Google Calendar API: No event details due to service account access role


I'm using a Google service account to authorize my app to the Calendar API to read calendar event data to determine if a user is busy or not. The problem is that because the accessRole of the service account is 'freeBusyReader', the API does not return the eventType parameter, which I need to process the business logic.

One thing I had to do was have users share their calendar with the service account, and I notice that in the sharing settings, only the 'See only free/busy' option is selectable, the rest are not. I can't select the 'See all event details' option which I believe would let me see the parameters I need from the API.

What are my options to move forward here? Ideally I don't want to have a Google Admin apply any calendar sharing options org-wide, so is there something I can change on the service account perhaps?

I really only need the eventType parameter from the API, but I believe it's because of the sharing/access role settings that I can't see it.

1

There are 1 answers

6
VonC On BEST ANSWER

Given the constraint that you do not want a Google Admin to apply calendar sharing options organization-wide, and considering the limitations you are facing with the service account's access role, I could see two options within these constraints:

  1. Investigate service account delegation

    See if domain-wide delegation for the service account is feasible. That is a feature in Google Workspace that allows a service account to impersonate users in your domain.

    With this, the service account could access calendar details as if it were the user, bypassing the need for individual calendar sharing settings. However, this still might require some level of admin setup, but it is more targeted than changing sharing options org-wide.

  2. Or: Use OAuth 2.0 with user consent

    Implementing an OAuth 2.0 flow for individual user consent remains another option. That approach does not rely on service accounts or admin-level changes.

    Each user would grant your application permission to access their calendar details, including the eventType parameter. That method is more user-centric.
    See "Using OAuth 2.0 to Access Google APIs":

    • Use Google's documentation to set up OAuth 2.0 in your application.
    • Redirect users to Google's OAuth 2.0 server for consent.
    • Handle the response and exchange the code for tokens.
    • Use the access token to call the Google Calendar API to access the eventType parameter and other details.

The OP Arin Zandbergen points out in the comments to "Using OAuth 2.0 for Server to Server Application / Preparing to make a delegated API call":

I had already enabled domain-wide delegation and so, since I'm creating the JWT and HTTP request manually, I needed to add a 'sub' parameter to the JWT which contained the email ID of the user I want to impersonate.
Once that was done, I was getting the parameters I needed.

True: With domain-wide delegation enabled, the service account can act on behalf of users in the Google Workspace domain.
When creating the JSON Web Token (JWT) for authentication, include a 'sub' (subject) field in the JWT payload. That 'sub' field should contain the email ID of the user you want to impersonate. By doing this, the service account can perform actions as if it were the impersonated user, thereby gaining access to detailed calendar information.

With the JWT set up correctly, you can then use it to authenticate HTTP requests to the Google Calendar API. That approach allows you to access the eventType parameter and other detailed information as the impersonated user.

+-------------------------+
|  Google Service         |
|  Account with           |
|  Domain-Wide Delegation |
|                         |
|  +-------------------+  |
|  | JWT with 'sub'    |  |
|  | for User          |  |
|  | Impersonation     |  |
|  +-------------------+  |
+-------------------------+
            |
            | Impersonating User
            v
+-------------------------+
|  User's Calendar        |
|                         |
|  - Full Event Details   |
|  - eventType Access     |
+-------------------------+
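
The manual JWT construction discussed above, as an added example that is not part of the original question or answer: it builds the claim set with the `sub` field, requests a read-only scope, and refuses impersonation targets outside one domain. The service account address, user address, `allowed_domain` guard and `sign` callable are assumptions; in real use `sign` must produce an RSA-SHA256 signature with the service account's private key.

```python
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://oauth2.googleapis.com/token"
# Read-only scope: enough to read eventType, cannot modify calendars.
SCOPE = "https://www.googleapis.com/auth/calendar.events.readonly"
MAX_LIFETIME = 3600  # Google rejects assertions valid for more than one hour

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_claims(sa_email, user_email, allowed_domain, now=None, lifetime=600):
    """Claim set for a delegated call; 'sub' is the user being impersonated."""
    local, _, domain = user_email.rpartition("@")
    if not local or domain.lower() != allowed_domain.lower():
        raise ValueError(f"refusing to impersonate {user_email!r}")
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    iat = int(time.time() if now is None else now)
    return {"iss": sa_email, "sub": user_email, "scope": SCOPE,
            "aud": TOKEN_URL, "iat": iat, "exp": iat + lifetime}

def build_assertion(claims, sign):
    """Return header.claims.signature; sign() must be RSA-SHA256 (RS256)."""
    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))

def token_request_body(assertion):
    """Form body to POST to TOKEN_URL in exchange for an access token."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": assertion})

def decode_claims(assertion):
    """Decode (not verify) the claim segment, for logging and review."""
    segment = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

if __name__ == "__main__":
    # Constructed values; placeholder_sign is NOT a real signature.
    placeholder_sign = lambda data: b"unsigned-demo"
    claims = build_claims("svc@example-project.iam.gserviceaccount.com",
                          "alice@example.com", "example.com")
    print(token_request_body(build_assertion(claims, placeholder_sign)))
```

Logging the output of `decode_claims` for each issued assertion gives an audit trail of which user the service account impersonated and when.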