Security → Client credentials for a Google APIs project
About a Google APIs project
A Google APIs project defines what type of services and applications you can access from Google applications and services. For example, a Google APIs project supports access to Google Sheets and Google Drive.
There are numerous Google APIs that allow third party applications such as Incorta to access files and folders in Google. To access the Google APIs, you must first create a Google APIs project using either a Google account or a G Suite account.
For your Google APIs project, you will need to create a client credential. A client credential is an OAuth 2.0 credential such as a client ID and a client secret. Only you and Google know these values. OAuth 2.0 is the industry-standard protocol for authorization flows for web applications, desktop applications, mobile phones, and living room devices.
Although it is possible to use a Google Account, you will need to create an External project that includes an OAuth consent screen. This requires an authorized top-level domain (mycompany.com) with a hosted website that includes an Application Homepage, Privacy Policy, and Terms of Service. Configuration also requires adding a scope for ./auth/drive.readonly
. As of 2020, Google classifies all Google Drive API scopes as Restricted Scopes for an external project. Google must approve an external project with OAuth consent with a restricted scope. Please review OAuth API verification FAQs for more information.
Create client credentials for a Google Drive and Google Sheets APIs project*
Incorta offers two Google connectors that require client credentials for a Google APIs project:
The Google Sheets connector requires access to Google Drive. For this reason, your Google APIs project needs to enable both the Google Drive API and Google Sheets API.
The Google APIs do not accept self-signed security certificates. You must use a valid certificate for a known public domain. You can generate a valid certificate for a public domain for free from Let’s Encrypt, Certbot and OpenSSL. For more details, please review Security → HTTPS for Apache Tomcat with OpenSSL.
Because Google makes regular changes to the Google Developer Console, the steps below are subject to revision, and serve only as a general guide.
Here are the steps to create client credentials for a Google APIs project:
- Sign in to the Developer Console for Google APIs.
- Create a New Project.
- In New Project, specify the Project name, Organization, and Location.
- Select Create.
- In Google APIs, in the header, select the new project in the Project dropdown list.
- Select + Enable APIs and Services.
- In the API Library, in G Suite, select Google Drive API.
- In Google Drive API, select Enable.
- Go back to the API Library, and in G Suite, select Google Sheets API.
- In Google Sheets API, select Enable.
- In Google APIs, in the side bar, select Credentials.
- In Credentials, select Create Credentials --> OAuth client ID.
- Select Configure Consent screen.
- Complete the Consent screen by defining the properties below:
Property | Description |
---|---|
Application type | Select Internal so that only users with a Google Account in your organization can grant access to the scopes requested by this app |
Application name | The name should accurately reflect your application and be consistent with the application name users see elsewhere. Be careful not to use a name that suggests your application is from Google or another company. |
Application logo | An image on the consent screen that will help users recognize your app |
Support email | This email address will be shown to users on the consent screen. You can use your email address or a Google Group email address that you manage. |
Scopes for Google APIs | Scopes allow your application to access your user's private data |
Authorized domains | To protect you and your users, Google only allows applications that authenticate using OAuth to use Authorized Domains. Your application's (or applications') links must be hosted on Authorized Domains. |
Application Homepage link | Shown on the consent screen. Must be hosted on an Authorized Domain. |
Application Privacy Policy link | Shown on the consent screen. Must be hosted on an Authorized Domain. |
Application Terms of Service link | Shown on the consent screen. Must be hosted on an Authorized Domain. |
- Make sure that this project is internal and select Save.
- Select Create Credentials.
- Select the OAuth client ID option.
- In Application type, select Web application.
- In Name, enter the name of the OAuth 2.0 client.
- Under Authorized redirect URIs, select the + Add URI button.
- In Authorized JavaScript origins, in URIs, enter the following:
https://<INCORTA_ANALYTICS_HOST>:<INCORTA_HTTPS_PORT_DEFAULT_IS_8443>
- Select + Add URI.
- In Authorized redirect URIs, in URIs, enter the following:
https://<INCORTA_ANALYTICS_HOST>:<INCORTA_HTTPS_PORT_DEFAULT_IS_8443>/incorta/service/datasource/oauthRedirect
- Select + Add URI.
- Select Create
- In the OAuth client created dialog, copy Your Client ID and Your Client Secret.
- Select OK.
Examples of a Client Id and Client Secret
Example of Client ID:
156944882797-q0d9i1vsrvhkx1gbrlbegn4899neh7gh.apps.googleusercontent.com
Example of Client Secret:
qLUqMIoJAlnBKE9oKIcSEgRxTH2104C
Additional Considerations for Incorta Cloud
If you are using Incorta Cloud and are not using your organization’s domain, complete the Consent screen by defining the properties below:
Property | Description |
---|---|
Application Homepage link | https://cloud.incorta.com/api/gdrive |
Application Privacy Policy link | https://cloud.incorta.com/api/gdrive |
Application Terms of Service link | https://cloud.incorta.com/api/gdrive |