I have an appengine application that allows users to register themselves. These users must be able to send e-mail from a google apps domain. To do this, I want the appengine application to use the provisioning API to create new users in the apps domain.
I could of course create a custom administrative account for the apps domain. Then I could use a normal gdata.apps.client.ClientLogin. However, that would also mean that the userid and password are stored in source code or in the application.
Is it possible to tell the apps domain that the appengine's service account (its app_identity account) is an administrator for the apps domain?
If that's not possible, any tips on how I can secure the userid and password in the appengine application?
Hans Then
As far as I can tell what I want is not possible. I'll have to setup a userid and password in my apps account and login using that.
You'll need to use 3 legged oauth for authentication with provisioning api. Here's some docs https://developers.google.com/gdata/docs/auth/oauth#Examples
Related
I have an node.js application with a working server2server GMail API communication via an service_account.
Everything works fine.
To be able to communicate with a users account, the G Suite Admin has to grant API Acess to the Client ID of my service_account manually.
As described here:
Impersonating list of users with Google Service Account
with a Marketplace App it would be possible, to grant access only to specific organizationals units (OUs) and it would be more fancy to use (enabling a marketing place app is more user friendly than configuring API Access for ClientID and Scope manually like here:
)
Now my question: Is it possible to provide a Marketplace App only for the purpose to grant API access for my application automatically? Will it get through the review when it has no other purpose? Any other hints on this?
Yes it is a working way to create a marketplace application to grant the API access automatically when the G Suite Admin installs this application.
The only restriction is, that your actual application has to support Google SSO to make it through the review process. So the user must be able to log into your Web Application by clicking on the icon in his G Suite account. If the user has no account in your web app, an account has to be created automatically (trial-account is sufficient)
Do you know some tool that allow me to create several google accounts in batch mode?
I have Google for Education in my company and I will have to create 100 users account in order to allow them to use my Google Apps applications and forms.
I was wondering if there is a way to create these accounts programmatically or some tool could do that.
Any tip I will be happy to hear!!
Cheers,
Fernando
The Google Admin SDK Directory API allows you to create users programmatically.
You'll need either domain-wide authorization of a service account (established via a Google Console API project) or OAuth2 creds from an admin user in order to successfully make the API calls.
So now Google released the multi-tenant feature for gae.
Assuming i am going to implement a google app engine application and put it on google apps market place.
suppose www.doma.com and www.domb.com bought the application.
can usera from doma and userb from domb authenticate to this application with their google apps domain username (in other words) can usera#doma and userb#domb use authenticate with gae?
Thanks in advance
Google does not limit users when they go through OpenID or Google Accounts authentication procedure, your code should do this. After user is authenticated control is handed back to your code - at this point you should check users data and decide to pass the request through or not.
Also, if you want to use doma.com and domb.com as your domain names on GAE you need to own this domains and create separate Google Apps account for each of them. This means that random user cannot have user#doma.com email address (unless you manually created an account for them on Google Apps).
I have an application hosted on Google AppEngine. This app requires users authentication. I know that users can be authenticaded through OpenId, Google Accounts and so on. However, some user don't have any of these accounts. Thus, i have to suggest that they create an OpenId or a Google Account before they can be able to access my application.
I was wondering if it's possible to host an OpenId provider inside AppEngine, this way, instead of suggesting user to go away, create an OpenId and later get back, i could simply display a simple form. In this form, that user could create they new account and, at same time, create an OpenId, since the application would also be an OpenId Provider.
I'm not sure if i could host and OpenId provider inside appengine . Would I?
Thanks a lot
http://code.google.com/p/google-app-engine-samples/ contains a sample OpenID provider application. It uses Google accounts to authenticate, but it shouldn't be too difficult to use it to create your own accounts.
Of course, it's a bit bizarre that you want to create accounts on your service for the users but then use openID to authenticate them from that service to itself; why not just have a non-OpenID login in addition to OpenID if you want to manage some users' accounts yourself?
I would like to ask how to use the Google Apps Account instead of a Google Account if I use the
users.create_login_url()
function to generate the login page.
Google automatically ask me to login with a Google Account.
If I am running my application with a Google Apps for a specific domain, I have created users within that domain, is there any way that I can let my users to login using the created domain?
for example: hoang#abc.com
and abc.com is the domain managed by Google Apps.
I am an administrator for abc.com, and I have created multiple users within this domain.
Please advice!
Thank you!
You have to specify at the time you create the app whether you want to use Google Accounts for authentication, or Google Apps. If you selected Google Accounts for your app, you'll need to create a new app with the authentication setting set correctly in order to use it.