

There is no oauth2 flow that would grant your application to all the users on a workspace domain. TBH I think thats a good thing.