Milos

Reputation: 317

Google Workspace marketplace service account for public listing

I have a server-side application that needs to access every user's Gmail data in a Google Workspace organization. I want to publish a public listing on the Google Workspace Marketplace that is installable domain-wide by the super admin user and gives the server-side application the permissions to access the Gmail data of the users in that domain.

From my current understanding, we need a service account with impersonation to access each user's data. On top of that, the service account needs to be delegated domain-wide authority, so that users do not need to give individual OAuth consent or their passwords.

When publishing the app using the Marketplace SDK I see that there is a field for service account credentials:

I see that the current Marketplace SDK has a field that accepts service account credentials.

[screenshot: Marketplace SDK]

But when my app is published and I install it and go to check the app's data access, I can only see fields for the scopes and the OAuth clients.

[screenshot: Data Access]

My questions:

  1. Are the service accounts created in the Marketplace SDK usable to the organization that installs my marketplace app? Will the service accounts have the same email and unique ID for everyone who installs the publicly listed app?

  2. If (1) is not true, then how is it possible for admins to create a service account for my marketplace app?

  3. If (1) is true, is it automatically granted access unlike the OAuth clients and scopes?

  4. If (1) is true, are the service accounts automatically delegated domain-wide on install, or do we have to provide the person who installed the marketplace app with the service accounts' unique IDs so they can manually delegate the scopes domain-wide?

Upvotes: 2

Views: 691

Answers (1)

SputnikDrunk2

Reputation: 4038

I reviewed some Google public documentation related to Service Accounts & here’s what I have found that may answer your questions:

Question 1

  • Are the service accounts created in the Marketplace SDK usable to the organization that installs my marketplace app?

Answer

  • No

Note: The CREDENTIALS tab that you see on the Google Workspace Marketplace SDK page is only an overview of credentials you have created for the GCP Project & NOT necessarily only for that service/API.

Service Accounts are created within a specific GCP Project & that project is where you will enable the Google APIs/Services that your application needs. Google Workspace Marketplace SDK is being described as:

  • “A toolkit that lets you create and control your app listing on the Google Workspace Marketplace, or for Chat apps, in Google Chat.” (Source)

So, this Google Workspace Marketplace SDK doesn’t necessarily use a Service Account to authenticate & be called in your app. However, when you set up a Service Account for your app, you'll need to create a Google Workspace Marketplace OAuth Client & this OAuth Client is associated with that Service Account. This is needed to support Google Workspace Marketplace domain-wide installation.

Setting up the Google Workspace Marketplace OAuth Client from the GCP console:

[screenshot: Google Workspace Marketplace OAuth Client setup in the GCP console]

Follow-up Question

  • Will the service accounts have the same email and unique ID for everyone who installs the publicly listed app?

Answer

  • Yes. In theory, it should be.

Question 2

  • If (1) is not true, then how is it possible for admins to create a service account for my marketplace app?

Answer

Based on the official documentation, this is the overview:

  1. Create a service account for your project
  2. Delegate domain-wide access to the service account
  3. Your application prepares to make authorized API calls using the service account's credentials. (This is regardless of how many users install & use your app)
  4. That API call will request an access token from the OAuth 2.0 auth server.
  5. Your application will then be able to use the access token to call Google APIs (which in your case uses Gmail API).

Upvotes: 2
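The five steps in the answer above describe the OAuth 2.0 JWT-bearer flow that domain-wide delegation uses. The following is an added example, not code from the question or the answer: it builds the assertion the server-side application signs for each impersonated user, checks the requested scopes against what the super admin delegated, and produces the token request and the Gmail API call that follow. The service account email, the delegated scope set, the user list and the RSA key are all constructed for the example; the token endpoint, the `jwt-bearer` grant type, the claim names and the Gmail `users/me/messages` URL are Google's real values. Signing uses RS256 via the `cryptography` package when it is installed and otherwise falls back to a clearly labelled placeholder so the structure can still be inspected offline.

```python
"""Domain-wide delegation, step by step: one service account, one signed
assertion per impersonated user. Added example; stdlib only, RS256 optional."""
import base64
import json
import time
import urllib.parse

TOKEN_URI = "https://oauth2.googleapis.com/token"  # real: also the JWT `aud`
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # real grant type
GMAIL_MESSAGES = "https://gmail.googleapis.com/gmail/v1/users/me/messages"

# Constructed: a hypothetical service account in the publisher's GCP project.
SA_EMAIL = "gmail-sync@example-project.iam.gserviceaccount.com"
# Constructed: scopes the super admin entered for this service account's
# client ID under Admin console > Security > API controls > Domain-wide delegation.
DELEGATED_SCOPES = {"https://www.googleapis.com/auth/gmail.readonly"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_delegated(requested, delegated) -> None:
    """Refuse scopes the admin never delegated. Google would reject the token
    request with `unauthorized_client`; failing early avoids a doomed call per user."""
    missing = set(requested) - set(delegated)
    if missing:
        raise PermissionError(f"scopes not delegated domain-wide: {sorted(missing)}")


def build_claims(sa_email, subject, scopes, delegated, now=None, lifetime=3600) -> dict:
    """Claim set for the JWT assertion. `sub` is the impersonated Workspace user."""
    check_delegated(scopes, delegated)
    if lifetime > 3600:
        raise ValueError("Google accepts assertions valid for at most one hour")
    now = int(time.time()) if now is None else now
    return {
        "iss": sa_email,            # the service account that signs the JWT
        "sub": subject,             # the user whose Gmail the token will access
        "scope": " ".join(scopes),  # must be a subset of the delegated scopes
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }


def build_assertion(claims: dict, signer) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(signature)."""
    header = {"alg": "RS256", "typ": "JWT"}
    compact = json.dumps(header, separators=(",", ":")).encode()
    body = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = f"{b64url(compact)}.{b64url(body)}"
    return f"{signing_input}.{b64url(signer(signing_input.encode()))}"


def token_request_body(assertion: str) -> str:
    """Form body POSTed to TOKEN_URI; the response carries the user-scoped access_token."""
    return urllib.parse.urlencode({"grant_type": JWT_BEARER, "assertion": assertion})


def decode_claims(assertion: str) -> dict:
    return json.loads(b64url_decode(assertion.split(".")[1]))


def gmail_request(access_token: str) -> dict:
    """Step 5: the Gmail call. `me` resolves to the `sub` the token was minted for."""
    return {"method": "GET", "url": GMAIL_MESSAGES,
            "headers": {"Authorization": f"Bearer {access_token}"}}


def rs256_signer_or_placeholder():
    """RS256 with a freshly generated (constructed) key if `cryptography` is
    present; otherwise a labelled placeholder that only preserves the JWT shape."""
    try:
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.asymmetric import padding, rsa
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())
    except ImportError:
        return lambda data: b"PLACEHOLDER-NOT-A-REAL-SIGNATURE"


if __name__ == "__main__":
    signer = rs256_signer_or_placeholder()
    scopes = ["https://www.googleapis.com/auth/gmail.readonly"]
    # Constructed users of the installing domain; the same service account
    # mints a separate assertion (and thus a separate token) for each of them.
    for user in ["alice@example.com", "bob@example.com"]:
        claims = build_claims(SA_EMAIL, user, scopes, DELEGATED_SCOPES)
        assertion = build_assertion(claims, signer)
        print(user, "->", token_request_body(assertion)[:60], "...")
    try:  # a scope the admin did not delegate is refused before any network call
        build_claims(SA_EMAIL, "alice@example.com",
                     ["https://mail.google.com/"], DELEGATED_SCOPES)
    except PermissionError as exc:
        print("refused:", exc)
```

The point to notice is that the installing organization never sees a per-tenant service account: the admin delegates by the service account's client ID and a scope list, and the application then asserts `sub` for each user. The scope check mirrors what Google enforces, so treat `DELEGATED_SCOPES` as configuration that must match what the admin actually entered.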
