Google Apps OAuth

Configure your web services with Google 2-legged OAuth (OAuth v1)

While OAuth authorization is available to all developers wishing to access the Google Data APIs, Google Apps Premier and Education Edition administrators can enable a special kind of OAuth for their hosted domains, called 2-legged OAuth. Specifically, no access token is required, unlike in the normal authorization flow (also referred to as 3-legged OAuth). Applications using 2-legged OAuth must be registered with Google.
With Google Apps Premier and Education Edition, administrators can use two-legged OAuth for domain-wide delegation of authority. An application that has the OAuth consumer key and secret (roughly equivalent to a role account username and password) is allowed to act as any user in the domain when accessing Google Data APIs. Unlike three-legged OAuth, users do not need to give consent on an individual basis, as this decision is made on their behalf by the administrator. Administrators can revoke the key, change the secret, and control which APIs accept domain-wide delegation.
For more information about Google 2-legged OAuth, please click here.

Note 1: This feature is only available to Google Apps Premier and Education Edition domains.
Note 2: To limit the scope of this "powerful" authentication method, RunMyProcess deliberately restricts it to the "P_initiator" of a given process (i.e. the user who launched the process). A user on the RunMyProcess platform therefore cannot perform any action through a 2-legged OAuth Google API on behalf of another user. In other words, the "xoauth_requestor_id" parameter of every 2-legged OAuth API request is set by our platform to ${P_initiator.login}; a process designer cannot set it, because any value they supply is overridden by the platform.
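
The rule in Note 2, sketched as an added example (not RunMyProcess or Google code): the requestor is forced to the initiator before an OAuth 1.0 signature is computed with an empty token secret, so a requestor changed afterwards no longer verifies. Assumptions: the HMAC-SHA1 signature method of RFC 5849, parameters unique by name, hypothetical function names, and constructed sample values.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def signature(method, url, params, consumer_secret):
    # Signature base string: METHOD & encoded URL & encoded, sorted parameters
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    # 2-legged: there is no access token, so the token-secret half of the key is empty
    key = pct(consumer_secret) + "&"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_two_legged(method, url, designer_params, consumer_key, consumer_secret,
                    initiator_login, nonce=None, timestamp=None):
    """Return (query, oauth) parameter dicts for a signed 2-legged request."""
    query = dict(designer_params)
    # Rule from Note 2: any designer-supplied requestor is overridden by the initiator
    query["xoauth_requestor_id"] = initiator_login
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = signature(method, url, {**query, **oauth}, consumer_secret)
    return query, oauth

def verify(method, url, query, oauth, consumer_secret):
    # Receiving side: recompute over everything but the signature, compare in constant time
    unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    expected = signature(method, url, {**query, **unsigned}, consumer_secret)
    return hmac.compare_digest(expected, oauth.get("oauth_signature", ""))

if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real account
    url = "https://www.google.com/calendar/feeds/default/private/full"
    q, o = sign_two_legged("GET", url, {"xoauth_requestor_id": "ceo@example.com"},
                           "example.com", "constructed-secret", "alice@example.com")
    print(q["xoauth_requestor_id"], verify("GET", url, q, o, "constructed-secret"))
    q["xoauth_requestor_id"] = "ceo@example.com"  # changed after signing
    print(verify("GET", url, q, o, "constructed-secret"))
```

Because the consumer secret alone signs for every user in the domain, the override has to happen on the side that holds the secret, before signing.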

Google Set up
The only configuration required to use RunMyProcess with Google 2-legged OAuth is a change to the set-up of your Google Apps account.

  • Connect to your Google Account with an administrator profile and click on the "Advanced Tools" menu

OpenId Admin

  • Click on "Manage OAuth key and secret for this domain"

Manage OAuth key

  • Check the boxes "Enable this consumer key" and "Allow access to all APIs".
  • Note your "OAuth consumer key" (domain name) and your "OAuth consumer secret": they will be needed in your RunMyProcess provider configuration.

2 legged Oauth Provider

  • Go back to the "Advanced Tools" menu and click on "Manage third party OAuth Client access"

Manage API client access

  • In the "Client Name" field, add the domain "live.runmyprocess.com". In the "One or More API Scopes" field, add the feeds (i.e. Google Apps modules) for which you want to grant RunMyProcess 2-legged OAuth access, then click the "Authorize" button.

List of possible feeds (Google API: scope):

  • Calendar Data API: http(s)://www.google.com/calendar/feeds/
  • Contacts Data API: http(s)://www.google.com/m8/feeds/
  • Documents List Data API: http(s)://docs.google.com/feeds/
  • Finance Data API: http(s)://finance.google.com/finance/feeds/
  • Sites Data API: http(s)://sites.google.com/feeds/
  • Spreadsheets Data API: http(s)://spreadsheets.google.com/feeds/
  • Provisioning API (read only):
      https://apps-apis.google.com/a/feeds/user/#readonly
      https://apps-apis.google.com/a/feeds/group/#readonly
      https://apps-apis.google.com/a/feeds/nickname/#readonly
    You can verify access has been granted by looking at the Manage OAuth Clients setting page in the control panel at http://www.google.com/a/<domain>/ManageOauthClients.
    You MUST use https when registering the scope for the Provisioning API.
  • Calendar Resource API (read only, premier only): http(s)://apps-apis.google.com/a/feeds/calendar/resource/#readonly

Note: At any time, you can "remove" 2-legged OAuth access to RunMyProcess.

Now you are ready to use "2 legged OAuth" Google APIs with RunMyProcess!