Impersonate the current user when making a Google API call using a service account and delegate authority

There is a marketplace requirement that if a Google Apps for Work domain administrator installs our application for their domain, the administrator and any users from their domain should then not see the autof screen when accessing our application. The act of installing an application for a domain must explicitly delegate domain authority to the service account associated with our application.

To achieve this behavior, I am trying to delegate the service account to run on behalf of, AKA, impersonating the current user.

The code snippet below shows the various attempts I have made to get this to work. The only thing that works is to pass the domain superuser email address as a "helper" parameter (AKA prn) when creating the JWT. However, this significantly increases the regular running of mill domain user privileges for superuser users, which is not the desired effect.

var client = new googleapis.auth.JWT(
    '<serviceaccount>@developer.gserviceaccount.com',
    'localhost.pem',
    null,
    ["https://www.googleapis.com/auth/admin.directory.user.readonly"],
    //  null - // 403 not auth
    // {'userId' : 'domainsuperuser@email.com'} // 403 not auth
    // {'userId' : 'me'} // 403 not auth
    // "domainsuperuser@email.com" // works!
    // "{domainsuperuser@email.com}" // not a valid email error
    // 'me' // invalid impersonation prn email address
  );

      

        
        
        
      

    

Does Google mean any other identifier other than just the email address of the person you want to give out, like the special value "me"?

It looks like we are facing a chicken and egg problem. Basically, we don't want to hardcode the email address (especially not the admin email), so we feel like we should make an API call. But we cannot make an API call without impersonating the user.