Adding an Application to Domain-Wide Delegation

This guide provides step-by-step instructions for adding an application to domain-wide delegation in Google Admin. These steps are essential for enabling our application to pull OAuth token reports and revoke staff token sessions across your organization.

Prerequisites

Before you begin, ensure you have:

  • Administrator access to your Google Workspace Admin Console
  • The Client ID of the service account provided by our application
  • A list of required OAuth scopes for the application

Understanding the Process

Adding an application to domain-wide delegation involves:

  1. Creating a service account (already done by our application)
  2. Configuring domain-wide delegation in Google Admin Console
  3. Granting specific OAuth scopes to the service account

Step-by-Step Instructions

1. Access the Google Workspace Admin Console

  1. Navigate to admin.google.com
  2. Sign in with your administrator account

2. Navigate to Security Settings

  1. From the Admin Console dashboard, click on Security
  2. In the Security menu, select API controls

3. Configure Domain-Wide Delegation

  1. In the API Controls section, locate Domain-wide Delegation
  2. Click on Manage Domain Wide Delegation
  3. Click the Add new button

4. Enter Application Details

  1. In the Client ID field, enter the service account’s Client ID provided by our application
    • This is a long numeric string that identifies our service account
  2. In the OAuth Scopes field, enter the following scopes (separated by commas):
    https://www.googleapis.com/auth/admin.reports.audit.readonly,
    https://www.googleapis.com/auth/admin.reports.usage.readonly,
    https://www.googleapis.com/auth/admin.directory.user.readonly,
    https://www.googleapis.com/auth/admin.directory.user.security
  3. Click Authorize

Understanding the Required Scopes

The OAuth scopes requested provide specific permissions:

  • admin.reports.audit.readonly: Allows reading audit reports, including OAuth token activities
  • admin.reports.usage.readonly: Enables access to usage reports across your domain
  • admin.directory.user.readonly: Provides read-only access to user information
  • admin.directory.user.security: Allows management of user security settings, including token revocation

Verification

To verify that domain-wide delegation has been properly configured:

  1. Return to the Domain-wide Delegation page
  2. Confirm that our application appears in the list with the correct Client ID
  3. Verify that all required scopes are listed

Security Considerations

Grant only the scopes listed above. They are the only scopes that Inocula currently requires.
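
A check that supports the Verification and Security Considerations steps above, added here as an example and not part of the application's own code: it takes the scope string as typed into the OAuth Scopes field and reports missing, excess and malformed entries against the four scopes from step 4. The function name `audit_scopes` and the sample input are assumptions made for illustration.

```python
"""Audit a Domain-wide Delegation scope string against the scopes this guide lists."""

PREFIX = "https://www.googleapis.com/auth/"

# The four scopes from step 4 of this guide.
REQUIRED_SCOPES = frozenset(PREFIX + name for name in (
    "admin.reports.audit.readonly",
    "admin.reports.usage.readonly",
    "admin.directory.user.readonly",
    "admin.directory.user.security",
))


def audit_scopes(pasted: str) -> dict:
    """Return missing, excess and malformed entries for a comma-separated scope string."""
    # Only commas separate scopes; surrounding spaces, line breaks and a
    # trailing comma are tolerated.
    entries = [e.strip() for e in pasted.split(",")]
    entries = [e for e in entries if e]

    # Whitespace inside an entry usually means a comma was dropped between
    # two scopes; a missing URL prefix means the short name was pasted alone.
    malformed = sorted({e for e in entries
                        if not e.startswith(PREFIX) or any(c.isspace() for c in e)})
    granted = set(entries) - set(malformed)
    return {
        "missing": sorted(REQUIRED_SCOPES - granted),
        "excess": sorted(granted - REQUIRED_SCOPES),
        "malformed": malformed,
        "ok": granted == REQUIRED_SCOPES and not malformed,
    }


if __name__ == "__main__":
    # Constructed sample: the comma after the second scope is missing and
    # one scope beyond the required four has been added.
    sample = (
        PREFIX + "admin.reports.audit.readonly,\n"
        + PREFIX + "admin.reports.usage.readonly\n"
        + PREFIX + "admin.directory.user.readonly,\n"
        + PREFIX + "admin.directory.user.security,\n"
        + PREFIX + "admin.directory.group.readonly"
    )
    for key, value in audit_scopes(sample).items():
        print(f"{key}: {value}")
```

Any entry under `excess` should be removed from the delegation entry, and any entry under `malformed` should be re-entered with the full URL and a comma between scopes.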

Troubleshooting

If you encounter issues during setup:

  • Verify that the Client ID is entered correctly
  • Ensure all scopes are properly formatted and separated by commas
  • Check that your administrator account has sufficient privileges
  • Confirm that API access is enabled in your Google Workspace settings

Next Steps

After configuring domain-wide delegation:

  1. Our application will automatically detect the new permissions
  2. OAuth token reports will begin populating in your dashboard
  3. The ability to revoke staff token sessions will become available

For more information about domain-wide delegation and its implications, see our guide on Domain-Wide Delegation in Google Admin.