How to authenticate users into internal application with Google Apps

I am creating an application within our company that handles all our processing. This will need to implement Google Apps (we have premier).

I'm having a hard time figuring out the best way to authenticate user. I need full access to ALL their information (add, delete, modify [calendars, emails, contacts[, password?]]). I'm wanting to do something along the lines of OAuth so that they don't need to store their password on my server as well as google. As if it's all 1 concurrent login.

I'm using Zend to communicate with Gdata API.

What's the best kind of authentication for my application? What are limitations t开发者_Go百科o this authentication?

Thanks ahead of time.

---

2-legged OAuth allows the trusted applications on the domain to access user data without the user's explicit intervention.

See http://code.google.com/apis/gdata/docs/auth/oauth.html#2LeggedOAuth