Generating OAuth 2.0 Authentication Credentials

The Google Workspace connector uses the OAuth 2.0 protocol for authentication and authorization of the Google Workspace APIs. It supports the following OAuth 2.0 scenarios:

Client Credentials (OAuth 2.0 for Web Server Applications)
Service Account (OAuth 2.0 for Server to Server Applications)

Client Credentials

This section describes the procedures for generating the Client ID, Client Secret, and Refresh Token.

Note
When generating the credentials (client and service account), complete the procedures by using a Google Workspace User who has permission to generate refresh tokens and has the required Roles/IAM Roles to manage Google Workspace and CGP data as mentioned in the Prerequisites, Required Roles for Google Workspace and GCP Management section.

Generate Client ID and Client Secret

Go to the Google Cloud Platform > APIs & Services > Credentials page: Google Cloud Platform.
From the project dropdown list, select an existing project or create a new one.
On the Credentials page, select Create Credentials >OAuth Client ID.
If the Consent page is displayed, select the application type as Internal and enter the application name and save it.
Under Application type, select Web application.
Enter the Application Name.
Under Authorized redirect URLs, add a line with the following:
Copy
```
https://developers.google.com/oauthplayground
```
Select Create.
On the page that displays, take note of the Client ID and Client Secret. These are required to generate the refresh token.

Generate Refresh Token

Note
You must generate the Client ID and Client Secret before generating the refresh token.

Go to the OAuth2 Playground.
Select the gear icon in the upper right corner and select the Use your own OAuth credentials checkbox (if it is not already selected).

Ensure that OAuth Flow is set to Server-side and Access type is set to Offline. This ensures that you get a refresh token and an access token.
Enter the OAuth2 client ID and OAuth2 client secret you obtained from the Client ID and Client Secret procedure.

In the section labeled Step 1 - Select & authorize APIs, enter the scopes as required in the text box at the bottom. To add more than one scope, use a comma (,) as a separator.

Scope	Purpose
https://www.googleapis.com/auth/admin.directory.group	Group Provisioning
https://www.googleapis.com/auth/admin.directory.user	User Provisioning
https://www.googleapis.com/auth/apps.groups.settings	Group Settings API
https://www.googleapis.com/auth/admin.reports.audit.readonly	For Account and Group Delta Aggregation
https://www.googleapis.com/auth/admin.datatransfer	For Data transfer before deletion of Account
https://www.googleapis.com/auth/admin.directory.rolemanagement	For all roles management operations, including creating roles and role assignments
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly	For getting and listing roles, privileges, and role assignments
https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/iam	To Access GCP related data
https://www.googleapis.com/auth/admin.directory.domain	To manage domain as Account type in GCP

On prompt, log in to the account that you want to grant access to and authorize.

Note

If the following error message is displayed, select the back button and try selecting Authorize APIs again:

redirect_uri_mismatch, it's possible the changes you made haven't yet propagated
Select Allow to continue. In the Step 2 - Exchange authorization code for tokens tab, the Authorization code is displayed.
Select Exchange authorization code for tokens.
The Refresh token and Access token fields are displayed. Copy the Refresh Token into the configuration file for the client library along with the Client ID and Client Secret.

Service Account

A service account is an account that belongs to the application. Create a service account for the project in the API console and delegate domain-wide access to the service account. Now add the required scopes in admin console against the service account Client ID.

Create service account and generate private key

Log in to Google Cloud Platform console using a user who has the required permissions to generate the private key and to manage Google Workpace/GCP data.
In the Google Cloud Platform console, go to Service Accounts.
Select an existing project or create a new one. For example, Project-Service Account.
Select CREATE SERVICE ACCOUNT and add a Name and Description for the service account.
Select DONE.
In the Filter table, select the email address of the newly created service account.
Expand MANAGE DOMAIN WIDE DELEGATION.
To generate the private key go to the KEYS tab, select ADD KEY > Create new key, and then select the key type as JSON.
Select CREATE.
The private key is downloaded to the computer in the JSON format.
Select CLOSE.

Add scopes to the service account

Sign in to your Google Admin console as a Super Admin User.
From the Admin console Home page, go to Menu > Security > API controls.
Select MANAGE DOMAIN WIDE DELEGATION.
Select Add new and enter your service account client ID.

You can find the ID (also known as the Unique ID) in the JSON file that you downloaded when you created the service account (For example: "client_id":"102996919678308170059") or in the Google Cloud Console (go to IAM & Admin > Service accounts > your service account).

In OAuth Scopes, enter the scopes as required. To add more than one scope, use a comma (,) as a separator.

Scope	Purpose
https://www.googleapis.com/auth/admin.directory.group	Group Provisioning
https://www.googleapis.com/auth/admin.directory.user	User Provisioning
https://www.googleapis.com/auth/apps.groups.settings	Group Settings API
https://www.googleapis.com/auth/admin.reports.audit.readonly	For Account and Group Delta Aggregation
https://www.googleapis.com/auth/admin.datatransfer	For Data transfer before deletion of Account
https://www.googleapis.com/auth/admin.directory.rolemanagement	For all roles management operations, including creating roles and role assignments
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly	For getting and listing roles, privileges, and role assignments
https://www.googleapis.com/auth/gmail.settings.sharing	For Gmail API - Provisioning
https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/iam	For Gmail API - To Access GCP related data
https://www.googleapis.com/auth/gmail.settings.basic https://mail.google.com/ https://www.googleapis.com/auth/gmail.modify https://www.googleapis.com/auth/gmail.readonly	For Gmail API - Aggregation
https://www.googleapis.com/auth/admin.directory.domain	For Gmail API - To manage domain as account type in GCP

Select Authorize.

Note
If you get an error, the client ID might not be registered with Google or there might be duplicate or unsupported scopes.
Select the new Client ID, select View details, and make sure every scope is listed.
If a scope is not listed, select Edit, enter the missing scope, and select Authorize. You can't edit the client ID.
The app should be available for use within minutes, but can take up to 24 hours.

Convert Service Account Private Key to RSA format

Open the JSON file (downloaded in the Create service account and generate private key procedure) for the service account and copy the private key value into the new file.

For example:

Copy

1
-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDVAm/9T1/yBO2Z\nCCUn9xJbaoFloMUQcQyc7Xd2snXeKSWXGNMmHFPOMTXT4KNCMsxfGPXeHixYcgpu\nPGok/bqJjY9rWncYh8/UUy3gox4fr+J21rj4qCZ5gvOItF7oVKfjk/E4SQrSRvAp\nAc08W3u8vjNAmFoTBeUyEoKuHqCp48N5Gg3pM6htLXMrf2+q+wcv8IwtWAhopoG3\n8XpjAh4+/bff/gkfFoDdIFYwo3IJ5qlU9xawmbZzy3R+8eZTM2WFAkG75lWfX7id\nj87J32EiSe9etCyER9EtaKbxIKC/bww/JKcz3nIWweyXOAX4/tMDs8ThcsztBTa/\npseo4PI1AgMBAAECggEAEsdo+55OkV3lW4c4DV6vH9+TIlRK41DwIXqe/Fgt44Th\no0FFRjgbnFNC0Vfd1MV5No4TCP7EfpSpPkA1xGaZFizkfrymQMOiay/dHM+MpZMC\nRmNWQdfDMpW8pinurxFdjsb5bnKkEVc/L4JQ53gSP9jN2G1GDaTIqMIwgqzBEdER\nHpgrRv1l+MUrJRpyMyh5ZYApihEmFX4XDR2IYa3ZSMkBT4L6MdIcPURBrvVYdV+I\nXGvGWDhPvz/KcjfY7JD8JqVLqSIwgU851gewJJXKpekUS47aYo9Re91+0DB91ZnU\nWhmDmgorVCz90PM7WpKcW/0XkI45yPLWP3elBwsFKQKBgQD7XqKKGf0PChMNlWYV\n1SKEwiFzLipAHzEOJvhXD6v6vskbwqr/xS5j5SvWqpydow9pd2ExCcxmNtlwmpPX\nDXyRu8dmnaXUYCeYBFWheQ+NzlKd2N6wqE5aXrHdwW9xZRcHbyY+dKOv+gFAOQX+\nkakI4bvOcOernhnI6Fnhd94mCQKBgQDY7ukU6/6bVEahhdssakT+trcMOdhiHiPe\nGHaKYy1r3FpmdPmMLeJlECAOFfWqAB0DUiR9hGPXBSB2oIIICCQraQSFV1lu2R+k\nCaV7rFUrvx1b1yeOQDv34/MR6NdjbsjfhPmxSahWaBsvAyx88GRhh0ULgzesEqqk\nZ19PMV/VzQKBgQDrjkU2sR/pRgGQyx28+9u7GMiLzQkeyZwIrRAvVapN8Rc4gnYH\n9NmCFzG7mmnldvZsWMilUY9PgbrFwLUl46eGUbeMO9M4b1rrI7Sy+mVO97eH38Df\nPvkdyntXWXt7gcXQ26G1CUyTDe66JjWt1wXWIuMBk+AlfKShFsuTc+ajMQKBgFNB\nXbLp3409it3ywWsKXfBjr1zB1onRh3J1cQkrhwMeTpOD0UI7WefviF3fj6ju4jOk\nEt0ZMjgTf6IHd+AdP8RpSZLjMy+XpM0P5rLQMN/ZOStGJ6gwftNkaKU293Lx0aX3\nIt0np7OBwO0KCsjoeZ30jEse0P75KwRtp+Z8zIsBAoGAN47TexfJtaEK+ZQBoIn0\nh0mqV1si1QkPfMHSDvriKQ5d5tG8kF0vPVKAQV5kgytBeI+3bEO1iZC8i2FJzL7x\neN8ifRCcNXDRXjRdR0oPVIHImQ0XXwTB6JQmzVIFLWgxddDhZKpCQlA8GSRsbqEe\njtbTjDN0f5sX9llpKxd9xXw=\n-----END PRIVATE KEY-----\n

Replace all \n from the private key with an actual new line. In private key syntax, \n denotes a new line. The can be done in most text editors.

For example, in Notepad++, perform a replace all where you replace \\n with \n.

Example converted key:

Copy

Save the converted private key in new file.
Download the following version of openSSL and extract it: openssl-1.0.2q-x64_86-win64.zip.
Go to the bin folder of openSSL, and run either of the following commands to convert the private key to RSA format:

openssl rsa -aes-256-cbc -in "File Saved in above step" -out "output file name and path"

For example, $ openssl rsa -aes-256-cbc -in ConvertedGSuitePK.txt -out rsa.pem

openssl rsa -aes-128-cbc -in "File Saved in above step" -out "output file name and path"

For example, $ openssl rsa -aes-128-cbc -in ConvertedGSuitePK.txt -out rsa.pem
Enter the PEM pass phrase.
Confirm the pass phrase.

Note
The above generated RSA format private key is used as a private key in the connector configuration page along with the pass phrase as the private key password.


	You are here: