OAuth Update 4.0.4 or 4.0.5 to 4.1.x
When patching your Google driver from versions 4.0.4 or 4.0.5 to version 4.1.0 (or later), it is necessary to update your OAuth service account and enabled APIs within the Google Developer's console.
Please note that this guide is intended only for use when you have already set up a OAuth service account for use with the Google driver.
Version 4.1.0 and later of the Google driver adds a new API to the list of supported APIs. This API, the Groups Settings service, needs to be enabled and authorized before the driver will connect and run with your Google domain. In essence, all that is necessary to prepare the credential and the domain for version 4.1.0 is to:
- Enable the Groups Settings API
- Authorize the Groups Settings service scope for your service account
Before beginning, you will want to log into the Google administrator console and the Google developers console with a domain admin account. You should use the same account that created the Google Driver's API project when it was set up originally.
Enabling Groups Settings API
TIP: If you have not yet done so, consider adding additional project owners (trusted admin accounts within your domain) from the "Permissions" screen to avoid losing access to the project.
From the developer's console, select the correct project. If you do not know which project to select, find the one where the Service Account EMail address matches the service account email address configuration parameter in the Google Apps driver properties. .
From the project screen, select APIs and search for "groups" in the right search window.
After searching, select Groups Settings from the list of returned APIs.
Click the Enable button.
This will enable the Groups Settings API.
Next, navigate to the Credentials section. It is necessary to note the service account ID to perform the next step. Click on credentials.
Note the Service account Client ID and Email address. These values are both important. Copy and paste the client ID string into a text document for handy reference. Also, if you are unsure as to whether or not this API project is the correct one to be updating or whether or not this is the correct service account, the Service Account Email address shown above will match the one in your Google driver, as shown below (from iManager).
The two highlighted values are the same. This confirms that you are on the correct project with the correct service account.
With the Service Account client ID copied into a text document, it is time to authorize the Groups Settings API.
Authorizing Groups Settings API
From your Google Admin Console, Select the Security console.
Scroll down, if necessary and select "Show more"
Select "Advanced Settings"
From the Authentication Section, select "Manage API client access"
The next screen shows all the pre-authorized client accounts. Scroll and find the Client ID we selected earlier from the developer's console. Note how the client ID matches in the admin console (background) and developer's console (foreground).
Google doesn't allow us to add a new scope to the list of authorized scopes. To update the scope list, to add the groups settings scope (which is https://www.googleapis.com/auth/apps.groups.settings), we have to remove the existing authorization and add it back with an updated scopes list. The updated scopes list is provided with the 4.1.0 patch as a text file called DirectoryScopes.txt. You may also get it here (right-click and save it).
From the list, remove the service account authorization we identified previously. The remove link is on the far right.
Scroll back to the top of the screen. Paste the Client ID of the service account into the field marked "Client Name". Copy and paste all the scopes from the DirectoryScopes.txt file into the field marked "One or More API Scopes" then click "Authorize".
Once this step is complete, the API project and service account have been updated to include the Groups Settings service and will work properly with the 4.1.0 Google Apps driver.
Related articles