user3896248

Google Workspace openid pre-consent

I'm trying to achieve some form of Workspace admin pre-consent so users in a given workspace don't have to go through the manual/interactive OAuth flow to authenticate with my service on first use. I have an OAuth client that only uses openid/email/profile scopes to allow login.

I came across https://support.google.com/a/answer/162106?hl=en:

Three-legged OAuth apps, which normally require individual user consent. Users activate apps without being prompted for consent, and you can specify the user data that the apps can access.

The page suggests that I can grant domain-wide delegation rights for the workspace to the OAuth client ID (presumably with the same scopes) to establish pre-consent. Am I understanding that correctly? This is the only time I've heard of granting DWD to an OAuth client instead of a Service Account.

How does that work in practice? I understand that if multiple Google accounts have been previously used in the current browser(?), there might be a dialog asking which to pick, which is fine.

I found a mechanism for managing third-party app access in Workspace -- Workspace - Security -> API Controls -> Manage third party app access -- but I don't know what the purpose of this tool is. Apps still seem to need to request access.

Upvotes: 1

Views: 31

Answers (0)
