Google oAuth2 call failing for some schools using Google Apps for Education

Question

We allow authentication using oauth and google. For the vast majority of our clients the code shown works fine. For a few however it fails. The problem is not network related as I can use the user's school supplied google email account to cause the problem then switch to a personal account and not have the issue occur. if the issue does occur it occurs for that whole school which leads me to believe it is setup related in their google account, but no one seems to know the issue. HELP!!!

The problem is in the makeAPICall function, for most users we can access an email after this, but in the problem schools the email is undefined. There is no error being returned however.

  <script type="text/javascript" src="https://apis.google.com/js/api.js" "></script>
    <script type="text/javascript">
      var apiKey = 'MY API KEY';
      var discoveryDocs = ["https://people.googleapis.com/$discovery/rest?version=v1"];
      var clientId = 'MY CLIENT ID';
      var scopes = 'profile';

      function handleClientLoad() {
        // Load the API client and auth2 library
          gapi.load('client:auth2', initClient);
       }

        function initClient() {
        gapi.client.init({
            apiKey: apiKey,
            discoveryDocs: discoveryDocs,
            clientId: clientId,
            scope: scopes,
            'immediate': false
        }).then(function () {
          // Listen for sign-in state changes.
          gapi.auth2.getAuthInstance().isSignedIn.listen(updateSigninStatus);
        });
      }

        function updateSigninStatus(isSignedIn) {
            if (isSignedIn) {
                makeApiCall();
            }
      }

      function handleAuthClick() {
          var isSignedIn = gapi.auth2.getAuthInstance().isSignedIn.get();
          if (isSignedIn) {
              makeApiCall();
        }
          else {
              gapi.auth2.getAuthInstance().signIn();
        }
      }

      function makeApiCall() {
        // Load the API and make an API call.  Display the results on the screen.
    // for most users this loads the api and allows me to access the email address.  
        // for certain schools the email addresss is not returned causing lots of problems

        gapi.client.people.people.get({ 
          'resourceName': 'people/me',
          'requestMask.includeField': 'person.emailAddresses'
        }).then(function (resp) {

        //in the case of the email not being returned, the next line errors
          var email = resp.result.emailAddresses[0].value;
          $.ajax({
        //do some application specific stuff using the email address
            }   
          });
        });
      }
    </script>

    <script type="text/javascript" async defer src="https://apis.google.com/js/api.js" 
      onload="this.onload=function(){};handleClientLoad()" 
      onreadystatechange="if (this.readyState === 'complete') this.onload()">
    </script>

Answer 1

According to the API docs, you should request the email scope too, in addition to profile. In addition to that, you might want to use the OAuth2 API UserInfo method (you'd also need to add the email scope, but it's a simpler API).

Answer 2

After working with one of our clients we discovered that in Google Apps for Education Directory information is protected by default. The district can either open this up to all clients or put in specific rights by client. Once this was adjusted the code shown above works perfectly.

Thanks