问题
We have a Google Apps Marketplace App (that is also available as a consumer App in the Chrome Webstore).
We are have the following problems with SSO:
1) We are using the following OAuth2 scopes:
openid
profile
email
https://www.googleapis.com/auth/drive.install
https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/drive.readonly
in the redirect to
https://accounts.google.com/o/oauth2/auth
3) I cannot enter the scopes
openid
profile
email
into the Google Apps Marketplace SDK console. I used:
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
instead (which are deprecated).
We also request
https://www.googleapis.com/auth/cloudprint
there (because we might need it later on)
4) I can install the app as domain administrator and use it normally (without any authorization dialog).
5) When I try to login as a domain user, an authorization dialog appears. How do we prevent this?
6) When the user want to connect a cloud printer to our app, we later request the required scope (which we need for offline use (ie we need a refresh token), because it is used for data coming in over an API interface). Even the domain admin is asked for permission in this case. How do we prevent it?
回答1:
you need to add following scope in the "Google Apps Marketplace SDK" console in addition to the default scope
https://www.googleapis.com/auth/plus.me
click "TEST INSTALL FLOW" if not already installed
Then go to admin.google.com search for your application and open it. Then under Data access provide grant.
Now you can you login to the application with any domain user and it won't ask for consent.
Hope this helps.
回答2:
I think app installed by domain admin doesn't auto-approve offline access yet.
See Google Apps Marketplace SDK + Domain-wide OAuth 2 SSO
来源:https://stackoverflow.com/questions/23512142/apps-marketplace-sso