I am developing a Chrome extension that addresses only GMail users who need access to some Google APIs. I use OAuth2 for authentication and authorization.
In order to help Google Apps domain administrators deliver the product to all users in their domain with minimal work, I registered the project with the Google Developers Console and published it (still privately) on the Google Apps Marketplace.
The extension itself has already been published in the Chrome Web Store.
At the same time, domain administrators can from their administrator console:
(a) Go to "Applications> Marketplace Applications" and add our application to all users in the domain.
or
(b) Go to "Applications"> "Device Management"> "Chrome Management"> "User Settings" and add the extension to "Force applications and extensions."
If they (a), users who install the Chrome extension, receive a "one-time single sign-on": after authentication in our application, they will not need to allow any permissions.
If they do (b), users get the Chrome extension automatically installed in the Chrome browser, but they still need to approve permissions after their first authentication.
If administrators perform both (a) and (b), users get the same result as if they only did (b) - that is: users still need to allow permissions.
? : , ?
?