1) Create a “service account” and give it access to the Admin SDK scope
2) Authorize this “service account” to access all user information
Perform Google Apps Domain-Wide Delegation of Authority
Contents Create the service account and its credentials Delegate domain-wide authority to your service account Instantiate an Admin SDK Directory service object Next steps In enterprise applications you may want to programmatically access a user's data without any manual authorization on their part. In Google Apps domains, the domain administrator can grant third-party applications with domain-wide access to its users' data — this is referred as domain-wide delegation of authority. To delegate authority this way, domain administrators can use service accounts with OAuth 2.0.
Create the service account and its credentials
You need to create a service account and its credentials. During this procedure you need to gather information that will be used later for the Google Apps domain-wide delegation of authority and in your code to authorize with your service account. The three items you need are your service account’s:
Client ID. Private key file. Email address. To get started using Admin SDK, you need to first create or select a project in the Google Developers Console and enable the API. Using this link guides you through the process and activates the Admin SDK automatically.
Alternatively, you can activate the Admin SDK yourself in the Developers Console by doing the following:
Go to the Google Developers Console. Select a project, or create a new one. In the sidebar on the left, expand APIs & auth. Next, click APIs. Select the Enabled APIs link in the API section to see a list of all your enabled APIs. Make sure that the Admin SDK is on the list of enabled APIs. If you have not enabled it, select the API from the list of APIs, then select the Enable API button for the API. In the sidebar on the left, select Credentials. In either case, you end up on the Credentials page and can create your project's credentials from here.
To set up a new service account, do the following:
Under the OAuth heading, select Create new Client ID. When prompted, select Service Account and click Create Client ID. A dialog box appears. To proceed, click Okay, got it. Your new Public/Private key pair is generated and downloaded to your machine; it serves as the only copy of this key. You are responsible for storing it securely. The Console shows your private key's password only at this initial moment of service account creation–the password will not be shown again. You now have Generate New JSON Key and Generate New P12 Key options, and the ability to delete.
From the Credentials page, click Create new Client ID under the OAuth heading to create your OAuth 2.0 credentials.
Next, select your Client ID type.
You should now have gathered your service account's Private Key file, Client ID and email address. You are ready to delegate domain-wide authority to your service account.
Delegate domain-wide authority to your service account
The service account that you created needs to be granted access to the Google Apps domain’s user data that you want to access. The following tasks have to be performed by an administrator of the Google Apps domain:
Go to your Google Apps domain’s Admin console. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. Select Advanced settings from the list of options. Select Manage third party OAuth Client access in the Authentication section. In the Client name field enter the service account's Client ID. In the One or More API Scopes field enter the list of scopes that your application should be granted access to (see image below). For example if you need domain-wide access to Users and Groups enter: www.googleapis.com/auth/admin.directory.user, www.googleapis.com/auth/admin.directory.group Click the Authorize button.