G Suite Driver 4.2 OAuth Update

Updating OAuth Authorizations for the 4.1.3.x release and later

The G Suite IDM connector (Google Driver) release version 4.2 requires updates to the authorized scopes and enabled APIs for your service account to work properly.

Summary

The 4.1.3.1 and later releases add administrative role management features to user objects. This requires that the role management API scope be authorized for your service account. Also, to prepare for future releases, additional Gmail scopes must be authorized and the Gmail API must be enabled.

Scopes to be added:

    https://www.googleapis.com/auth/admin.directory.rolemanagement (administrative role management)
    https://www.googleapis.com/auth/gmail.settings.basic, https://www.googleapis.com/auth/gmail.settings.sharing and https://www.googleapis.com/auth/gmail.labels (Gmail scopes, reserved for future releases)

The Gmail API needs to be enabled in your developer console (the project in which the service account used by the driver was created).

Adding the Scopes

In the release files, there is a text file called "DirectoryScopes.txt." This file contains a comma-separated list of the scopes required by the G Suite IDM connector. Please note that this file has been updated since previous releases; ensure that you are using the most current version, which contains the additional scopes mentioned above. Authorize exactly the scopes in the file and no others: every scope granted here extends what anyone holding the service account's private key can do across all users in your domain, so keep that key file as tightly protected as an administrator password. A full list of scopes can be found at the end of this document.

NOTE:    Google frequently updates the user interfaces of their web consoles. Your screens may differ from the ones shown in this guide. 


1. Log into the admin console of your domain at https://admin.google.com.

2. Select the Security icon.

3. Navigate to Advanced Settings and select "Manage API client access."

4. Find the entry for your service account. Copy its client name (the client ID of the service account, which is the value displayed in this interface) into a text document, then remove the authorization. The driver cannot authenticate until the authorization is re-added in the next step, so carry out both steps in one sitting.

NOTE:    If you cannot find your service account authorization, see the documentation on setting up OAuth access and find the section on creating and authorizing the service account. Those steps show where to find the client ID of your service account, which is the value displayed in this interface.

5. Re-add the authorization with the updated scopes list. Paste the client name from the previous step into the Client Name box, copy the scope list from the DirectoryScopes.txt file into the "one or more API scopes" box, then click Authorize.

IMPORTANT:    The scope list MUST be plain text. Copying it from a web page or a word-processor document can carry hidden formatting characters (non-breaking spaces, zero-width characters, curly quotes) into the scope strings; a scope that does not match exactly is not granted, and the driver will then fail against the API that scope protects. Open DirectoryScopes.txt in a plain-text editor and copy from there.
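Before pasting, it is worth checking the file mechanically. The following Python script is an added example, not part of the driver's release files or of Google's tooling: it parses a scope file, rejects the hidden characters that a web or word-processor paste leaves behind, and diffs the result against the list currently authorized in the console. The scope strings are the ones from this page; the "previously authorized" list and the bad paste are constructed for the example and are assumptions, not data from the release.

```python
"""Sanity-check a DirectoryScopes.txt file before pasting it into the admin console.

Added example, not part of the driver or of Google's tooling. The inputs at the
bottom are constructed for the example.
"""
import unicodedata
from urllib.parse import urlsplit

# Characters a copy/paste from a web page or word processor commonly carries
# along; invisible in the console text box, but they change the scope string.
HIDDEN = {
    "\ufeff": "byte-order mark",
    "\u200b": "zero-width space",
    "\u00a0": "non-breaking space",
    "\u2018": "curly single quote",
    "\u2019": "curly single quote",
    "\u201c": "curly double quote",
    "\u201d": "curly double quote",
}


def parse_scope_file(text):
    """Split a comma- (or newline-) separated scope file into a list of scopes.

    Raises ValueError on hidden characters, malformed entries, duplicates or an
    empty file, so a bad file is caught before the console silently accepts it.
    """
    for ch, name in HIDDEN.items():
        if ch in text:
            raise ValueError(
                f"hidden {name} (U+{ord(ch):04X}) at offset {text.index(ch)}: "
                "the file is not plain text"
            )
    scopes = []
    for raw in text.replace("\n", ",").split(","):
        scope = raw.strip()
        if not scope:
            continue
        parts = urlsplit(scope)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"malformed scope: {scope!r}")
        if any(c.isspace() or unicodedata.category(c).startswith("C") for c in scope):
            raise ValueError(f"whitespace or control character inside scope: {scope!r}")
        scopes.append(scope)
    dupes = sorted({s for s in scopes if scopes.count(s) > 1})
    if dupes:
        raise ValueError(f"duplicate scopes: {dupes}")
    if not scopes:
        raise ValueError("no scopes found")
    return scopes


def check_file(text):
    """Non-raising wrapper: (True, scopes) if the file is clean, else (False, reason)."""
    try:
        return True, parse_scope_file(text)
    except ValueError as exc:
        return False, str(exc)


def scope_diff(authorized, wanted):
    """Compare the list currently authorized in the console with the new file.

    Returns (to_add, to_remove). The procedure replaces the whole authorization,
    so both lists deserve a look before re-authorizing.
    """
    return sorted(set(wanted) - set(authorized)), sorted(set(authorized) - set(wanted))


# Constructed copy of the DirectoryScopes.txt contents (the list on this page).
NEW_FILE = (
    "https://www.googleapis.com/auth/admin.directory.group, "
    "https://www.googleapis.com/auth/admin.directory.group.member, "
    "https://www.googleapis.com/auth/admin.directory.orgunit, "
    "https://www.googleapis.com/auth/admin.directory.user, "
    "https://www.googleapis.com/auth/admin.directory.user.alias, "
    "https://www.googleapis.com/auth/admin.directory.user.security, "
    "https://www.googleapis.com/auth/admin.directory.userschema, "
    "https://www.googleapis.com/auth/userinfo.profile, "
    "https://www.googleapis.com/auth/userinfo.email, "
    "http://www.google.com/m8/feeds, "
    "https://www.googleapis.com/auth/contacts.readonly, "
    "https://www.googleapis.com/auth/apps.groups.settings, "
    "https://www.googleapis.com/auth/admin.directory.rolemanagement, "
    "https://www.googleapis.com/auth/gmail.settings.basic, "
    "https://www.googleapis.com/auth/gmail.settings.sharing, "
    "https://www.googleapis.com/auth/gmail.labels"
)

# Assumed pre-4.2 authorization for the example: the same list without the
# role-management and Gmail scopes.
OLD_AUTHORIZED = parse_scope_file(NEW_FILE)[:12]

# Constructed bad input: the same list after a paste that turned the spaces
# into non-breaking spaces, as a word processor might.
WEB_PASTE = NEW_FILE.replace(", ", ",\u00a0")

if __name__ == "__main__":
    ok, scopes = check_file(NEW_FILE)
    print("clean file:", ok, len(scopes), "scopes")
    print("to add:", scope_diff(OLD_AUTHORIZED, scopes)[0])
    print("web paste:", check_file(WEB_PASTE))
```

Run it against the real DirectoryScopes.txt by reading the file into `check_file`; the diff step is most useful when you paste the console's current scope column into the `authorized` argument before removing the old authorization.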

Enabling Gmail API

1. Log into your developer console at https://console.developers.google.com.

2. Select the project you created when originally authorizing the G Suite IDM connector, then select "Library" in the left menu.

3. Search for Gmail API.

4. Select the Gmail API and enable it.

Authorized Scope List

This is the complete authorized scope list as of this release, for reference. Do not copy and paste this list into the console; use the DirectoryScopes.txt file from the release files instead.

https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.group.member
https://www.googleapis.com/auth/admin.directory.orgunit
https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.user.alias
https://www.googleapis.com/auth/admin.directory.user.security
https://www.googleapis.com/auth/admin.directory.userschema
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/userinfo.email
http://www.google.com/m8/feeds
https://www.googleapis.com/auth/contacts.readonly
https://www.googleapis.com/auth/apps.groups.settings
https://www.googleapis.com/auth/admin.directory.rolemanagement
https://www.googleapis.com/auth/gmail.settings.basic
https://www.googleapis.com/auth/gmail.settings.sharing
https://www.googleapis.com/auth/gmail.labels