Domain-wide delegation of authority and OAuth 2.0 Service Accounts

Tuesday, November 6, 2012 | 11:20 AM


Some enterprise applications need to programmatically access their users’ data without any manual authorization on their part. For example, you might want to use the Tasks API to add a task to all of your employees’ Google Tasks lists during the holiday season to remind them of something like, “Come pick up your holiday gift at the front desk!” Or, you might want to run some company-wide analysis of the content of your employees’ Google Drive.

In Google Apps domains, the domain administrator can grant applications domain-wide access to its users' data — this is referred to as domain-wide delegation of authority. It allows applications to act on behalf of Google Apps domain users when calling APIs.

Until recently this technique was mostly performed using 2-Legged OAuth 1.0a (2-LO). However, with the deprecation of the OAuth 1.0 protocol and the resulting programmed shutdown of 2-LO, the recommended authorization mechanism is now to use OAuth 2.0 and service accounts.

Unlike regular Google accounts that belong to an end user, service accounts are owned by your application and therefore identify your application. They can be created in the Google APIs Console and come with their own OAuth 2.0 credentials.

Google Apps domain administrators can delegate domain-wide authority to the service account’s credentials for a set of APIs. The application can then use the service account’s credentials to act on behalf of any user in the Google Apps domain, limited to the APIs the administrator authorized.
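The mechanism behind this is the OAuth 2.0 JWT bearer flow: the application signs a JWT with the service account’s private key and exchanges it at Google’s token endpoint for an access token. Delegation is expressed by one extra claim, `sub`, naming the domain user the application wants to act as; the administrator’s grant is what allows that `sub` to be honoured for the listed scopes. The following Python is an added illustration written for this post, not code from the documentation or the Drive SDK: it builds the claim set and the signing input, and models the administrator’s grant as a policy check so you can see which requests a domain-wide grant does and does not cover. The service account email, client ID, user addresses and scope grants are constructed placeholders; RS256 signing with a real private key is delegated to the `cryptography` library in the demo and is only run when that library is present.

```python
"""Service-account JWT assertion with domain-wide delegation (added illustration)."""
import base64
import json
import time

# Google's OAuth 2.0 token endpoint as used by the service-account flow.
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # assertions are valid for at most one hour

# Constructed placeholder identities (not real accounts).
SERVICE_ACCOUNT = "123456789012@developer.gserviceaccount.com"
CLIENT_ID = "123456789012"
TASKS_SCOPE = "https://www.googleapis.com/auth/tasks"
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"
# What the administrator granted: client ID -> scopes it may use on behalf of domain users.
GRANTS = {CLIENT_ID: {TASKS_SCOPE}}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(issuer, scopes, now, impersonate=None, lifetime=MAX_LIFETIME):
    """Claim set for the JWT bearer grant; `sub` requests domain-wide delegation."""
    claims = {
        "iss": issuer,                 # the service account itself
        "scope": " ".join(scopes),     # APIs the access token should cover
        "aud": TOKEN_ENDPOINT,         # the assertion is only for Google's token server
        "iat": now,
        "exp": now + lifetime,
    }
    if impersonate:
        claims["sub"] = impersonate    # the domain user the application acts as
    return claims


def signing_input(claims):
    """header.payload string that the private key signs (RS256)."""
    header = {"alg": "RS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return b64url(compact(header)) + "." + b64url(compact(claims))


def assemble_assertion(claims, sign_rs256):
    """Full JWT; `sign_rs256` must return the raw RSASSA-PKCS1-v1_5/SHA-256 signature."""
    data = signing_input(claims)
    return data + "." + b64url(sign_rs256(data.encode("ascii")))


def token_request_body(assertion):
    """Form fields POSTed to the token endpoint to obtain an access token."""
    return {"grant_type": GRANT_TYPE, "assertion": assertion}


def check_delegation(claims, client_id, grants, domain, now):
    """Model of what the administrator's grant permits; returns (ok, reason)."""
    if claims.get("aud") != TOKEN_ENDPOINT:
        return False, "aud is not the token endpoint"
    if claims["exp"] <= now or claims["exp"] - claims["iat"] > MAX_LIFETIME:
        return False, "assertion expired or lifetime exceeds one hour"
    subject = claims.get("sub")
    if subject is None:
        return True, "no delegation requested: application acts as the service account itself"
    if not subject.endswith("@" + domain):
        return False, "sub is outside the administrator's domain"
    allowed = grants.get(client_id)
    if allowed is None:
        return False, "client has no domain-wide grant"
    missing = set(claims["scope"].split()) - allowed
    if missing:
        return False, "scopes not granted by the administrator: " + " ".join(sorted(missing))
    return True, "delegation authorized for " + subject


if __name__ == "__main__":
    now = int(time.time())
    claims = build_claims(SERVICE_ACCOUNT, [TASKS_SCOPE], now, impersonate="alice@example.com")
    try:
        # Real deployments sign with the private key downloaded from the APIs Console;
        # here a throwaway RSA key stands in for it.
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.asymmetric import padding, rsa
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        signer = lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())
        print(token_request_body(assemble_assertion(claims, signer)))
    except ImportError:
        print("unsigned signing input:", signing_input(claims))
    print(check_delegation(claims, CLIENT_ID, GRANTS, "example.com", now))
```

The policy check is the part worth studying from the administrator’s side: a grant is scoped to a client ID and a list of scopes, so an assertion that names a user outside the domain, or asks for a scope (Drive, say) that was never granted, should be refused even though the signature is valid. Without a `sub` claim the same assertion simply authenticates the application as itself, which is why auditing which client IDs hold domain-wide grants matters more than auditing the service accounts alone.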

If you’d like to learn more, have a look at the recently published Google Drive SDK documentation on using OAuth 2.0 and service accounts for domain-wide delegation of authority. These documents provide a step-by-step process and code samples to help you get started with service accounts.

Nicolas Garnier Google + | Twitter

Nicolas Garnier joined Google’s Developer Relations in 2008 and lives in Zurich. He is a Developer Advocate for Google Drive and Google Apps. Nicolas is also the lead engineer for the OAuth 2.0 Playground.

3 comments:

Alberto Martínez said...

How can I use Provisioning (GData) API if ClientLogin and every other auth method but OAuth2 has been deprecated?

Buck Manhands said...

The link to "using OAuth 2.0 and service accounts for domain-wide delegation of authority" provided PHP code to instantiate a Drive service object that does not function.

Jerry Wang said...

When will domain-wide delegation of authority using OAuth 2.0 be available to other APIs, like Calendar, Contacts...? Currently it seems domain-wide OAuth 2.0 is only supported by the Google Drive API. Thanks