I have been looking around for a while now and I’m not able to figure this out myself. Actually I feel very confused and lost in the google api docs 🙂
There are two things I need to do.
- Sync users from a google apps account and store in my own db.
- Let users login using their google apps accounts if already synced to db.
I managed to get this working using the contacts api and oauth2 using the gdata python library. But the problem is there is a lot that needs to be configured in the google api console (redirect url, js origin) for this to work. It just does not seem like the simplest way to do it since the user/client would have to do this by him/herself. How do other sites solve the google apps login? I have also been looking at openid but I’m not sure (1) can be solved using this.
Anyone who has done this before and know which approach is preferred or have any suggestions?
Thanks!
Why do you need to pre-sync the list of users? Why not just allow users to login, and dynamically create the user in your DB based on which users login?
If you really need to sync users:
Syncing users should be done with the Google Apps Provisioning API, rather than the Contacts API.
Are you building an installed application (on your server somewhere), or a web application which will allow the domain admin from multiple sites to visit and grant access?
If it’s an installed application (on your server), then as long as you need only read-only access to grab users from Google Apps to another system, it’s fairly simple.
Domain admin needs to do:
1) Visit:
Grant access for a client name that’s the same as (YOUR DOMAIN NAME) to the scope:
2) Grab your domain consumer key/secret, and make sure it’s enabled. Grab from here:
Developer needs to do:
You then need to use 2-legged OAuth 1.0 with that consumer key and secret to access. You can try it out by using the OAuth 1.0 playground. In the playground, don’t touch anything in section #1 and #3. Just use section #2 to choose HMAC_SHA1 as the signature method, and supply your key (which is the DOMAIN NAME) and secret in those fields. In section #6, specify the URL you’re going to request, which will be:
And hit execute. Note the OAuth 1.0 playground is not hosted on an SSL-enabled URL — so you might want to do this on a test domain when trying it out, and reset the domain secret after testing.
Steps #1 and #2 should be fairly easy for a domain admin to follow if given the appropriate instructions. The only way to make it easier would be to host an application on the Google Apps Marketplace. This gives a single key/secret for the application, and the admin installing the app and granting permission is enough to grant access for your application’s key/secret to access the installing domains’ data. They don’t have to manually go through Steps #1 and #2.
Note: if you are building a web application which would require the administrator grant access to their domain user list, or need write access to the provisioning API, the domain client/secret won’t work. You’ll need to use one of the other authorization mechanisms. Your application will need to set up the client ID/client secret in the APIs console, but you won’t need to have each user do this.
Letting users login with their Apps Accounts:
Use OAuth 2.0 for Login (which is OpenID Connect-based):
https://developers.google.com/accounts/docs/OAuth2Login
You’ll have to set up your application’s client info in the APIs console, but that’s only once; it wouldn’t need to be done for every domain or anything like that.
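To make the 2-legged OAuth 1.0 signing step in the answer above concrete, here is an added example (not from the question, the answer, or Google's own libraries) that builds the HMAC-SHA1 signature with the domain name as consumer key and no token secret, and the matching server-side verification that recomputes it. The URL, key and secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
import uuid
from urllib.parse import parse_qsl, quote, urlsplit


def _enc(value):
    # RFC 5849 percent-encoding: only unreserved characters stay bare.
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Build the OAuth 1.0 signature base string: METHOD & base URL & sorted params."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query-string parameters are signed together with the oauth_* parameters.
    all_params = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params.items())
    encoded = sorted((_enc(k), _enc(v)) for k, v in all_params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])


def _signature(method, url, params, consumer_secret):
    # Two-legged: signing key is consumer_secret + "&" + (empty) token secret.
    key = (_enc(consumer_secret) + "&").encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign(method, url, consumer_key, consumer_secret, timestamp=None, nonce=None):
    """Return the oauth_* parameters for a 2-legged request (consumer key = domain name)."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or uuid.uuid4().hex,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = _signature(method, url, oauth, consumer_secret)
    return oauth


def authorization_header(oauth):
    """Serialize the parameters into an Authorization: OAuth header value."""
    return "OAuth " + ", ".join(f'{_enc(k)}="{_enc(v)}"' for k, v in sorted(oauth.items()))


def verify(method, url, oauth, consumer_secret, max_skew=300, now=None):
    """Server-side check: reject stale timestamps, then compare signatures in constant time."""
    now = now or int(time.time())
    if abs(now - int(oauth["oauth_timestamp"])) > max_skew:
        return False
    unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    return hmac.compare_digest(_signature(method, url, unsigned, consumer_secret), oauth["oauth_signature"])
```

Because the signature covers the method, URL and query, a captured header cannot be replayed against a different resource, and the secret itself never leaves the client.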