Google Extended OAuth Service Account
  • 15 Jul 2022

Create a Service Account and Key

  1. If not already selected, select your current project. If you have not created a project yet, please refer to the Configure OAuth 2.0 G-Suite Adapter instructions.

  2. Click on the menu button at the top left of the page, select APIs & Services, and then select Credentials.

  3. Click CREATE CREDENTIALS and select Service Account.

  4. Give the service account a name and account ID. Descriptions are optional.
    [Image: Create Service Account 1.jpg]

  5. Click CREATE AND CONTINUE.

  6. Skip the Grant this service account access to project section.

  7. Skip the Grant users access to this service account section. By default, the user that creates the service account will be the only one with access to this service account.

  8. Click DONE.

  9. If not redirected, select the menu button in the top left of the page, select APIs & Services, and then select Credentials.

  10. Under Service Accounts, click the pencil icon next to the service account that was created above.

  11. Scroll to the Keys section, click ADD KEY, and then select Create new key.

  12. Select JSON in the popup window and click CREATE.
    [Image: Create Private Key.jpg]

  13. Save the JSON file and store it in a secure location; it contains the private key that authenticates as this service account.

Authorizing Service Account Key

  1. Log in to Google Admin Console as a User with the Super Admin role.
  2. Click on Security.
  3. Click on Access and Data Control > API Controls.
  4. Click on MANAGE DOMAIN WIDE DELEGATION.
  5. Click Add New.
  6. Open the JSON file that was downloaded when you created the Service Account Key. Copy the value of the client_id field (without the enclosing quotes) and paste it into the Client ID field in the browser.
  7. Enter the scopes you want to grant access to, separated by commas, in the OAuth scopes field and click Authorize.
    1. The scopes typically needed are: https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.datatransfer, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.orgunit, https://www.googleapis.com/auth/admin.directory.userschema. The full list of available scopes is at: https://developers.google.com/identity/protocols/googlescopes
  8. Additional scopes may be added later by repeating the previous two steps.

Creating a GOOGLE_EXTENDED OAuth2 Credential in Connect

  1. Navigate to Connect > OAuth2 Credentials.
  2. Select the project you want the credential associated with or select an asterisk (*) to create a credential that may be used by all projects.
  3. Click the Add OAuth2 Credential button.
  4. Give the OAuth2 Credential a NAME (must be unique) and select GOOGLE_EXTENDED for the PROVIDER.
  5. Open the JSON file you received when you created the Service Account Key and copy and paste the contents into the GOOGLE SERVICE ACCOUNT JSON field.
  6. Click Save.
    [Image: Google Account Extended JSON.jpg]

Creating a G-Suite Connection using GOOGLE_EXTENDED OAuth2 Credential

  1. Insert the defineGoogleExtendedOAuthConnection() action.
  2. Enter the domain.
  3. Select the desired credential in the CREDENTIALNAME dropdown menu.
  4. Enter the Google User ID of the account you wish to use in the impersonateUserId field. THIS IS REQUIRED.
  5. Enter an array of scopes to authorize for the connection. The set of scopes must be a subset of those that were authorized for use by the Service Account Key for the domain (typically you will use the same scopes as previously configured).
    [Image: MyScopes.png]
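How the pieces configured above fit together, as an added example that is not part of this article or of Connect itself: the assertion a client builds from the key file takes client_email as the issuer, token_uri as the audience, the impersonateUserId as the sub claim and the connection's scope list as the scope claim, and any scope that was not delegated in the Admin Console is rejected before anything is signed. The key file contents, the delegated scope set and the user address are constructed sample values; the RS256 signature over the returned signing input is left to the client library.

```python
import base64
import json
import time

# Scopes authorized for this client_id under MANAGE DOMAIN WIDE DELEGATION
# (a constructed subset of the typical list in the article).
DELEGATED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
}

# Constructed stand-in for the downloaded key file; a real one carries a PEM RSA key.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_id": "123456789012345678901",
    "client_email": "connect-sa@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})
REQUIRED_FIELDS = ("type", "client_id", "client_email", "private_key", "token_uri")

def b64url(data: bytes) -> str:  # base64url without padding, as JWTs require
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_delegation_jwt_input(key_json, impersonate_user_id, scopes, delegated_scopes, now=None):
    """Return (claims, signing_input) for a domain-wide delegation JWT; the
    'header.payload' string still has to be RS256-signed with private_key."""
    key = json.loads(key_json)
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing or key["type"] != "service_account":
        raise ValueError(f"not a usable service account key; missing fields: {missing}")
    if not impersonate_user_id:
        raise ValueError("impersonateUserId is required for domain-wide delegation")
    unauthorized = sorted(set(scopes) - set(delegated_scopes))
    if unauthorized:
        raise ValueError(f"scopes not delegated in the Admin Console: {unauthorized}")
    iat = int(now if now is not None else time.time())
    claims = {
        "iss": key["client_email"],   # the service account itself
        "sub": impersonate_user_id,   # the Workspace user being impersonated
        "scope": " ".join(scopes),    # space-separated here, comma-separated in the console
        "aud": key["token_uri"],
        "iat": iat,
        "exp": iat + 3600,            # Google rejects assertions valid for more than an hour
    }
    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return claims, signing_input
```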
