Can I trust Folgo with Domain Wide Delegation?
Granting domain-wide delegation to Folgo means whitelisting a Service Account that will be used by Folgo to impersonate domain users. The security of this Service Account guarantees that the operations are only performed via Folgo by authorized users, preventing any external unauthorized actions or misuse of credentials outside Folgo.
From Google:
Domain-wide delegation is a powerful feature that allows apps to access users' data across your organization's Google Workspace environment. For this reason, only super admins can manage domain-wide delegation, and they must specify each API scope that the app can access. [...] Once activated, the app has access to data owned by all your users.
Ensuring Service Account Security
- Folgo only uses the default Service Account created by Google for Google App Engine, avoiding User-managed service accounts.
- This default service account has no private keys at all, so there is no risk of a leaked or stolen Service Account key.
Only Folgo’s App Engine web service can use the Service account whitelisted for domain-wide delegation, and only Folgo can contact this web service. No secret key is stored anywhere that could be used outside of this web service, and all our Google Cloud Platform resources have been audited under CASA Tier 3.
Architecture - how does our web service work with Folgo?
Folgo is a Google Workspace add-on primarily built on Google Apps Script. All calls to the Google Drive API happen within Google Apps Script.
In the case of Domain-wide delegation, an additional Web Service on Google App Engine is used specifically to grant short-lived access tokens to authorized users. This Web Service and the Google Apps Script project for Folgo are part of the same Google Cloud Platform project.
When an authorized user wants to perform an admin task inside Folgo using domain-wide delegation:
- A request is sent to the Web Service and authenticated using the user’s Google Apps Script access token.
- This access token is validated on the Web Service side using Google token info endpoint, to ensure that the request comes from Folgo and to confirm the identity of the requestor.
- The Web Service queries our database (Firebase) to retrieve the email address(es) of the Google Group(s) whose members are allowed to impersonate other users on the selected domain.
- Using the Google Groups API, the Web Service verifies that the requester (identified via the sent Google Apps Script access token) is a member of one of these Google Groups.
- If validated, the Web Service returns to Google Apps Script a valid access token to perform operations inside Folgo as the desired user.
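The flow above, written out as the access-control logic such a token broker would run, is given here as an added example; it is not Folgo's code and every identifier in it (client ID, service-account address, group names, domains, scopes) is a constructed placeholder. The tokeninfo field names follow Google's public tokeninfo endpoint, and the group check assumes a wrapper around the Directory API members.hasMember call; the page does not say how the key-less service account actually obtains the delegated token, so step 5 assumes the standard JWT-bearer exchange with the assertion signed through the IAM Credentials signJwt API, and that step is injected as a callable so the example runs offline against constructed data.

```python
import time
from typing import Callable, Dict, Iterable, List, Optional

# Constructed, hypothetical identifiers (not Folgo's real values).
ADDON_CLIENT_ID = "123456789012-example.apps.googleusercontent.com"  # OAuth client of the add-on's Apps Script project
SA_EMAIL = "dwd-example@example-project.iam.gserviceaccount.com"   # the App Engine default service account
REQUIRED_SCOPE = "https://www.googleapis.com/auth/userinfo.email"  # needed so tokeninfo reports the caller's email
TOKEN_AUDIENCE = "https://oauth2.googleapis.com/token"


class AuthorizationError(Exception):
    """Any failed check ends the flow: no delegated token is issued."""


def validate_tokeninfo(info: Dict[str, str], now: float) -> str:
    """Step 2: check the JSON that Google's tokeninfo endpoint
    (GET https://oauth2.googleapis.com/tokeninfo?access_token=...) returned for the
    requester's Apps Script access token, and return the verified requester email.
    Field names are those of that endpoint; its values are strings."""
    if "error" in info:
        raise AuthorizationError("tokeninfo rejected the token: %s" % info["error"])
    # 'aud' is the OAuth client the token was minted for: it must be the add-on's own
    # client, which is what ties the request to the add-on rather than to another app.
    if info.get("aud") != ADDON_CLIENT_ID:
        raise AuthorizationError("token was not issued to the add-on's OAuth client")
    if int(info.get("exp", "0")) <= now:
        raise AuthorizationError("access token has expired")
    if info.get("email_verified") != "true":
        raise AuthorizationError("requester email is not verified")
    if REQUIRED_SCOPE not in info.get("scope", "").split():
        raise AuthorizationError("token lacks the scope needed to identify the requester")
    return info["email"].lower()


def requester_may_impersonate(email: str, groups: Iterable[str],
                              has_member: Callable[[str, str], bool]) -> bool:
    """Step 4: the requester must belong to at least one authorised group.
    has_member(group, email) is assumed to wrap the Admin SDK Directory API
    call members.hasMember(groupKey, memberKey)."""
    return any(has_member(group, email) for group in groups)


def delegation_claims(subject: str, scopes: List[str], now: float) -> Dict[str, object]:
    """Step 5 (assumed mechanism): claim set of the JWT-bearer assertion for the
    impersonated user.  A key-less service account gets it signed by the IAM
    Credentials signJwt API and posts it to TOKEN_AUDIENCE with
    grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer; Google only honours
    scopes that a super admin granted to SA_EMAIL in the Admin console."""
    return {
        "iss": SA_EMAIL,
        "sub": subject,              # the user the add-on will act as
        "scope": " ".join(scopes),
        "aud": TOKEN_AUDIENCE,
        "iat": int(now),
        "exp": int(now) + 3600,      # the assertion itself is short-lived
    }


def handle_request(token_info: Dict[str, str], domain: str, subject: str, scopes: List[str],
                   groups_by_domain: Dict[str, List[str]],
                   has_member: Callable[[str, str], bool],
                   sign_and_exchange: Callable[[Dict[str, object]], Dict[str, object]],
                   now: Optional[float] = None) -> Dict[str, object]:
    """The whole flow as a web-service handler would run it.  groups_by_domain stands
    in for the app's own database (Firebase on the page); sign_and_exchange performs
    step 5 against Google.  Returns an HTTP-style result instead of raising."""
    now = time.time() if now is None else now
    try:
        requester = validate_tokeninfo(token_info, now)
        # The account to impersonate must live on the domain the requester selected,
        # otherwise a group authorised for one domain could reach into another.
        if subject.rsplit("@", 1)[-1].lower() != domain.lower():
            raise AuthorizationError("subject is not on the selected domain")
        groups = groups_by_domain.get(domain.lower(), [])           # step 3
        if not requester_may_impersonate(requester, groups, has_member):
            raise AuthorizationError("%s is not in an authorised group for %s" % (requester, domain))
        token = sign_and_exchange(delegation_claims(subject, scopes, now))
        return {"status": 200, "requester": requester, "token": token}
    except AuthorizationError as exc:
        return {"status": 403, "error": str(exc)}


if __name__ == "__main__":
    # Constructed stand-ins for the two Google calls, so the flow runs offline.
    now = 1_700_000_000
    info = {"aud": ADDON_CLIENT_ID, "exp": str(now + 900), "email": "admin@example.com",
            "email_verified": "true", "scope": "openid " + REQUIRED_SCOPE}
    db = {"example.com": ["folgo-admins@example.com"]}
    is_member = lambda group, email: (group, email) == ("folgo-admins@example.com", "admin@example.com")
    exchange = lambda claims: {"access_token": "constructed-token-for-" + claims["sub"], "expires_in": 3600}
    print(handle_request(info, "example.com", "user@example.com",
                         ["https://www.googleapis.com/auth/drive"], db, is_member, exchange, now))
```

The order of the checks matters: the requester's identity is established from Google's own tokeninfo answer before the database or the Groups API is consulted, the domain of the impersonated account is compared with the selected domain before group membership is evaluated, and the delegated token is only requested once every check has passed, so a failure at any step returns a 403 and touches nothing else.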
Folgo's CASA Tier 3 Security Assessment
Google has recognized Folgo under the "Recommended for Google Workspace" program.
From Google:
Recommended for Google Workspace apps must meet the highest standards of integration and security requirements. If accepted into the program, your app must receive Tier 3 of the Cloud Application Security Assessment (CASA).
Get your app featured in the Google Workspace Marketplace
A third-party authorized lab has performed the CASA Tier 3 assessment for Folgo.
During the assessment, Folgo and its infrastructure were evaluated against 73 integration and security requirements, including but not limited to access control, architecture, threat modeling, data protection, and error handling.