Tags: google-api, google-apps, google-admin-sdk

Determine Whether User is Group Member


Background

Our corporate users have a Google Apps account. We would like to allow them (and only them) to log in to an extranet using the Google account. Ideally we would also like to manage permissions through the Google domain management UI. One thought is to create groups and associate group membership with extranet permissions.

Research

Google Apps supports login using OAuth 2.0 and also supports provisioning via API, which would allow us to test if a user is a member of a group. The Provisioning API presumably requires administrator credentials.

Question

Is it possible to programmatically determine whether a Google Apps user is a member of a group without requiring domain administrator credentials?

Is there a better way to accomplish this goal?


Solution

  • The API call to check group membership does require at least a delegated admin with rights to read groups via the API. If you utilize the new Google Admin SDK membership API call, you can also limit the scope to readonly:

    https://www.googleapis.com/auth/admin.directory.group.readonly

    The Admin SDK utilizes OAuth 2.0 which does not require the delegated admin's username/password, only the OAuth token.

    UPDATE: the Cloud Identity Groups and Group Members API endpoints allow anyone with either an admin role OR permission to manage the group itself to call the API. Thus anyone with rights to see group membership (usually a member of the group) can use this API and does not need delegated admin permissions.
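As an added illustration of the answer's first point (not code from the original post), the check below calls the Admin SDK Directory API `members.hasMember` endpoint with a bearer token that was issued with only the read-only scope quoted above, so the extranet can verify membership server-side without ever holding the admin's password. It assumes the caller already obtained such a token (for example via a service account with domain-wide delegation); the HTTP transport is injectable, and `fake_transport` with its `example.com` addresses is a constructed stand-in so the logic runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Read-only scope from the answer: sufficient for hasMember, cannot alter membership.
READONLY_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"
API_BASE = "https://admin.googleapis.com/admin/directory/v1"


def urllib_get(url, headers):
    """Default transport: GET url, return (status, body). HTTP errors become statuses."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def is_group_member(token, group_email, user_email, http_get=urllib_get):
    """True/False for membership. Fails closed: a 403 (token not allowed to read
    the group) raises instead of silently reporting 'not a member'."""
    url = "%s/groups/%s/hasMember/%s" % (
        API_BASE,
        urllib.parse.quote(group_email, safe=""),
        urllib.parse.quote(user_email, safe=""),
    )
    status, body = http_get(url, {"Authorization": "Bearer " + token})
    if status == 403:
        raise PermissionError("token lacks rights to read group membership: " + body)
    if status == 404:
        return False  # unknown group or user key (assumed API behaviour): no access
    if status != 200:
        raise RuntimeError("unexpected HTTP %d from Directory API" % status)
    return bool(json.loads(body).get("isMember", False))


def fake_transport(url, headers):
    """Constructed offline stand-in for the API so the logic above can be exercised."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, '{"error": {"code": 401, "message": "Login Required"}}'
    if url.endswith("/groups/extranet-users%40example.com/hasMember/alice%40example.com"):
        return 200, '{"isMember": true}'
    if url.endswith("/groups/extranet-users%40example.com/hasMember/mallory%40example.com"):
        return 200, '{"isMember": false}'
    if "/groups/secret-group%40example.com/" in url:
        return 403, '{"error": {"code": 403, "message": "Not Authorized"}}'
    return 404, '{"error": {"code": 404, "message": "Resource Not Found: groupKey"}}'
```

In production pass no `http_get` so the default `urllib_get` transport is used, and keep the extranet's login decision tied to the boolean this function returns rather than to any group data cached on the client side.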