google-apigoogle-oauthgoogle-calendar-apigoogle-workspaceservice-accounts

How to programmatically request domain-wide delegation for Google Calendar API?


I've spent a few hours now looking through the docs + reading other SO posts, and it's still not clear to me how to simply request domain-wide credentials for Google Calendar API (for other domains; not my own).

Our current web app kicks off an OAuth flow to request Calendar API credentials for a single user; however, there doesn't seem to be a simple way like this to request credentials for an entire domain. It seems that acquiring domain-level access requires the admin to manually set up a service account and then pass that information over (https://developers.google.com/admin-sdk/directory/v1/guides/delegation) which is incredibly cumbersome.

With Microsoft's Calendar API, this is a very straightforward process where you simply specify "Application Permissions" and then the OAuth flow must be completed by an Admin to get the expected set of access and refresh tokens. For GSuite, I can find no such equivalent...

To clarify based on some comments, I'm trying to figure out if GSuite has anything equivalent to what Microsoft Graph offers as described here: https://learn.microsoft.com/en-us/graph/auth-v2-service

The closest I've seen requires publishing to the Google Apps Marketplace; however, the documentation here seems to be quite lacking and it's unclear how things like redirect_uri for handing over credentials to the backend server are handled.

If I've missed any documentation and someone can just point me in the right direction then that would be greatly appreciated.


Solution

  • The best documentation for how to set up domain wide delegation to a service account is -> Perform Google Workspace Domain-Wide Delegation of Authority

    request domain-wide credentials for Google Calendar API (for other domains; not my own).

    You can not. The admin of the google workspace domain sets up domain wide delegation for service accounts owned by the domain.

    there doesn't seem to be a simple way like this to request credentials for an entire domain.

    Service account authorization is very different from Oauth2 authorization. Service account authorization is is intended for backend systems that need access to data without requesting user permission.

    Oauth2 allows you to grant authorization on a per user basis. The user must grant an application access to their data by accepting the consent screen.

    There is no oauth2 flow that would grant your application to all the users on a workspace domain. TBH I think thats a good thing.