How to get access token for Google APIs without a browser redirection

Question

I wanted to provision users to a Google. Hence i have following Google admin sdk to achieve that.

But requesting authorization for APIs i don't have ability to do a browser redirect and ask for login and consent directly from user.

What I wanted to have is, the when admin create a new user that user should be created using company's IdP and that IdP would take caring creating a google account for new user too.

I have followed this which explains different scenarios to get access token, but i have noticed there airn't any scenario which is similar to password\resource_owner grant type which is match for my case.

Is there a way I can get access token for without a browser redirection? Or is there any workaround? (Google Apps Directory Sync isn't a solution since it's support ldap only, but i'm looking to create like that for our IdP)

Thanks in advance.

Answer 1

Would a service account work for your case? With a service account, you can impersonate the super administrator who has all the rights to Admin SDK. Since it is a 2LO, it won't redirect and ask your admin for access. (note: the initial set up will require the super admin to grant OAuth access specifically for the service account in the Admin Console. But it is only one time thing)

The Drive API documentation has a really good example on how to use service account to impersonate users. It has steps by steps on how to create a service account, and it also includes multiple code samples. The only thing is you would have to change the scope to Admin SDK from Drive API.

https://developers.google.com/drive/web/delegation