I previously released userDelegation as a script bound to a Google Sheet. The problem with that design was that the user running it, who did not (and still does not) need to be an admin at all, could open the script project and read or copy the service account credentials the script uses. Even though the scopes granted to that service account are fairly limited, that still hands the user more access than the tool needs: anyone holding the key can use the service account outside the script.
Re-coded and deployed as a web app, those secrets are now hidden from the user and available only to the admin who manages the userDelegation project. That admin, by the way, does not have to be a super admin either. The only step that requires a super admin is adding the service account's client_id to Domain Wide Delegation in the Admin console.
My recommendation is to deploy userDelegation with unique service account credentials for each delegation manager (remember, the manager does not need any admin access at all), and to create a separate deployment for each of them, so that each manager also gets their own unique web app URL. That way every manager can be identified in the OAuth Audit Log, because the log records the individual service account as the actor taking the listed action.
There are also two built-in security checks. The first verifies that the user accessing the web app is the one you have set in the code. The second lets you require a password, which is also hardcoded. The password check can easily be removed, but I strongly advise against removing the user check: without it, anyone who obtains the deployment URL can use that manager's delegation.
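As an added illustration (this is not the userDelegation project's own code), here is how the two checks described above can be written in Apps Script. The allowed user, the password, the `pw` form field and the `authorizeManager` function name are placeholders of my own choosing. `checkAccess` is kept as a pure function so it can be exercised outside Apps Script; `authorizeManager` is the server-side entry point the web app page would call through `google.script.run`. One caveat worth building in: `Session.getActiveUser().getEmail()` returns an empty string when Apps Script cannot establish the caller's identity (for instance, an "Execute as me" web app opened by someone outside the script owner's Workspace domain), so the check must fail closed on a blank email rather than treat it as a match.

```javascript
// Added example, not code from the userDelegation project.
// Both values are placeholders (assumptions), hardcoded as the post describes.
const ALLOWED_USER = "delegation.manager@example.com";
const REQUIRED_PASSWORD = "change-me";
const REQUIRE_PASSWORD = true; // set to false to drop the password check; keep the user check

// Constant-time string comparison: a wrong password takes the same time
// to reject no matter how many leading characters happen to match.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    // charCodeAt() past the end is NaN; treat it as 0 so both strings are walked fully
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Returns true only when the caller is the configured user and (if enabled)
// supplied the right password. A blank email means Apps Script could not
// identify the caller, so it is denied rather than compared.
function checkAccess(email, password) {
  const user = (email || "").trim().toLowerCase();
  if (user === "" || user !== ALLOWED_USER.toLowerCase()) return false;
  if (REQUIRE_PASSWORD && !safeEqual(password || "", REQUIRED_PASSWORD)) return false;
  return true;
}

// Apps Script entry points (only meaningful when deployed as a web app).
// doGet() serves a page that posts the password back through
// google.script.run.authorizeManager(pw); google.script.run uses a POST,
// so the password never appears in the URL or browser history.
function doGet() {
  const page =
    '<form onsubmit="google.script.run.withSuccessHandler(function(u){' +
    "document.body.innerText='Signed in as '+u})" +
    ".withFailureHandler(function(e){document.body.innerText=e.message})" +
    '.authorizeManager(document.getElementById(\'pw\').value);return false">' +
    '<input id="pw" type="password" placeholder="password">' +
    '<button type="submit">Continue</button></form>';
  return HtmlService.createHtmlOutput(page);
}

function authorizeManager(password) {
  const email = Session.getActiveUser().getEmail();
  if (!checkAccess(email, password)) {
    // One generic message: do not reveal which of the two checks failed.
    throw new Error("Access denied.");
  }
  return email; // from here the script can go on to the delegation work
}
```

Because the web app runs as the project owner, the hardcoded values in the script are not visible to the manager using it, which is what makes this simple approach acceptable here; the comparison is case-insensitive on the email only, and the `safeEqual` helper keeps the password check free of the early-exit timing difference a plain `===` would have.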
Re-deploying the userDelegation web app for a second (or any additional) manager is much easier than setting it up from scratch, so there is a short guide for just that.