Generating OAuth 2.0 Authentication Credentials

The Google Workspace connector uses the OAuth 2.0 protocol for authentication and authorization of the Google Workspace APIs. It supports the following OAuth 2.0 scenarios:

- Client Credentials (OAuth 2.0 for Web Server Applications)
- Service Account (OAuth 2.0 for Server to Server Applications)
Client Credentials

This section describes the procedures for generating the Client ID, Client Secret, and Refresh Token.

Note
When generating the credentials (client and service account), complete the procedures as a Google Workspace user who has permission to generate refresh tokens and holds the required Roles/IAM Roles to manage Google Workspace and GCP data, as listed in the Prerequisites, Required Roles for Google Workspace and GCP Management section.
Generate the Client ID and Client Secret

1. Go to the Google Cloud Platform console and open the APIs & Services > Credentials page.
2. From the project dropdown list, select an existing project or create a new one.
3. On the Credentials page, select Create Credentials > OAuth Client ID.
4. If the Consent page is displayed, select Internal as the application type, enter the application name, and save it.
5. Under Application type, select Web application.
6. Enter the Application Name.
7. Under Authorized redirect URLs, add a line with the following:
   https://developers.google.com/oauthplayground
8. Select Create.
9. On the page that is displayed, take note of the Client ID and Client Secret. These are required to generate the refresh token.

Note
You must generate the Client ID and Client Secret before generating the refresh token.

Generate the Refresh Token

1. Go to the OAuth2 Playground.
2. Select the gear icon in the upper right corner and select the Use your own OAuth credentials checkbox (if it is not already selected).
3. Ensure that OAuth Flow is set to Server-side and Access type is set to Offline. This ensures that you receive a refresh token as well as an access token.
4. Enter the OAuth2 client ID and OAuth2 client secret you obtained in the Client ID and Client Secret procedure.
5. In the section labeled Step 1 - Select & authorize APIs, enter the required scopes in the text box at the bottom. To add more than one scope, use a comma (,) as a separator.

   | Scope | Purpose |
   | --- | --- |
   | | Group Provisioning |
   | | User Provisioning |
   | | Group Settings API |
   | https://www.googleapis.com/auth/admin.reports.audit.readonly | For Account and Group Delta Aggregation |
   | | For Data transfer before deletion of Account |
   | https://www.googleapis.com/auth/admin.directory.rolemanagement | For all roles management operations, including creating roles and role assignments |
   | https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly | For getting and listing roles, privileges, and role assignments |
   | | To Access GCP related data |
   | | To manage domain as Account type in GCP |

6. When prompted, log in to the account that you want to grant access to and authorize.

   Note
   If the following error message is displayed, select the back button and try selecting Authorize APIs again:
   redirect_uri_mismatch, it's possible the changes you made haven't yet propagated

7. Select Allow to continue. In the Step 2 - Exchange authorization code for tokens tab, the Authorization code is displayed.
8. Select Exchange authorization code for tokens.
9. The Refresh token and Access token fields are displayed. Copy the Refresh Token, together with the Client ID and Client Secret, into the configuration file for the client library.

Service Account

A service account is an account that belongs to the application rather than to a user. Create a service account for the project in the API console and delegate domain-wide access to it. Then, in the Admin console, add the required scopes for the service account's Client ID.

Create the service account and generate the private key

1. Log in to the Google Cloud Platform console as a user who has the required permissions to generate the private key and to manage Google Workspace/GCP data.
2. In the Google Cloud Platform console, go to Service Accounts.
3. Select an existing project or create a new one. For example, Project-Service Account.
4. Select CREATE SERVICE ACCOUNT and add a Name and Description for the service account.
5. Select DONE.
6. In the Filter table, select the email address of the newly created service account.
7. Expand MANAGE DOMAIN WIDE DELEGATION.
8. To generate the private key, go to the KEYS tab, select ADD KEY > Create new key, and then select JSON as the key type.
9. Select CREATE.
10. The private key is downloaded to the computer in JSON format.
11. Select CLOSE.

Delegate domain-wide authority to the service account

1. Sign in to your Google Admin console as a Super Admin user.
2. From the Admin console Home page, go to Menu > Security > API controls.
3. Select MANAGE DOMAIN WIDE DELEGATION.
4. Select Add new and enter your service account client ID.
   You can find the ID (also known as the Unique ID) in the JSON file that you downloaded when you created the service account, for example:
   "client_id":"102996919678308170059"
   or in the Google Cloud Console (go to IAM & Admin > Service accounts > your service account).
5. In OAuth Scopes, enter the required scopes. To add more than one scope, use a comma (,) as a separator.

   | Scope | Purpose |
   | --- | --- |
   | | Group Provisioning |
   | | User Provisioning |
   | | Group Settings API |
   | https://www.googleapis.com/auth/admin.reports.audit.readonly | For Account and Group Delta Aggregation |
   | | For Data transfer before deletion of Account |
   | https://www.googleapis.com/auth/admin.directory.rolemanagement | For all roles management operations, including creating roles and role assignments |
   | https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly | For getting and listing roles, privileges, and role assignments |
   | | For Gmail API - Provisioning |
   | | For Gmail API - To Access GCP related data |
   | https://www.googleapis.com/auth/gmail.settings.basic | For Gmail API - Aggregation |
   | | For Gmail API - To manage domain as account type in GCP |

6. Select Authorize.

   Note
   If you get an error, the client ID might not be registered with Google, or there might be duplicate or unsupported scopes.

7. Select the new Client ID, select View details, and make sure every scope is listed.
8. If a scope is not listed, select Edit, enter the missing scope, and select Authorize. You can't edit the client ID.
9. The app should be available for use within minutes, but it can take up to 24 hours.

Convert the private key

1. Open the JSON file (downloaded in the Create service account and generate private key procedure) for the service account and copy the private key value into a new file.
   The value is a single line in which the two characters \n stand for each line break, for example:
   -----BEGIN PRIVATE KEY-----\n<base64-encoded key body, with \n between its lines>\n-----END PRIVATE KEY-----\n
2. Replace every \n in the private key with an actual new line. In private key syntax, \n denotes a new line. This can be done in most text editors. For example, in Notepad++, perform a replace all where you replace \\n with \n.
   Example converted key:
   -----BEGIN PRIVATE KEY-----
   <base64-encoded key body, one line per former \n>
   -----END PRIVATE KEY-----
3. Save the converted private key in a new file.
4. Download the following version of OpenSSL and extract it: openssl-1.0.2q-x64_86-win64.zip.
5. Go to the bin folder of OpenSSL and run either of the following commands to convert the private key to RSA format:
   openssl rsa -aes-256-cbc -in "File Saved in above step" -out "output file name and path" -traditional
   For example:
   $ openssl rsa -aes-256-cbc -in ConvertedGSuitePK.txt -out rsa.pem -traditional
   openssl rsa -aes-128-cbc -in "File Saved in above step" -out "output file name and path" -traditional
   For example:
   $ openssl rsa -aes-128-cbc -in ConvertedGSuitePK.txt -out rsa.pem -traditional
6. Enter the PEM pass phrase.
7. Confirm the pass phrase.

Note
The RSA format private key generated above is used as the private key on the connector configuration page, with the pass phrase as the private key password.
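The JSON extraction and \n replacement from the steps above can also be done programmatically, which avoids hand-editing a private key in a text editor and catches a truncated copy before it reaches openssl. This is an added example, not code from the connector documentation or the connector itself; the service-account JSON, its key body and the client_id are constructed placeholders.

```python
import base64
import json
import re

PEM_HEADER = "-----BEGIN PRIVATE KEY-----"
PEM_FOOTER = "-----END PRIVATE KEY-----"

# Constructed sample of the downloaded service-account JSON. The key body is the
# base64 of dummy text (not a real key) and the client_id is a placeholder.
SAMPLE_BODY = base64.b64encode(b"constructed placeholder, not a real RSA key" * 3).decode()
SAMPLE_JSON = (
    '{"type": "service_account", "client_id": "000000000000000000000", '
    '"private_key": "' + PEM_HEADER + '\\n' + SAMPLE_BODY + '\\n' + PEM_FOOTER + '\\n"}'
)


def normalize_pem(raw):
    """Return a well-formed PEM block with real line breaks and 64-char body lines.

    Accepts the value as json.loads returns it (real newlines) or as copied out of
    the file as text, where backslash followed by n stands for a line break, which
    is the case the manual Notepad++ replacement in the steps above handles.
    """
    text = raw.replace("\\n", "\n")
    if PEM_HEADER not in text or PEM_FOOTER not in text:
        raise ValueError("not a PKCS#8 'PRIVATE KEY' PEM block")
    body = text.split(PEM_HEADER, 1)[1].split(PEM_FOOTER, 1)[0]
    body = re.sub(r"\s+", "", body)
    base64.b64decode(body, validate=True)  # rejects a truncated or mangled copy early
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def load_service_account(json_text):
    """Return (client_id, normalized PEM) from the service-account JSON text.

    client_id is the value entered under MANAGE DOMAIN WIDE DELEGATION; the PEM is
    what the steps above save to a file before running openssl rsa on it.
    """
    data = json.loads(json_text)
    return data["client_id"], normalize_pem(data["private_key"])


if __name__ == "__main__":
    client_id, pem = load_service_account(SAMPLE_JSON)
    print("client_id:", client_id)
    print(pem, end="")
    # Next step from the page, once pem is written to ConvertedGSuitePK.txt:
    # openssl rsa -aes-256-cbc -in ConvertedGSuitePK.txt -out rsa.pem -traditional
```

Run it against the real downloaded file by passing its contents to load_service_account; the returned PEM is the input for the openssl rsa command above.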

For more information about the above-listed prerequisites, refer to the following links:

- GCP Organization – https://cloud.google.com/resource-manager/docs/creating-managing-organization
- Admin SDK API – https://developers.google.com/admin-sdk/directory/v1/guides/prerequisites
- Groups Settings API – https://developers.google.com/admin-sdk/groups-settings/prerequisites
- Identity and Access Management (IAM) API – https://cloud.google.com/iam
- Cloud Resource Manager API – https://cloud.google.com/resource-manager
- Cloud Asset API – https://cloud.google.com/asset-inventory/docs/quickstart