Generating OAuth 2.0 Credentials
The following procedures outline how to generate the necessary OAuth 2.0 credentials:
Client Credentials
This section describes the procedures for generating the Client ID, Client Secret, and Refresh Token.
Note
When generating the credentials (client and service account), complete the procedures using a Google Workspace user who has permission to generate refresh tokens and has the required Roles/IAM Roles to manage Google Workspace and GCP data, as listed in the Prerequisites, Required Roles for Google Workspace and GCP Management section.
- Go to the Google Cloud Platform > APIs & Services > Credentials.
- From the project dropdown list, select an existing project or create a new one.
- On the Credentials page, select Create Credentials > OAuth Client ID.
- If prompted with a Consent page, select the application type as Internal, enter the application name and save it.
- Under Application type, select Web application.
- Enter an Application Name.
- Under Authorized redirect URLs, add the following:
https://developers.google.com/oauthplayground
- Select Create.
Note the Client ID and Client Secret displayed, as these are required for generating the refresh token.
Note
Before proceeding, ensure you have generated the Client ID and Client Secret.
- Go to the OAuth2 Playground.
- Select the gear icon in the upper right corner and select the Use your own OAuth credentials checkbox (if it is not already selected).
- Confirm that OAuth Flow is set to Server-side and Access type is set to Offline. This ensures that you get a refresh token and an access token.
- Enter the OAuth2 client ID and OAuth2 client secret you obtained in the Generate Client ID and Client Secret step.
- In the section labeled Step 1 - Select & authorize APIs, enter the required scopes in the text box at the bottom. Use a comma (,) as a separator to add more than one scope.
Scope | Purpose
| User Provisioning
| Group Settings API
https://www.googleapis.com/auth/admin.directory.rolemanagement | For all roles management operations, including creating roles and role assignments
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly | For getting and listing roles, privileges, and role assignments
| To Access GCP related data
| To manage domain as Account type in GCP
- Upon prompt, log in to the account that you want to grant access to and authorize. Select Allow to continue.
Note
If you see the following error, select the Back button to return to the previous configuration step and try selecting Authorize APIs again:
redirect_uri_mismatch, it's possible the changes you made haven't yet propagated
- In the Step 2 - Exchange authorization code for tokens tab, the Authorization code is displayed.
- Select Exchange authorization code for tokens.
- The Refresh token and Access token fields are displayed. Copy the Refresh Token into the configuration file for the client library along with the Client ID and Client Secret.
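The refresh token copied in the last step is what the client library later trades for short-lived access tokens, which is why Access type had to be Offline. The following is an added example in Go, not code from this page or from Google's client libraries, of that refresh_token grant against Google's token endpoint; the environment variable names are this example's own convention.

```go
// Added example, not from the original page: using the Playground refresh token to obtain access tokens.
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// GoogleTokenURL is Google's OAuth 2.0 token endpoint.
const GoogleTokenURL = "https://oauth2.googleapis.com/token"

// TokenResponse holds what the token endpoint returns for a refresh_token grant. No new
// refresh token comes back: the one copied from the Playground stays valid until revoked.
type TokenResponse struct {
	AccessToken      string `json:"access_token"`
	ExpiresIn        int    `json:"expires_in"`
	TokenType        string `json:"token_type"`
	Scope            string `json:"scope"`
	Error            string `json:"error"` // set instead of the fields above on failure
	ErrorDescription string `json:"error_description"`
}

// BuildRefreshRequest assembles the form body of the refresh_token grant (RFC 6749, section 6)
// from the three values the procedure above produced.
func BuildRefreshRequest(clientID, clientSecret, refreshToken string) url.Values {
	return url.Values{
		"grant_type":    {"refresh_token"},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
		"refresh_token": {refreshToken},
	}
}

// ParseTokenResponse decodes the JSON reply and turns an OAuth error object (for example
// invalid_grant after the refresh token was revoked) into a Go error.
func ParseTokenResponse(body []byte) (TokenResponse, error) {
	var tr TokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return TokenResponse{}, fmt.Errorf("token response is not JSON: %w", err)
	}
	if tr.Error != "" {
		return TokenResponse{}, fmt.Errorf("token endpoint returned %q: %s", tr.Error, tr.ErrorDescription)
	}
	if tr.AccessToken == "" {
		return TokenResponse{}, errors.New("token response carries no access_token")
	}
	return tr, nil
}

// RefreshAccessToken performs the exchange over HTTPS and returns the short-lived access token.
func RefreshAccessToken(ctx context.Context, clientID, clientSecret, refreshToken string) (TokenResponse, error) {
	body := strings.NewReader(BuildRefreshRequest(clientID, clientSecret, refreshToken).Encode())
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, GoogleTokenURL, body)
	if err != nil {
		return TokenResponse{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return TokenResponse{}, err
	}
	defer resp.Body.Close()
	reply, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return TokenResponse{}, err
	}
	return ParseTokenResponse(reply)
}

// main reads the three credentials from environment variables (names are this example's own
// convention) and reports how long the access token is valid for.
func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
	defer cancel()
	tr, err := RefreshAccessToken(ctx, os.Getenv("GOOGLE_CLIENT_ID"),
		os.Getenv("GOOGLE_CLIENT_SECRET"), os.Getenv("GOOGLE_REFRESH_TOKEN"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "refresh failed:", err)
		os.Exit(1)
	}
	fmt.Printf("%s access token valid for %d seconds, granted scopes: %s\n", tr.TokenType, tr.ExpiresIn, tr.Scope)
}
```

The access token expires after expires_in seconds and is requested again with the same refresh token; a refresh token that has been revoked or whose client secret no longer matches comes back as an invalid_grant error object, which ParseTokenResponse surfaces as an error rather than an empty token.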
Service Account
A Service Account is an account that belongs to the application rather than to an individual user. Create a service account for the project in the API Console and delegate domain-wide access to it. Then add the required scopes in the Admin console against the service account's Client ID.
- Sign in to Google Cloud Platform Console using a user who has the required permissions to generate the private key and to manage Google Workspace/GCP data.
- In the Google Cloud Platform console, go to Service Accounts.
- Select an existing project or create a new one. For example, Project-Service Account.
- Select CREATE SERVICE ACCOUNT and add a Name and Description for the service account.
- Select DONE.
- In the Filter table, select the email address of the newly created service account.
- To generate the private key, go to the KEYS tab, select ADD KEY > Create new key, and then select the key type as JSON.
- Select CREATE.
- The private key is downloaded to the computer in JSON format.
- Select CLOSE.
- Sign in to your Google Admin Console as a Super Admin User.
- From the Admin console Home page, go to Menu > Security > API controls.
- Select MANAGE DOMAIN WIDE DELEGATION.
- Select Add new and enter your service account client ID.
You can find the ID (also known as the Unique ID) in the JSON file that you downloaded when you created the service account (for example, "client_id":"102996919678308170059") or in the Google Cloud Console (go to IAM & Admin > Service accounts > your service account).
- In OAuth Scopes, enter the scopes as required. Use a comma (,) as a separator to add more than one scope.
Scope | Purpose
https://www.googleapis.com/auth/admin.directory.group | Group Provisioning
https://www.googleapis.com/auth/admin.directory.user | User Provisioning
https://www.googleapis.com/auth/apps.groups.settings | Group Settings API
https://www.googleapis.com/auth/admin.directory.rolemanagement | For all roles management operations, including creating roles and role assignments
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly | For getting and listing roles, privileges, and role assignments
https://www.googleapis.com/auth/gmail.settings.sharing | For Gmail API - Provisioning
https://www.googleapis.com/auth/cloud-platform | For Gmail API - To Access GCP related data
https://www.googleapis.com/auth/iam | For Gmail API - To Access GCP related data
https://www.googleapis.com/auth/gmail.settings.basic | For Gmail API - Aggregation
https://mail.google.com/ | For Gmail API - Aggregation
https://www.googleapis.com/auth/gmail.modify | For Gmail API - Aggregation
https://www.googleapis.com/auth/gmail.readonly | For Gmail API - Aggregation
https://www.googleapis.com/auth/admin.directory.domain | For Gmail API - To manage domain as account type in GCP
- Select Authorize.
Note
If you get an error, the client ID might not be registered with Google or there might be duplicate or unsupported scopes.
- Select the new Client ID, select View details, and make sure every scope is listed.
- If a scope is not listed, select Edit, enter the missing scope, and select Authorize. You can't edit the client ID.
- The app should be available for use within minutes, but can take up to 24 hours.
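Once the client ID and scopes are authorized, a client uses the downloaded JSON key like this: it signs a JWT with the private key naming the service account (iss), the Workspace admin it acts as (sub) and the scopes it wants, and exchanges that JWT at Google's token endpoint with the JWT-bearer grant. The following is an added example in Go, not code from this page, the connector or Google's libraries. The JSON field names are those of the downloaded key file; the environment variable names and the single scope requested in main are this example's own choices.

```go
package main // added example, not from the original page: domain-wide delegation with the JSON key

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"log"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

const GoogleTokenURL = "https://oauth2.googleapis.com/token"

// LoadKey takes the bytes of the downloaded JSON key file and returns client_email and the
// PKCS#8 private key; encoding/json already turns the "\n" escapes into real newlines.
func LoadKey(raw []byte) (string, *rsa.PrivateKey, error) {
	var sa struct {
		ClientEmail string `json:"client_email"`
		PrivateKey  string `json:"private_key"`
	}
	if err := json.Unmarshal(raw, &sa); err != nil {
		return "", nil, err
	}
	block, _ := pem.Decode([]byte(sa.PrivateKey))
	if block == nil {
		return "", nil, fmt.Errorf("no PEM block found in private_key")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return "", nil, err
	}
	if rsaKey, ok := key.(*rsa.PrivateKey); ok {
		return sa.ClientEmail, rsaKey, nil
	}
	return "", nil, fmt.Errorf("service account key is not RSA")
}

// BuildDelegationAssertion signs the RS256 JWT for the JWT-bearer grant: iss is the service account
// email, sub the Workspace user it acts as, scopes a subset of those authorized for the client ID.
func BuildDelegationAssertion(key *rsa.PrivateKey, iss, sub string, scopes []string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{
		"iss": iss, "sub": sub, "aud": GoogleTokenURL, "scope": strings.Join(scopes, " "),
		"iat": now.Unix(), "exp": now.Add(time.Hour).Unix(), // one hour is the maximum Google accepts
	})
	signingInput := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// ExchangeAssertion posts the JWT to tokenURL; an "unauthorized_client" reply usually means the
// client ID or a requested scope is not (yet) listed under domain-wide delegation.
func ExchangeAssertion(tokenURL, assertion string) (string, error) {
	form := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {assertion}}
	resp, err := http.PostForm(tokenURL, form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var tr map[string]any
	_ = json.NewDecoder(resp.Body).Decode(&tr) // a non-JSON body simply leaves tr empty
	if tok, _ := tr["access_token"].(string); tok != "" {
		return tok, nil
	}
	return "", fmt.Errorf("token exchange failed (HTTP %d): %v %v", resp.StatusCode, tr["error"], tr["error_description"])
}

func fatalIf(err error) {
	if err != nil {
		log.Fatal(err)
	}
}

// main reads GOOGLE_SA_KEY_FILE and GOOGLE_ADMIN_USER (env var names are this example's own).
func main() {
	raw, err := os.ReadFile(os.Getenv("GOOGLE_SA_KEY_FILE"))
	fatalIf(err)
	email, key, err := LoadKey(raw)
	fatalIf(err)
	jwt, err := BuildDelegationAssertion(key, email, os.Getenv("GOOGLE_ADMIN_USER"),
		[]string{"https://www.googleapis.com/auth/admin.directory.user"}, time.Now())
	fatalIf(err)
	token, err := ExchangeAssertion(GoogleTokenURL, jwt)
	fatalIf(err)
	fmt.Printf("%s obtained a %d-byte access token acting as %s\n", email, len(token), os.Getenv("GOOGLE_ADMIN_USER"))
}
```

The token obtained this way carries only the scopes named in the JWT, not everything authorized for the client ID, so each call requests just what the operation needs. An unauthorized_client reply immediately after adding scopes usually means the propagation delay mentioned in the last step (up to 24 hours) has not completed yet, whereas invalid_grant points at the sub, iat or exp claims.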
- Open the JSON file (downloaded in the Create Service Account and generate private key procedure) for the service account and copy the private key value into a new file.
For example,
-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDVAm/9T1/yBO2Z\nCCUn9xJbaoFloMUQcQyc7Xd2snXeKSWXGNMmHFPOMTXT4KNCMsxfGPXeHixYcgpu\nPGok/bqJjY9rWncYh8/UUy3gox4fr+J21rj4qCZ5gvOItF7oVKfjk/E4SQrSRvAp\nAc08W3u8vjNAmFoTBeUyEoKuHqCp48N5Gg3pM6htLXMrf2+q+wcv8IwtWAhopoG3\n8XpjAh4+/bff/gkfFoDdIFYwo3IJ5qlU9xawmbZzy3R+8eZTM2WFAkG75lWfX7id\nj87J32EiSe9etCyER9EtaKbxIKC/bww/JKcz3nIWweyXOAX4/tMDs8ThcsztBTa/\npseo4PI1AgMBAAECggEAEsdo+55OkV3lW4c4DV6vH9+TIlRK41DwIXqe/Fgt44Th\no0FFRjgbnFNC0Vfd1MV5No4TCP7EfpSpPkA1xGaZFizkfrymQMOiay/dHM+MpZMC\nRmNWQdfDMpW8pinurxFdjsb5bnKkEVc/L4JQ53gSP9jN2G1GDaTIqMIwgqzBEdER\nHpgrRv1l+MUrJRpyMyh5ZYApihEmFX4XDR2IYa3ZSMkBT4L6MdIcPURBrvVYdV+I\nXGvGWDhPvz/KcjfY7JD8JqVLqSIwgU851gewJJXKpekUS47aYo9Re91+0DB91ZnU\nWhmDmgorVCz90PM7WpKcW/0XkI45yPLWP3elBwsFKQKBgQD7XqKKGf0PChMNlWYV\n1SKEwiFzLipAHzEOJvhXD6v6vskbwqr/xS5j5SvWqpydow9pd2ExCcxmNtlwmpPX\nDXyRu8dmnaXUYCeYBFWheQ+NzlKd2N6wqE5aXrHdwW9xZRcHbyY+dKOv+gFAOQX+\nkakI4bvOcOernhnI6Fnhd94mCQKBgQDY7ukU6/6bVEahhdssakT+trcMOdhiHiPe\nGHaKYy1r3FpmdPmMLeJlECAOFfWqAB0DUiR9hGPXBSB2oIIICCQraQSFV1lu2R+k\nCaV7rFUrvx1b1yeOQDv34/MR6NdjbsjfhPmxSahWaBsvAyx88GRhh0ULgzesEqqk\nZ19PMV/VzQKBgQDrjkU2sR/pRgGQyx28+9u7GMiLzQkeyZwIrRAvVapN8Rc4gnYH\n9NmCFzG7mmnldvZsWMilUY9PgbrFwLUl46eGUbeMO9M4b1rrI7Sy+mVO97eH38Df\nPvkdyntXWXt7gcXQ26G1CUyTDe66JjWt1wXWIuMBk+AlfKShFsuTc+ajMQKBgFNB\nXbLp3409it3ywWsKXfBjr1zB1onRh3J1cQkrhwMeTpOD0UI7WefviF3fj6ju4jOk\nEt0ZMjgTf6IHd+AdP8RpSZLjMy+XpM0P5rLQMN/ZOStGJ6gwftNkaKU293Lx0aX3\nIt0np7OBwO0KCsjoeZ30jEse0P75KwRtp+Z8zIsBAoGAN47TexfJtaEK+ZQBoIn0\nh0mqV1si1QkPfMHSDvriKQ5d5tG8kF0vPVKAQV5kgytBeI+3bEO1iZC8i2FJzL7x\neN8ifRCcNXDRXjRdR0oPVIHImQ0XXwTB6JQmzVIFLWgxddDhZKpCQlA8GSRsbqEe\njtbTjDN0f5sX9llpKxd9xXw=\n-----END PRIVATE KEY-----\n
- Replace all \n in the private key with an actual new line. In the private key syntax, \n denotes a new line. This can be done in most text editors.
For example, in Notepad++, perform a replace all where you replace \\n with \n.
Example converted key:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDVAm/9T1/yBO2Z
CCUn9xJbaoFloMUQcQyc7Xd2snXeKSWXGNMmHFPOMTXT4KNCMsxfGPXeHixYcgpu
PGok/bqJjY9rWncYh8/UUy3gox4fr+J21rj4qCZ5gvOItF7oVKfjk/E4SQrSRvAp
Ac08W3u8vjNAmFoTBeUyEoKuHqCp48N5Gg3pM6htLXMrf2+q+wcv8IwtWAhopoG3
8XpjAh4+/bff/gkfFoDdIFYwo3IJ5qlU9xawmbZzy3R+8eZTM2WFAkG75lWfX7id
j87J32EiSe9etCyER9EtaKbxIKC/bww/JKcz3nIWweyXOAX4/tMDs8ThcsztBTa/
pseo4PI1AgMBAAECggEAEsdo+55OkV3lW4c4DV6vH9+TIlRK41DwIXqe/Fgt44Th
o0FFRjgbnFNC0Vfd1MV5No4TCP7EfpSpPkA1xGaZFizkfrymQMOiay/dHM+MpZMC
RmNWQdfDMpW8pinurxFdjsb5bnKkEVc/L4JQ53gSP9jN2G1GDaTIqMIwgqzBEdER
HpgrRv1l+MUrJRpyMyh5ZYApihEmFX4XDR2IYa3ZSMkBT4L6MdIcPURBrvVYdV+I
XGvGWDhPvz/KcjfY7JD8JqVLqSIwgU851gewJJXKpekUS47aYo9Re91+0DB91ZnU
WhmDmgorVCz90PM7WpKcW/0XkI45yPLWP3elBwsFKQKBgQD7XqKKGf0PChMNlWYV
1SKEwiFzLipAHzEOJvhXD6v6vskbwqr/xS5j5SvWqpydow9pd2ExCcxmNtlwmpPX
DXyRu8dmnaXUYCeYBFWheQ+NzlKd2N6wqE5aXrHdwW9xZRcHbyY+dKOv+gFAOQX+
kakI4bvOcOernhnI6Fnhd94mCQKBgQDY7ukU6/6bVEahhdssakT+trcMOdhiHiPe
GHaKYy1r3FpmdPmMLeJlECAOFfWqAB0DUiR9hGPXBSB2oIIICCQraQSFV1lu2R+k
CaV7rFUrvx1b1yeOQDv34/MR6NdjbsjfhPmxSahWaBsvAyx88GRhh0ULgzesEqqk
Z19PMV/VzQKBgQDrjkU2sR/pRgGQyx28+9u7GMiLzQkeyZwIrRAvVapN8Rc4gnYH
9NmCFzG7mmnldvZsWMilUY9PgbrFwLUl46eGUbeMO9M4b1rrI7Sy+mVO97eH38Df
PvkdyntXWXt7gcXQ26G1CUyTDe66JjWt1wXWIuMBk+AlfKShFsuTc+ajMQKBgFNB
XbLp3409it3ywWsKXfBjr1zB1onRh3J1cQkrhwMeTpOD0UI7WefviF3fj6ju4jOk
Et0ZMjgTf6IHd+AdP8RpSZLjMy+XpM0P5rLQMN/ZOStGJ6gwftNkaKU293Lx0aX3
It0np7OBwO0KCsjoeZ30jEse0P75KwRtp+Z8zIsBAoGAN47TexfJtaEK+ZQBoIn0
h0mqV1si1QkPfMHSDvriKQ5d5tG8kF0vPVKAQV5kgytBeI+3bEO1iZC8i2FJzL7x
eN8ifRCcNXDRXjRdR0oPVIHImQ0XXwTB6JQmzVIFLWgxddDhZKpCQlA8GSRsbqEe
jtbTjDN0f5sX9llpKxd9xXw=
-----END PRIVATE KEY-----
- Save the converted private key in a new file.
- Download and extract the latest version of OpenSSL.
- Go to the bin folder of OpenSSL, and run either of the following commands to convert the private key to RSA format:
openssl rsa -aes-256-cbc -in "File Saved in above step" -out "output file name and path" -traditional
For example,
$ openssl rsa -aes-256-cbc -in ConvertedGSuitePK.txt -out rsa.pem -traditional
OR
openssl rsa -aes-128-cbc -in "File Saved in above step" -out "output file name and path" -traditional
For example,
$ openssl rsa -aes-128-cbc -in ConvertedGSuitePK.txt -out rsa.pem -traditional
- Enter the PEM pass phrase.
- Confirm the pass phrase.
Note
The RSA format private key generated above is used as the private key on the connector configuration page, along with the pass phrase as the private key password.