The brilliant documentation added in PR #29 back in October 2015 added these really useful lines:
As explained in the Google documentation about Domain-Wide delegation of authority:
Only users with access to the Admin APIs can access the Admin SDK Directory API, therefore your service account needs to impersonate one of those users to access the Admin SDK Directory API.
You can see us doing that with createDelegated() here (delegating to c____.a_____@guardian.co.uk):
|
val credentials = serviceAccountCredentials |
|
.createDelegated(impersonatedUser) |
|
.createScoped(DirectoryScopes.ADMIN_DIRECTORY_GROUP_READONLY) |
...but is delegation/impersonation still necessary?
https://github.com/guardian/pan-domain-authentication/blob/0854755c6093f95a731e697b558813b5c51623de/pan-domain-auth-core/src/main/scala/com/gu/pandomainauth/service/Google2FAGroupChecker.scala#L24-L30
The brilliant documentation added in PR #29 back in October 2015 added these really useful lines:
You can see us doing that with
createDelegated()here (delegating to c____.a_____@guardian.co.uk):play-googleauth/play-v27/src/main/scala/com/gu/googleauth/groups.scala
Lines 71 to 73 in 60bcc8c
...but is delegation/impersonation still necessary?
https://github.com/guardian/pan-domain-authentication/blob/0854755c6093f95a731e697b558813b5c51623de/pan-domain-auth-core/src/main/scala/com/gu/pandomainauth/service/Google2FAGroupChecker.scala#L24-L30