Hi Max,

In 3-legged OAuth, the user has to visit the authorization URL to grant access to the application and has to be logged in as admin.

When your application is an interactive script, then you can have the script print the URL that you can visit and authorize. In this case redirection will not occur but you will manually paste the URL in your browser. Refer to this sample <http://code.google.com/p/gdata-python-client/source/browse/samples/apps/provisioning_oauth2_example.py> in Python that uses OAuth 2.0 for a desktop application (not a web application). In this application, the user is given the authorization URL to visit. This article <http://code.google.com/googleapps/domain/articles/provisioningoauth2console.html> explains the steps for using OAuth with the Provisioning API.

As 3-legged authorization requires the admin to authorize, the users won't be able to authorize to change their passwords. That is why I recommended using Apps Script. You can get the new password from your application and save it in a Google Spreadsheet in the admin's account. If you have an Apps Script associated with the spreadsheet, then you can trigger the script every time the content of the spreadsheet changes so that the script updates the password of the user.

If you don't want to go for Apps Script, then you can get the new passwords from the users and save them. Later, run the script from your account to update the passwords. But this will not result in an immediate change when the new password is given by the user to your application but will change when you run the script on the saved passwords from your end.

Thank you,
Shraddha Gupta
Developer Programs Engineer
Hyderabad, Google India.

On Wed, Jan 18, 2012 at 9:27 PM, Max Noel <[email protected]> wrote:

> On Wednesday, January 18, 2012 7:07:43 AM UTC-5, Shraddha Gupta wrote:
>>
>> Hello Max,
>>
>> You are right that User Provisioning API is used to update the password
>> for the users in the Google Apps domain.
>>
>> Let's go through your problems one by one:
>>
>> - Only read access is possible by 2-legged OAuth in the Provisioning
>>   API.
>>
>> - You don't need to use ClientLogin. In fact, we recommend not to use
>>   ClientLogin.
>>
>> Please use 3-legged OAuth with the Provisioning API. But then
>> you will require to get the new passwords and save them before you run a
>> script to update passwords from your end.
>> As 3-legged OAuth requires the admin to authorize the request,
>> the script must be executed by the admin as it requires admin to be logged
>> in.
>
> I see. However,
> http://code.google.com/apis/gdata/docs/auth/oauth.html#Examples says that
> "To authorize a request token, your application must redirect the user to
> the OAuthAuthorizeToken <http://code.google.com/apis/accounts/docs/OAuth_ref.html#GetAuth>
> URL, which prompts them to log into their Google account." (the user being, in
> this case, an admin -- right?).
>
> I see two issues with this:
>
> - How do I do that when the program that's running is not a webapp,
>   but a barely interactive script?
> - On the webapp side, it's not an admin performing the password change
>   operation. It's the users themselves, without admins being involved -- it's
>   a simple "change my password" link. Wouldn't three-legged OAuth require
>   them to sign in to an admin's account in order to perform the change? Or is
>   there something I don't understand properly?
>
>> - CAPTCHA challenge usually occurs in ClientLogin if you authorize
>>   the service multiple times. Authorize the service just once and use the
>>   authorized service in all your methods.
>>
>> - The passwords must be a minimum of 8 characters in length and
>>   maximum 100. The Limits section
>>   <http://code.google.com/googleapps/domain/provisioning_API_v2_developers_guide.html#Limits>
>>   of the Provisioning API Developers Guide lists these limits. In your
>>   application, you can add a precondition for the passwords entered and only
>>   accept the correct length passwords.
>
> Great, thanks!
>
> -- Max
