3.2 Configuring OAuth2 authentication for Google APIs

NOTE: The Google Developer Console and Administrative Console change frequently as Google implements new features or rolls out updates to various services. Your view may differ from the screenshots in this section.

3.2.1 Creating a Google Service Account

  1. Go to Google Developer Console at http://console.developers.google.com/project

  2. To create a new project, click on Select a project on the upper right side of the page.

    NOTE: If you have already created projects, they will also be displayed in this drop-down list. You may pick an existing project to manage here.

  3. Click on Create Project

  4. Fill in the Project Name field. The Project ID field will be generated by Google.

    Clicking on Show advanced options... will allow you to select a geographic App Engine location.

    NOTE: The first time a project is created on a domain, Google may display additional prompts, such as opting into API email lists or accepting API terms of service.

  5. Click Create. The new project may take 1 to 2 minutes to be created.

  6. Once the new project has been created, the Developer Console will display options for the new project.

  7. Click on Admin SDK under Google Apps APIs

  8. Click on Enable API

  9. Click on Go to Credentials to create credentials now.

    1. The Google Apps driver accesses the Google Admin SDK via a Service Account Credential. Click on the service account link under Find out what kind of credentials you need.

    2. Click on Create Service Account

    3. Enter the name you want to use for the service account.

      NOTE: Google automatically populates the value of the Service Account ID. You will need to save the value of the Service Account ID for use in configuring the driver.

    4. Check the box for Furnish a new private key and select P12 as the key type.

    5. Check the box for Enable Google Apps Domain-wide Delegation.

    6. Enter a value for Product name for the consent screen.

    7. Click Create

      NOTE: As part of the service account creation process, Google creates the P12 file for your service account and downloads it to your computer. Please verify that a file with the name shown in the confirmation screen exists in your browser’s download folder.

    8. Press Close

    9. The service account is created and Google shows the Permissions screen for Service Accounts. You will need to have the Email address and Client ID shown on this page when configuring the driver.

    10. Click on the Permissions button.

    11. As a best practice, Google recommends that you create at least one additional owner for the project.

    12. Enter the email address for the Google account to be added as owner in New members.

    13. Click on the Select a role drop-down list and select a role. The options are Owner, Editor, Viewer, and Service Account Actor. Select Owner.

    14. Click Add

    15. Return to enabling the Google APIs required by the Google Driver. To do this, click on the three horizontal lines to the left of Google Developer Console.

    16. Select API Manager

  10. Continue enabling Google APIs

  11. Select Contacts API from Google Apps API

  12. Click on Overview to return to the list of Google APIs

  13. Click on Enable API

  14. Search for the Groups Settings API by typing Groups in the Search all 100+ APIs control.

  15. Select Groups Settings API from the list of results.

  16. Click on Enable API

At this point, the Service Account Credential to be used by the Google Driver has been created and the APIs required by the Google Driver have been enabled.

3.2.2 Delegate Domain-wide Administrative rights to the Google Service Account

  1. Go to the Google Administrative Console

  2. Click on the Security icon

  3. Click Advanced Settings. If Advanced Settings isn’t visible, click Show More

  4. In the Advanced Settings tab, click Manage API client access under the Authentication tab.

  5. Enter the value for the Client ID from the Service Account Credential in the Developer Console in the Client Name field.

  6. Enter the list of scopes to authorize for the driver. The list of scopes shown below may not match the driver you are installing. Please refer to the list of scopes in Directory Scopes.txt, which is provided with the driver files in the Google Apps Driver download package.

    https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.orgunit,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.alias,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.directory.userschema,https://www.googleapis.com/auth/admin.directory.userschema.readonly,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email,http://www.google.com/m8/feeds,https://www.googleapis.com/auth/contacts.readonly,https://www.googleapis.com/auth/apps.groups.settings,https://apps-apis.google.com/a/feeds/emailsettings/2.0/
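
Because the scope list is pasted as one long comma-separated string, it is worth checking what was entered against the list shipped with the driver before saving. The following is an added example, not part of the driver package: the function names are hypothetical, the sample data is constructed, and it assumes Directory Scopes.txt holds the scopes separated by commas or newlines.

```python
import re

# A scope is an http(s) URL with no embedded whitespace; it is matched as an exact string.
SCOPE_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(/[A-Za-z0-9._/-]*)?$")

def parse_scopes(text):
    """Split a comma- or newline-separated scope list into trimmed entries."""
    return [s.strip() for s in re.split(r"[,\r\n]+", text) if s.strip()]

def audit_scopes(entered_text, shipped_text):
    """Compare the scopes entered for the Client ID with the driver's shipped list."""
    entered, shipped = parse_scopes(entered_text), parse_scopes(shipped_text)
    report = {
        # Stray spaces or truncated URLs from copy/paste never match a real scope.
        "malformed": [s for s in entered if not SCOPE_RE.match(s)],
        "duplicates": sorted({s for s in entered if entered.count(s) > 1}),
        # Missing scopes leave the driver without access it expects.
        "missing": sorted(set(shipped) - set(entered)),
        # Extra scopes widen what the service account may do domain-wide.
        "extra": sorted(set(entered) - set(shipped)),
    }
    report["ok"] = not (report["malformed"] or report["missing"] or report["extra"])
    return report

# Constructed sample data built from scope names that appear in this section.
BASE = "https://www.googleapis.com/auth/"
SHIPPED = "\n".join(BASE + n for n in (
    "admin.directory.group", "admin.directory.user", "apps.groups.settings"))
ENTERED = ",".join([
    BASE + "admin.directory.group",
    " " + BASE + "admin.directory.user",      # leading space: harmless, trimmed
    BASE + "admin.directory.user",            # pasted twice
    BASE + "admin.directory.orgunit",         # not in the shipped list
    BASE + " apps.groups.settings",           # space inside the URL
])

if __name__ == "__main__":
    for key, value in audit_scopes(ENTERED, SHIPPED).items():
        print(f"{key}: {value}")
```

To use it with real data, pass the contents of Directory Scopes.txt as the second argument and the string you intend to paste into the scopes field as the first.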