How can I get read-only access to the Google Apps Profiles API?

I have an application which wants to provide customization for users once they log in. Simple things like displaying a profile image and job title. This information is available in the Google Apps Profiles API, but the domain-admins are concerned about overreach with the scope. In particular, they don't want to approve the application if it has write access when it isn't needed.

The regular scope (with read/write) for the API, according to the API documentation, is https://www.google.com/m8/feeds/profiles and I have tried all of the following with no luck:

  • https://www.google.com/m8/feeds/profiles.readonly
  • https://www.google.com/m8/feeds/profiles.read
  • https://www.google.com/m8/feeds/profiles/#readonly
  • https://www.google.com/m8/feeds.readonly
  • https://www.google.com/m8/feeds.read
  • https://www.google.com/m8/feeds/#readonly

What scope can I specify in order to get read-only access to the Profile data? If I'm barking up the wrong tree entirely, where should I be looking?

There are 3 best solutions below

2
On BEST ANSWER

You need the user account under whose credentials the code is running to be either:

  • super admin or

  • to be listed under CPanel > Domain Settings > Admin Roles > [...put it in a created/user role...] > "Provisioning APIs" > Users - create/update/read/delete (as required, ticked ON). For example, for read-only access to the Profiles API, set it there to 'read'.

0
On

I wrestled with this myself. I was not able to get this to work either.

0
On

Any non-admin user can access the GAL programmatically, see:

https://github.com/google/gfw-deployments/blob/master/apps/shell/gal/gal_feed.sh

I don't believe this API call is documented or supported officially. Note that the Global Address List is a compilation of user profiles, groups and shared contacts. If you don't want to see groups and shared contacts, you'll need to figure out how to parse them out.