authorize non-admin users to use AdminDirectory using OAuth2 - google-apps-script

I want to authorize non-admin users to use AdminDirectory (part of Google apps Admin SDK) as a part of a google apps script. Basically I want the users to get a list of other users' full names based on their user name.
I understand I can do this using OAuth2 but I cannot find examples of Google apps script-code for Admin SDK-AdminDirectory.
I have created a service account and have and have my Client ID and key ID. What do I need to do next? I found this https://developers.google.com/api-client-library/javascript/features/authentication but I can't figure out how to get the authorization to work.
Here is a minimal version of my script: (It will produce the full name of user edutett0707#edu.kristinehamn.se for authorized users)
function grupplistor() {
var userinfo = AdminDirectory.Users.get("edutett0707#edu.kristinehamn.se");
Logger.log ([userinfo.name.fullName]);
}

Try:
function grupplistor() {
var userinfo = AdminDirectory.Users.get({
userKey: "edutett0707#edu.kristinehamn.se",
viewType: "domain_public"});
Logger.log ([userinfo.name.fullName]);
}
viewType domain_public tells the api to return information about the user that's shared to all other users.
Jay

You can try using creating the service account and its credentials.
You need to create a service account and its credentials. During this procedure you need to gather information that will be used later for the Google Apps domain-wide delegation of authority and in your code to authorize with your service account. The three items you need are your service account’s:
Client ID.
Private key file.
Email address.
Note: Only users with access to the Admin APIs can access the Admin SDK Directory API, therefore your service account needs to impersonate one of those users to access the Admin SDK Directory API.
Source:
https://github.com/googlesamples/apps-script-oauth2
https://github.com/Spencer-Easton/Apps-Script-Drive-Service-Account-Library
Hope this helps

Related

How do I access service account details from main account [google]?

Context:
I have a service account that updates a Google Sheet on a daily basis and I want to add functionalities to the Sheet by extending it with Apps Script. I developed the script with my own personal account (same I used to create the service account) and it seems I can't access the service-account information when it's making changes to the Spreadsheet. What I mean is that I set up a trigger for changes on the spreadsheet but when I try to verify who made the changes I get a blank string.
Quoting the docs:
The circumstances in which the email address is available vary: for example, the user's email address is not available in any context that allows a script to run without that user's authorization, like a simple onOpen(e) or onEdit(e) trigger, a custom function in Google Sheets
How do I fix this? Is there a different design I should use?
Service accounts are not real users, this can be noted in this documentation. Please note the following:
Service accounts do not belong to your Google Workspace domain, unlike user accounts. If you share Google Workspace assets, like docs or events, with your entire Google Workspace domain, they are not shared with service accounts. Similarly, Google Workspace assets created by a service account are not created in your Google Workspace domain. As a result, your Google Workspace and Cloud Identity admins can't own or manage these assets.
Service accounts do not have passwords, and cannot log in via browsers or cookies.
The triggers that are setup on your script would require them to be logged in to the browser in order to capture the email address, a service account can't do that so that would be the reason why you are unable to gather this information.

Get inboxinfo from shared/delegated mailbox in Gsuite

We're using Gsuite Enterprise/Piazzaweb at work. I'm using basic scripts to get information from my own mailbox, no problems there. But I want to pull information from a couple of shared mailboxes in which I'm delegated. For example billing#mycompany.com. But I can't find any information regarding this and if it's even possible to reach a delegated mailbox with App script.
I've been sending e-mails from the delegated mailbox with app script without any problem.
Hopefully somebody can tell me more about this.
Thanks in advance.
In order to use Service Accounts in Apps Script, you have to do the following:
Build the OAuth service for your Service Account with the following library: OAuth2 for Apps Script.
Call the corresponding API by making the corresponding HTTP request via UrlFetchApp.fetch(url, params).
1. Build the OAuth service:
Once you have added the specified library to your script, you have to do this in order to build the OAuth service with delegated credentials, :
const PRIVATE_KEY = '-----BEGIN PRIVATE KEY-----\nxxxxxxxxxxxxxxxxxxxxx\n-----END PRIVATE KEY-----\n';
const CLIENT_EMAIL = 'xxxxxxxxxxxxxxxxxxxxx.iam.gserviceaccount.com'; // Service account email
const USER_EMAIL = 'email_address_to_impersonate'; // Account to impersonate
const SCOPE = 'https://www.googleapis.com/auth/gmail.readonly' // Change according to your preferences
function getGmailService() {
return OAuth2.createService('Gmail: ' + USER_EMAIL)
.setTokenUrl('https://oauth2.googleapis.com/token')
.setPrivateKey(PRIVATE_KEY)
.setIssuer(CLIENT_EMAIL)
.setSubject(USER_EMAIL)
.setPropertyStore(PropertiesService.getScriptProperties())
.setScope(SCOPE);
}
Where PRIVATE_KEY refers to the key found in the Service Account JSON credentials, CLIENT_EMAIL is the Service Account email, and USER_EMAIL refers to the email address whose INBOX you want to access.
It's important to note that SCOPE should be one of the scopes you specified when delegating authority.
2. Access the API:
Once the OAuth service is built, you use it to retrieve an access token with which you can access the desired resource. Of course, GmailApp service and the Advanced Gmail Service won't be of use here, since you have to access the API using the service you just built. Because of this, the way to access the API will be making the corresponding HTTP request via UrlFetch.
I'm not sure what you want to do exactly, and the exact request would depend on that, but for example, if you wanted to list the messages from the impersonated user, you could do this:
function readInbox() {
var service = getGmailService();
console.log(service.getAccessToken());
if (service.hasAccess()) {
var url = 'https://www.googleapis.com/gmail/v1/users/me/messages';
var response = UrlFetchApp.fetch(url, {
headers: {
Authorization: 'Bearer ' + service.getAccessToken()
}
});
var result = JSON.parse(response.getContentText());
console.log(JSON.stringify(result, null, 2));
}
}
Note:
I'm assuming here that you have already created a Service Account and granted domain-wide authority, and that your issue was just using it in Apps Script.
In Gmail API Reference, check the HTTP request, Parameters and Request body sections corresponding to the API method you want to use, if you need information on how to make the HTTP request (URL to access, HTTP method, request parameters, etc.).
Reference:
OAuth2 for Apps Script
Apps Script OAuth2 > GoogleServiceAccount.gs
You cant use delegation from apps script as apps script doesn't support using service accounts. You would need to make an oauth2 flow and have that user authorize it. Answer provided by #Zig Mandel
On top of what #ZigMandel said: unless this is a google domains or google for work account to my knowledge you cant use service accounts with gmail. you need to use Oauth2. Answer provided by #DalmTo
I don't know if this would solve the problem, but a feature request has been placed on Google Cloud Community and on Google Issue Tracker to enable access to Gmail Apps Script add-ons from delegated mailboxes.
The more upvotes, the more chances Google seriously looks at this issue ;).

Add users to Google Group using Google Apps Script

I'm trying to add a user to a Google Group using Google Apps Script.
Here's the code I've tried:
// Adds a user to a Google Group
function addUsertoGroup(userEmail) {
var userEmail = 'Name#gmail.com'
var groupId = "group-name#googlegroups.com";
var group = GroupsApp.getGroupByEmail(groupId);
// If email is already in group
try { var hasMember = group.hasUser(userEmail);}
catch(e){Logger.log(userEmail+" is already in the group"); return}
var newMember = {email: userEmail, role: "MEMBER"};
// This is the line which is throwing an error
AdminDirectory.Members.insert(newMember, groupId);
When running, I receive an error:
API call to directory.groups.get failed with error: Domain not found.
Any help would be appreciated.
Clarification:
You require a G Suite account to be able to use the AdminDirectory function (or to have the ability to add users to a group via Apps Script.
You can add gmail or any other non-same domain users based on the group setting you configure via https://groups.google.com
Solution:
I have a G Suite account via script.gs and I tested the code that you've shared - its perfect :) Except for the following that you need to enable, from a G Suite account.
Navigate to Resources > Advanced Google Services... and enable Admin Directory API
That's it. I created the group, enabled all settings, made the group accessible to everyone and it worked like a charm.
Let me know if you require any further clarification or assist as well.
Edit notes:
So, this is also what I had to follow to ensure everyone (even folks outside the domain could be added as users), as documented on Set Groups for Business sharing options. When you go to Groups for Business and navigate through the settings, you'd get to enable the following option that's critical -
Obviously, you're free to tweak all the other settings, as required.
You are trying to use the AdminDirectory service, this service will work only for G Suite Admin within a G Suite domain. So you need to have your domain and it will work if you add user from your domain to a group of your domain.
i.e. user#domain.com added to group#domain.com
Based on your sample code you try to add a gmail.com user to a public Google Groups for that you can't use the admin directory API because you are not admin of the domain that manage the public groups.
And in this case, as you did, you can only use the GroupsApp service and this service only allow you to check if user is in the ggroups or what is the role.
=> With GroupsApp service it is impossible to add a user to a public google group.
Stéphane

Modify the signature for all users in my domain

Currently my code only modifies my signature, because when I put the email of the other person in my domain, the error: Not Found (line 9, file "Code") appears.
My current code:
function myFunction() {
var newSignature = Gmail.newSendAs();
newSignature.signature = "signature";
var listEmails = [
"leticia#domain.com"]
var updateSignature = Gmail.Users.Settings.SendAs.update(newSignature, "me", listEmails)
}
I am developing using APPS SCRIPT.
Any suggestions for me to be able to change the signature of someone else in my domain?
To change other people Gmail settings in your domain you'll need to be a domain Admin, then create a service account with domain-wide authority, then whitelist it in the Admin Console. Then use said service account and authentication token generated to authenticate your requests to the Gmail API.
This built-in Apps Script Gmail integration was not made for that use-case. The intended usage is to setup your own settings, or individual users that explicitly authorize your application to run on their behalf. This sendAs is there because one might have multiple Gmail signatures, depending on their selected send-as/from alias.
Note that simply authorizing an script with your GSuite admin account won't allow to the script to perform domain-wide operations. That'd be too dangerous, therefore the somewhat convoluted service-account setup is required.
Link to the relevant documentation

Delegate domain wide authority for a script bound to Google Forms

I want to get and set auto forwarding details for a user in the company domain. My admin made me a delegated admin so that I can fetch user data using AdminDirectory.Users.
However, when I try to fetch auto-forwarding/Label/Filter data for a user using their userID, the following error is thrown :
Delegation denied for some.user#domain.com
This is the line that evoked the error :
var labels = Gmail.Users.Labels.list(user.id);
It seems that this can be carried out by delegating domain-wide authority to a Service Account. However, when I tried the steps highlighted in this link : Link , the page asked me to select a project.
This script doesn't feature in those projects, I am not sure if it is because it is bound to Google Forms.
Any suggestions on how to give the same domain-wide authority privileges to this script?
Please help!!
To create a service account for the Google script:
Start in the Google Script IDE itself and from the menu choose Resources > Developer Console Project...
Click on the link labeled "This script is currently associated with project:" located near the top of the dialog.
From there click Credentials in the left navigation and then Create credentials > Service account key follow the flow to create a service account - for Role, choose Project > Service account actor.
You can then use the private key and client id from the downloaded .json file in your Google Script.
Note: You'll need to:
Get the G Suite domain admin to set up your client_id with the scopes you want. https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
Use the Gmail API via UrlFetch because you can't make the Gmail advanced service use a different OAuth token. You can use the OAuth2 library for that and follow this example: https://github.com/googlesamples/apps-script-oauth2/blob/master/samples/GoogleServiceAccount.gs
First, make sure that you enable the domain-wide delegation for your service account which is stated in the link that you provide. Because the service account that you created needs to be granted access to the Google Apps domain’s user data that you want to access.
Also in your Apps Script code, go to the Resource -> Advance Google Service, make sure you enable all the Google Service that you use for your application that you create here.
For more information, check these threads:
Perform Google Apps Domain-Wide Delegation of Authority
Delegation Denied for ""
Trouble Implementing OAuth in Google Apps Script (Using Domain-Wide Delegation)