Configure OAuth2 Service Accounts for Domain-wide Delegation

This tutorial describes how the administrator of a G Suite (Google Apps) domain can configure an OAuth2 service account for domain-wide delegation. Once delegation is granted, the service account can act on behalf of any user in the domain, for the authorized API scopes, without that user ever being asked for consent or a password. The service account's private key is therefore a domain-wide credential: whoever holds the key file can impersonate every user for those scopes, so store it like an admin password and grant only the scopes the application needs.

1. Go to admin.google.com and sign in to the G Suite administrative console.

2. Click the Security icon, choose API reference and check the option Enable API access. This allows programmatic access to the G Suite administrative APIs (for example the Admin SDK Directory API) for the domain.

[Screenshot: Enable API access under Security > API reference in the admin console]

3. On the Security page, click Show more and then choose Advanced settings. In the Advanced settings section, click Manage API client access. Domain admins use this section to control which OAuth client applications may access user data across the domain.


4. You can now authorize a whitelisted application (identified by its OAuth2 client ID) to access the data of domain users without them having to individually give consent or their passwords. You also need to specify the list of OAuth 2.0 API scopes (comma separated) that the authorized API client is allowed to use on users' behalf. This scope list is the only thing limiting what the key can do across the whole domain, so keep it as narrow as possible.

The Client ID is the client_id value in the JSON key file that was downloaded when the service account was created; the scopes correspond to the APIs you enabled for the project when creating the Google service account. Scope strings must match exactly: when the application later requests an access token, any scope that was not whitelisted here causes the token request to be rejected with an unauthorized_client error.

[Screenshot: Manage API client access, with the client ID and comma-separated scopes filled in]

For instance, if your application needs read-only access to the directory, full access to users' Gmail, and access to Google Drive, the API scopes would be:

https://www.googleapis.com/auth/admin.directory.user.readonly, https://mail.google.com/, https://www.googleapis.com/auth/drive

Note that https://mail.google.com/ grants full read, write, send and delete access to every mailbox in the domain; if the application only needs to read mail, use the narrower Gmail read-only scope instead.

The service account is now ready and the application is authorized in the Google Apps admin console. In the next step, we'll look at building an OAuth2 application that uses Google service accounts with Google Apps Script.