Determine Whether User is Group Member
Background

Our corporate users have a Google Apps account. We would like to allow them (and only them) to log in to an extranet using the Google account. Ideally we would also like to manage permissions through the Google domain management UI. One thought is to create groups and associate group membership with extranet permissions.

Research

Google Apps supports login using OAuth 2.0 and also supports provisioning via API, which would allow us to test if a user is a member of a group. The Provisioning API presumably requires administrator credentials.

Question

Is it possible to programmatically determine whether a Google Apps user is a member of a group without requiring domain administrator credentials?

Is there a better way to accomplish this goal?

Slime answered 17/5, 2013 at 4:58

The API call to check group membership does require at least a delegated admin with rights to read groups via the API. If you utilize the new Google Admin SDK membership API call, you can also limit the scope to readonly:

https://www.googleapis.com/auth/admin.directory.group.readonly

The Admin SDK utilizes OAuth 2.0 which does not require the delegated admin's username/password, only the OAuth token.

UPDATE: the Cloud Identity Groups and Group Members API endpoints allow anyone with either an admin role OR permissions to manage the group itself access to call the API. Thus anyone with rights to see group membership (usually a member of the group) can use this API and does not need delegated admin permissions.

Tetrachloride answered 22/5, 2013 at 14:42
Comments:

Do you know if this scope is available to service accounts? I've successfully used it with an OAuth callback using a normal account, but not yet with a service account/private key. I'm having trouble setting up the permissions. – Susurrous

This is such an important question/answer, it really needs more clarity to ensure we Just Get Things Right(tm). @jaylee, please can you clarify: when making the API call to check the group membership (Members: get) while using a service account's credentials, which admin account should we be impersonating? Should there be a dedicated admin account for this purpose? – Alive

You can use a service account, which has been authorized for this scope. Check out the following guide from Google: developers.google.com/identity/protocols/… – Ironware

Some concrete code examples would be extremely helpful. I've been struggling trying to implement this exact feature for days. – Marzipan
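The membership check described in the accepted answer, as an added example that is not code from the original post or its commenters. It calls the Admin SDK Directory API `members.hasMember` method with an OAuth 2.0 bearer token obtained under the read-only group scope the answer quotes, and wraps the result in an extranet authorization decision that fails closed: an expired token, missing delegated rights or an API error denies access rather than granting it. The group and user addresses, the `fetch` transport injection and the `token_from_service_account` helper (which assumes a service account with domain-wide delegation, impersonating a `subject` user who is allowed to read the group, as the comments discuss) are this example's own assumptions.

```python
"""Check whether a Google Workspace user belongs to a group via the Admin SDK
Directory API, using only the read-only group scope quoted in the answer.

Added example, not code from the original post. Assumptions are marked as such.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Scope from the answer: enough to read groups and memberships, nothing more.
GROUP_READONLY_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"
DIRECTORY_BASE = "https://admin.googleapis.com/admin/directory/v1"


class GroupLookupError(Exception):
    """Raised when the API did not return a definitive yes/no answer."""


def has_member_url(group_key, member_key):
    """Build the members.hasMember URL. Both keys are percent-encoded with no
    safe characters, so an e-mail address (or a crafted key containing '/' or
    '?') cannot alter the request path or query."""
    g = urllib.parse.quote(group_key, safe="")
    m = urllib.parse.quote(member_key, safe="")
    return f"{DIRECTORY_BASE}/groups/{g}/hasMember/{m}"


def default_fetch(url, headers):
    """Minimal HTTPS GET returning (status, body). HTTP errors are returned as
    a status code instead of raised, so the caller sees every outcome."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def is_group_member(group_key, member_key, access_token, fetch=default_fetch):
    """Return True/False for direct or nested membership; raise on anything else.
    `fetch` is injectable (assumption of this example) so the logic can be
    exercised offline against constructed responses."""
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    status, body = fetch(has_member_url(group_key, member_key), headers)
    if status != 200:
        raise GroupLookupError(f"HTTP {status}: {body[:200]!r}")
    try:
        return bool(json.loads(body)["isMember"])
    except (ValueError, KeyError, TypeError) as e:
        raise GroupLookupError(f"unexpected response body: {body[:200]!r}") from e


def extranet_permits(user_email, required_group, access_token, fetch=default_fetch):
    """Authorization decision for the extranet described in the question.
    Fails closed: any lookup error (expired token, insufficient rights, outage)
    denies access instead of silently granting it."""
    try:
        return is_group_member(required_group, user_email, access_token, fetch=fetch)
    except GroupLookupError:
        return False


def token_from_service_account(key_path, subject, scopes=(GROUP_READONLY_SCOPE,)):
    """Obtain a bearer token with the google-auth library (pip install google-auth).
    Assumption: the service account has domain-wide delegation for `scopes`, and
    `subject` is a user permitted to read the group (e.g. a delegated admin)."""
    from google.oauth2 import service_account          # imported lazily: optional dependency
    from google.auth.transport.requests import Request
    creds = service_account.Credentials.from_service_account_file(
        key_path, scopes=list(scopes)).with_subject(subject)
    creds.refresh(Request())
    return creds.token


if __name__ == "__main__":
    # Constructed addresses; replace with real ones and a real token to run live.
    token = token_from_service_account("sa-key.json", "group-reader@example.com")
    print(extranet_permits("alice@example.com", "extranet-users@example.com", token))
```

`hasMember` answers for nested groups as well as direct members, which is usually what an extranet wants; if only direct membership should count, `members.get` (the call the second comment names) returns the member record, or a 404 when the user is not directly listed.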
