Google Apps Marketplace SDK + Domain-wide OAuth 2 SSO

We've been working on an Google Apps-app meant to be installed by a domain administrator. We initially tried to list it via the (now deprecated) market listing, but all new submissions must now go through the Google Apps Marketplace SDK.

We're having an issue with the new GAM SDK SSO however - despite having installed it on our domain internally, each user is prompted via the consent screen when sending them to the OAuth login url. The OAuth url is asking for the same permission scope as is registered in the GAM SDK configuration screen.

The docs seem to be entirely conflicting on how to pull off non-challenged SSO for apps installed by the GA admin.

What url, with what params, we should be sending users to authenticate with GA without being asked for (presumably already granted) consent?

Solution 1:

Can you share the code with which you are asking for authorization?

9 out of 10 times, if each user in the domain is getting prompted, that is because you are asking for "offline" access. Domain wide authorization cannot be done for offline access. In Python for instance, you can do that like this -

constructor_kwargs = {
    'redirect_uri': GOOGLE_AUTH_CALLBACK_URL,
    'auth_uri': client_info['auth_uri'],
    'token_uri': client_info['token_uri'],
    'access_type' : 'online'
}

flow = OAuth2WebServerFlow(client_info['client_id'], 
               client_info['client_secret'],
                   SCOPES, **constructor_kwargs)