GGL – All Quickstarts | How To’s

Create Web application credentials (client-side JavaScript)

If you’re creating Web application credentials for a client-side JavaScript app, follow these steps :

1. Specify authorized JavaScript origins. Under Authorized JavaScript origins, click Add URI and type a URI in the URIs field for use with requests from a browser. The origins identify the domains from which your application can send API requests to the OAuth 2.0 server.
2. Click Create. The OAuth client created screen appears. This screen shows the Client ID and Client secret.
3. Note the Client ID. Client secrets aren’t used for Web applications.
4. Click OK. The newly created credential appears under “OAuth 2.0 Client IDs.”
5. (Optional). If you’re creating credentials as a prerequisite for a JavaScript quickstart, you must also generate an API key. To generate an API key:
   1. Click the Create Credentials drop-down list and select API Key. The “API Key created” page appears.
   2. Note the API key.
   3. Click Close. The newly created credential appears under “API Keys.”

Create Web application credentials (web server app)

If you’re creating Web application credentials for a web server app, follow these steps :

1. For web server applications using languages and frameworks like PHP, Java, Python, Ruby, and .NET, specify authorized redirect URIs:
   1. Under Authorized redirect URIs, click Add URI.
   2. Type a URI in the URIs field. The redirect URIs are the endpoints to which the OAuth 2.0 server can send responses.
2. Click Create. The OAuth client created screen appears. This screen shows the Client ID and Client secret.
3. Click the download button to the right of the newly-created OAuth 2.0 Client ID. This copies a client secret JSON file to your desktop. Note the location of this file.

Create Desktop application credentials

If you’re creating Desktop application credentials:

1. Click Create. The OAuth client created screen appears. This screen shows the Client ID and Client secret.
2. Click OK. The newly created credential appears under “OAuth 2.0 Client IDs.”
3. Click the download button to the right of the newly-created OAuth 2.0 Client ID. This copies a client secret JSON file to your desktop. Note the location of this file.
4. (Optional) If you are creating credentials for a quickstart, rename the client secret JSON file to “credentials.json”.

Create Chrome application credentials

If you’re creating Chrome application credentials:

1. In the Application ID field, enter the last part of your app’s Chrome Web Store URL.
2. Click Create. The OAuth client created screen appears. This screen shows the Client ID and client secret.
3. Click OK. The newly created credential appears under “OAuth 2.0 Client IDs.”

Create Android application credentials

If you’re creating Android application credentials:

1. In the package name field, enter the package name from your AndroidManifest.xml file.
2. In the SHA-1 certificate fingerprint field, enter the SHA-1 certificate fingerprint.
3. Click Create. The OAuth client created screen appears. This screen shows the Client ID.
4. Click OK. The newly created credential appears under “OAuth 2.0 Client IDs.”

Create iOS application credentials

If you’re creating iOS application credentials:

1. In the Bundle ID field, enter the bundle identifier as listed in the app’s Info.plist file.
2. If your app appears in the Apple app store, enter the App Store ID.
3. In the Team ID field, enter your Team ID.
4. Click Create. The OAuth client created screen appears. This screen shows the Client ID.
5. Click OK. The newly created credential appears under “OAuth 2.0 Client IDs.”

Create TVs and limited input device credentials

If you’re creating Chrome application credentials:

1. Click Create. The OAuth client created screen appears. This screen shows the Client ID and client secret.
2. Click OK. The newly created credential appears under “OAuth 2.0 Client IDs.”

Create Universal Windows Platform (UWP) credentials

If you’re Universal Windows Platform (UWP) creating Universal Windows Platform (UWP) credentials:

1. In the Store ID field, enter the last part of your app’s Microsoft Store URL.
2. Click Create. The OAuth client created screen appears. This screen shows the Client ID and client secret.
3. Click OK. The newly created credential appears under “OAuth 2.0 Client IDs.”

Create a service account with domain-wide delegation of authority

Creating a service account with domain-wide delegation of authority is a four-step process:

1. Create the service account.
2. Obtain service account credentials.
3. Enable domain-wide delegation for the service account.
4. Grant access to user data to the service account.

Create a service account:

1. Open the Google Cloud Console.
2. Next to Google Cloud Platform, click the Down arrow arrow_drop_down and select a project.
3. At the top-left corner, click Menu menu.
4. Click IAM & Admin > Service Accounts. The Service account page appears.
5. Click Create service account. The “Create service account page appears with the “Service account details section open.”
6. Fill in the service account details. By default, Google creates a unique service account ID. If you would like to change the ID, modify the ID in the service account ID field.
7. Click Create. The “Grant service account access to project” section appears. This section is used to grant your service account role(s) to perform tasks on resources held within your Google Cloud Console project, such as creating other service accounts.
8. (Optional) Identify roles for your service account. For further information, refer to Granting, changing, and revoking access to resources.
9. Click Continue. The “Grant users access to this service account” section appears. This section is used identify users or groups that can be impersonated by this user account.
10. (Optional) Identify users, groups, and admins who can have access to this service account. For further information, refer to Managing service account impersonation.
11. Click Done. Your list of service accounts appears.

Obtain service account credentials

You must obtain credentials in the form of a public/private key pair. These credentials are used by your code to authorize service account actions within your app. To obtain credentials for your service account:

1. Click on your newly-create service account.
2. Click Keys.
3. Click Add key > Create new key. The “Create private key” dialog appears.
4. Select JSON.
5. Click Create. Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of this key. For information on how to store your key securely, see Managing service account keys.
6. Click Close. The list of keys appears.

Enable domain-wide delegation for a service account

1. Click Details. The service account details appear.
2. Click Show domain-wide delegation.
3. Check Enable Google Workspace domain-wide delegation.
4. Note the client ID. The client ID is used in the next section.

Grant access to user data to a service account

To access user data on a Google Workspace domain, the service account that you created needs to be granted access to user data through an API. This process must be performed by a super administrator for the domain. To grant your service account access to user data:

1. Open the Admin Console.
2. Click Main menu menu> Security > API controls
3. Scroll down and click Manage Domain Wide Delegation.
4. Click Add new. The “Add a new client ID” dialog box appears.
5. In the “Client ID” field, enter the client ID obtained from the service account creation steps above.
6. In the “OAuth Scopes” field, enter a comma-delimited list of the scopes required by your application. This is the same set of scopes you defined when configuring the OAuth consent screen.
7. Click Authorize.

Your service account now has domain-wide access to your enabled Workspace API(s) for all the users of your domain.