How to get a CustomerId (or other primary key) for a Google Apps account?

google-admin-sdk google-apps-marketplace
user3256616 picture user3256616 · Aug 15, 2014 · Viewed 8.4k times · Source

When a user logs on to our Marketplace V2 app, we need to know which Google Apps account the user belongs to.

The id_token contains the 'hd' parameter (the domain name), but that's not enough, as a Google Apps account can have multiple domains.

CustomerId seems like a good primary key to match users to the correct Google Apps account. The problem is, it doesn't seem to be included in the id_token. Is there some way to figure out what the CustomerId of a user is.

The Admin SDK would be one option, but in almost all cases, calls to the Admin SDK fail with "Domain cannot use APIs". I read in a previous answer that Google automatically (re-)enables API access when an administrator installs a Marketplace app, but that can't be true because a call to the Admin SDK hardly ever works.

Does anyone have any suggestions on how to get a customerId or other primary key otherwise, or another trick to get the Admin SDK working (without having to instruct people to change their Google Apps Scurity settings, because that pretty much defeats the point of an effortless Marketplace installation).

Thanks!

Answer

koma picture koma · Aug 15, 2014

To make the Admin SDK work after installation of your Google apps marketplace app, you must :

  • add the admin SDK to your cloud project

  • add the Google Apps marketplace SDK to your cloud project

  • go into the configuration of the marketplace app and add the required admin SDK scope

After installation, your service account will have permission to call the Admin SDK on the domain that installed your marketplace app.

The docs state : To retrieve the customerId, use the Retrieve a user operation.

So you will need at least this scope :

Additonally, you will need to know the email address of a adminstrator at the domain.

On a side note : I believe you can use "my_customer" as a replacement for the customer ID in API calls, at least for the admin SDK.

update : http://googleappsupdates.blogspot.be/2014/09/new-features-in-admin-sdk-custom-user.html Historically, only admins have been able to access the data in the Admin SDK. Beginning today, any user (not just admins) will now be able to call the Directory API to read the profile of any user on the domain (of course, we will respect ACLing settings and profile sharing settings).

Related questions

Google: Permission denied to generate login hint for target domain NOT on localhost

I am trying to create a Google sign-in and getting the error: Permission denied to generate login hint for target domain Before you mark this a duplicate, this is not the same as the question asked at Google sign in …

Read More
How can an Admin access the Google Drive contents of all the users in a particular domain?

I am developing a tool to automate the transfer of ownership of Google Drive documents from one user to another using Admin SDK which is run by the admin. I used the Data transfer API for the ownership transfer. I …

Read More
Google_Service_Directory - (403) Not Authorized to access this resource/api

I have a problem just using an example of actual version of PHP api, and using the "service-account.php" file of examples folder. the original is for show the "Books API", and with my personal credentials configuration it works well, …

Read More