Creating a Google Extended OAuth2 Service Account in RapidIdentity
  • 27 Sep 2022
  • 2 Minutes to read
  • Contributors
  • Dark
    Light

Creating a Google Extended OAuth2 Service Account in RapidIdentity

  • Dark
    Light

Create a Service Account and Key

  1. Select a created project on your instance of console.cloud.google.com.

  2. Click on the menu button at the top left of the page, select APIs and Services, and select Credentials.

  3. Click Create Credentials and select Service account.

  4. Give the service account a name and an account ID. Descriptions are optional.
    4a.jpg

  5. Click Create and Continue.

  6. Skip the Grant this service account access to project section.

  7. Skip the Grant users access to this service account section. By default, the user that creates the service account will be the only one who has access to this service account.

  8. Click Done.

  9. If not redirected, select the menu button in the top left of the page, select APIs & Services, and then select Credentials.

  10. Under Service Accounts, click the pencil icon next to the service account that was created above.

  11. Scroll to the Keys section and click Add Key, then select Create New Key.

  12. Select JSON in the popup window, and click Create.
    12a.jpg

  13. Save the JSON file and store it in a secure area.

Authorizing the Service Account Key

  1. Log in to Google Admin Console as a User with the Super Admin role.
  2. Click Security.
  3. Click Access and navigate to Data Control > API controls.
  4. Click Manage Domain Wide Delegation.
  5. Click Add New.
  6. Open the JSON file that was downloaded when you created the Service Account Key. Copy the value of the client_id field (without the quotes) and paste into the Client ID field in the browser.
  7. Enter the scopes you want to grant access to, separated by commas, in the OAuth scopes field and click Authorize. The typical scopes you will need will be:
    a. https://www.googleapis.com/auth/admin.directory.user.readonly
    b. https://www.googleapis.com/auth/admin.directory.user
    c. https://www.googleapis.com/auth/admin.directory.orgunit
    d. https://www.googleapis.com/auth/admin.directory.userschema
    e. A list of available scopes is available at https://developers.google.com/identity/protocols/googlescopes.
  8. Additional scopes may be added later by repeating the previous two steps.

Creating a Google_Extended OAuth2 Credential in Connect

  1. Navigate to RapidIdentity Connect > OAuth2 Credentials.
  2. Select the project you want the credential associated with or select * to create a credential that may be used by all projects.
  3. Click Add OAuth2 Credential.
  4. Give the OAuth2 Credential a name (must be unique) and select Google_Extended for the Provider.
  5. Open the JSON file you received when you created the service Account Key and copy and paste the contents into the Google Service Account JSON field.
  6. Click Save.
    6a.jpg

Creating a G-Suite Connection using Google_Extended OAuth2 Credentials

  1. Insert the deefineGoogleExtendedOAuthConnection() action.
  2. Enter the domain.
  3. Select the desired credential in the CREDENTIALNAME dropdown menu.
  4. Enter the Google User ID of the account you wish to use in the impersonateUserId field. Note: This is Required.
  5. Enter an array of scopes to authorize for the connection. The set of scopes must be a subset of those that were authorized for use by the Service Account Key for the domain (typically, you will use the same scopes as previously configured).
    5a.jpg

Was this article helpful?