2f1d7 (2f1d7) asked a question.
I'm currently in the process of building out an offboarding Workflow for my company and wanted to use other Google Services outside of the GWS Connector already existing within Workflows. Originally, I believed the Custom API Action card within the GWS Connector to be all that I needed, but whenever I called another Google API, it always came back with a "404 Not Found". Upon looking further, it would seem the GWS Connector within Workflows only seems to be scoped out to either these scopes:
Any URI commands to anything outside of these scopes would always come back with a 404 error, as the custom API action card keeps attempting to append the "https://www.googleapis.com/auth/admin.directory.*" on the end. I've tried without adding the "https://" and starting with a "/v1/*", "/auth/*", and the same but without the forward slash at the beginning, all to no joy.
This brings me to believing that the current GWS Connector within Workflows may not be properly scoped out to reach these Google APIs. To preface, I've already got into the Oauth account within Google, the one Workflows is using to authenticate, to allow the additional scopes I'm looking to reach but it didn't seem to make much of a difference.
I attempted to create a Custom API Connector for Workflows, but I cannot figure out where I can obtain these items in order to make my one Oauth account in Google correctly talk with workflows:
- Authorize Path
- Access Token Path
- Scope (although I believe this is referring to the Google Scopes, but not sure)
At this point in time, I do not know if I'm going down a rabbit hole or if I'm using the proper methods so I can access other Google Services outside of the Google Workspace and Email connectors Workflows already provides. If the current connectors can already communicate to additional scopes outside of the Admin Console, I'd be more than happy to review my steps.
I'm hoping someone has come around this issue within making a Custom API Connector within Google's API services and could enlighten me to finding a solution for my needs.
Hello @2f1d7 (2f1d7)
This response is likely to rival the length of your initial post so bear with me.
Workflows Custom API Action (CAPIA) is a feature on "Connector" cards that assumes a relative URL. This is programmatically implemented for all of these types of cards and is intended to simplify the process & in some instance dynamically handle the domain portion (Some API's are based off your service domain). For example the Google Workspace CAPIA automatically specifies the following path:
Meaning if you wanted to take an action against users the "relative path" would be:
This also means you cannot hit any endpoints that are /admin/somethingElse or .com/somethingElse. They have to be endpoints reachable by adding to the existing assumed portion.
For your scenario you are likely going to need to leverage the API Connector (RAW) with a "No Authentication" Connection created, and selected. This will allow you to make RAW calls to an endpoint and you will just need to read the API documentation and buildout the request requirements yourself.
Support has built a template to help orchestrate this as it does come up periodically. The basic requirements for usage are as follows:
The ability to access specific endpoints for Google is a bit convoluted because it is essentially 2 completely different infrastructures involved (Workspace and GCP). You not only have to leverage the correct Scope(s) for access the specific API's must also be turned on. Furthermore if they are endpoints that require Domain Wide Delegation (Transfer of ownership features, email forwarding, and many others) the above process will not work. This is a far more convoluted / (possibly needlessly) complex process and I would recommend opening a case with Support if you need to go down this rabbit hole.
GoogleRefreshAccessTokenV2_0