How to get Google profile info including custom fields from an Apps Domain user?

Question

Using the user.profile and user.email scope and the /oauth2/v2/userinfo feed doesn\'t seem to return any custom fields (in my case Department) or phone numbers. These fields

Answer 1

I have used the following approach with TwoLeggedOAuthHmacToken: Consumer key and secret can be found in google apps admin dashboard

CONSUMER_KEY = 'domain.com'
CONSUMER_SECRET = 'secret_key'


class ContactClient():
    def __init__(self, username):
        # Contacts Data API Example ====================================================
        self.requestor_id = username + '@' + CONSUMER_KEY
        self.two_legged_oauth_token = gdata.gauth.TwoLeggedOAuthHmacToken(
            CONSUMER_KEY, CONSUMER_SECRET, self.requestor_id)

        self.contacts_client = gdata.contacts.client.ContactsClient(source=SOURCE_APP_NAME)
        self.contacts_client.auth_token = self.two_legged_oauth_token

    def newuser(self, username):
        self.contacts_client.auth_token.requestor_id = username + '@' + CONSUMER_KEY

    def getContacts(self, username=None):
        if username:
            self.newuser(username)
        return self.contacts_client.GetContacts()


class MainPage(webapp2.RequestHandler):
    def get(self):
        contacts = ContactClient(username='username')
        feed = contacts.getContacts()
        output = ""
        if feed:
              for entry in feed.entry:
                if entry.title and entry.title.text:
                    output += entry.title.text + "<br/>"
                for email in entry.email:
                    if email.primary and email.primary == 'true':
                        output += '&nbsp;%s<br/>' % (email.address)
        self.response.headers['Content-Type'] = 'text/html'
        self.response.write('''<h1>Contact Access via GData Client</h1>''' + output)

Answer 2

I would utilize the Google Apps Profiles API to do this. It'll give you a bunch of meta information, including profile data and even profile photos: https://developers.google.com/google-apps/profiles/

Even if you're using PIV/CAC/SAML, you will be able to auth using Two-Legged-OAuth. https://developers.google.com/accounts/docs/OAuth#GoogleAppsOAuth

Two-legged-oauth is the path of least resistance, but you should also take a look at OAuth2, especially the JWT-signed service accounts portion -- however, it can be a little tricky to get working with the older GData xml apis.

As far as fields available go, you'll have to work with the ones on this page. There are extended properties where you add in arbitrary data, but they don't show up in the Contacts browser with Google Mail itself: https://developers.google.com/gdata/docs/2.0/elements#gdProfileKind

On a sidenote, if you're in an LDAP environment (and since you mentioned CAC, I think you probably are), you should take a look at Google Apps Directory Sync, which can synchronize that profile data with your local AD/LDAP.

source: I deployed Google Apps to large organizations (3000+), public and private.

Answer 3

Any non-admin user can access the GAL programmatically, see:

https://github.com/google/gfw-deployments/blob/master/apps/shell/gal/gal_feed.sh

I don't believe this API call is documented or supported officially but it works even with OAuth authentication rather than the example's ClientLogin (tested on the OAuth 2.0 playground with a non-admin user and the standard https://www.google.com/m8/feeds/ Contacts scope).

Note that the Global Address List is a compilation of user profiles, groups and shared contacts. You'll need to parse it out to find the user(s) you wish to get department information for.