Choose your Google authentication method

Before you install G Suite Password Sync (GSPS) 1.6 or later, you need to choose an authentication method. You can use a service account or 3-legged OAuth. 

We recommend using a service account for authentication. You can use 3-legged OAuth for authentication, but only if you’re using 1 or 2 domain controllers. If you’re installing GSPS from the command line, you must use a service account.

Use a service account to authenticate

A service account belongs to an application rather than a user. The application sends a request to Google APIs on behalf of the service account, so users aren't directly involved in the authentication process. 

Advantages of using a service account

  • Multiple domain administrators can manage and monitor a service account. Therefore, even if an administrator changes, GSPS is unaffected.
  • Service accounts aren't subject to the refresh token limit that applies to 3-legged OAuth.
  • Service account credentials are downloaded as a JSON file and can be used on many domain controllers. You don't need to repeat the authorization process for each domain controller.
  • Service accounts don't require a web browser to authenticate. You can configure GSPS when using Microsoft® Windows® Server Core.

Disadvantages of using a service account

Use 3-legged OAuth to authenticate

With 3-legged OAuth, the application sends a request to Google APIs on behalf of a user. However, unlike a service account, 3-legged OAuth normally requires that each user give the application permission to access their data. For GSPS, the domain administrator performs this step on behalf of all users in the domain during the configuration process. In turn, for GSPS to successfully synchronize user passwords for every user in a domain, the domain’s administrator must authorize GSPS on each domain controller.

Advantages of 3-legged OAuth

  • Using 3-legged OAuth is simple and requires only one setup step

Disadvantages of 3-legged OAuth

  • Domains with multiple domain controllers may exceed the token limit.
  • Domains with multiple domain controllers must authorize each domain controller separately. This can be time-consuming.
  • 3-legged OAuth is tied to a single administrator account. If that account is disabled or deleted, GSPS won't work. 
  • Unlike service accounts, usage can't be monitored via the Google Developers Console.
  • You can't install and configure GSPS using the command line with 3-legged OAuth.

Next steps

After you choose your authentication method, you're ready to set up GSPS. See Set up G Suite Password Sync.

Was this article helpful?
How can we improve it?