Hi,
I'm currently working on an internal web application (and a script or two) to allow our employees to change their password for both Google Apps and our own internal services (which rely on LDAP for authentication -- so each user has one common password across everything). The user will choose their new password from this web app, and the app will, in turn, change the password in Google Apps and other services.

Now, to do that on the GApps side, we're looking at using the user provisioning API (if there's a better way we're not aware of, don't hesitate to tell me). However, we're running into the following problems:

- Using 2-legged OAuth with the domain's consumer key (http://code.google.com/apis/gdata/docs/auth/oauth.html#2LeggedOAuth), I can read, but not change, user data. http://support.google.com/a/bin/answer.py?hl=en&answer=162105 does indeed give the https://apps-apis.google.com/a/feeds/user/#readonly scope for read-only user data access (which works fine), but nothing for read/write access (removing the #readonly doesn't work). Is read-write user data access at all possible with 2-legged OAuth, and if so, how?

- Assuming 2-legged OAuth isn't possible, our fallback is to use ClientLogin and create a special user with a very specific set of admin privileges: that is, change the passwords of other, non-admin, users (we've found that using ClientLogin, we can't use a normal user's credentials to change that user's own password). However, using the control panel's "Organization & Users > Privileges" screen, the only way of allowing a user (user_a) to change (not reset, force to a specific value) another user's (user_b's) password is to grant user_a super-admin privileges. Which, as you can imagine, we're fairly reluctant to do for a user whose credentials will be used by automated scripts. Is there another way?

- http://code.google.com/apis/accounts/docs/AuthForInstalledApps.html#AuthProcess mentions that ClientLogin may respond with a CAPTCHA challenge. Under which conditions does it do that?

- Testing shows that the gdata.apps.client.AppsClient.UpdateUser method rejects passwords that are considered too weak (e.g. "aaa") with error code 1402 (InvalidPassword). Is there an API somewhere that allows us to determine whether a password is strong enough without attempting to change it?

Thanks for your attention,
--
Max
