This page provides an overview of OAuth application integration in Google Cloud.
You can use OAuth application integration to integrate your OAuth-based applications with Google Cloud. Federated users can use their identity provider (IdP) to sign in to the applications and access their Google Cloud products and data. OAuth application integration is a feature of Workforce Identity Federation.
To use OAuth application integration, you must first create a workforce identity pool and provider. You can then register the OAuth-based application using OAuth 2.0. Applications must be registered in the organization where your workforce identity pool and provider are configured.
OAuth application registration
To configure an application to access Google Cloud, you register the application with Google Cloud by creating OAuth client credentials. The credential contains a client secret. The application uses the client ID and secret to obtain an access token, and then uses that access token to access Google Cloud products and data.
OAuth client and credential security risks and mitigations
You must secure access to the IAM APIs and to the client ID and secret. If the client ID and secret are leaked, security issues can result. These issues include the following:
- Impersonation: A malicious user with your client ID and secret can create an application that masquerades as your legitimate application. They can then do the following:
  - Gain unauthorized access to the user data and permissions that your application is entitled to.
  - Perform actions on the user's behalf, such as posting content, making API calls, or modifying user settings.
  - Perform phishing attacks, in which the malicious user creates a fake login page that resembles the OAuth provider's. The page tricks users into entering their credentials, which the malicious user can then use to access their accounts.
- Reputational damage: A security breach can harm the reputation of your application and organization, causing users to lose trust.
In the event of a breach, to mitigate these and other risks, assess the nature of the breach and do the following:
- Ensure that only trusted users have IAM access to the OAuth client and credential API.
- Rotate the client secret immediately by rotating the client credential, as follows:
  - Create a new client credential for the OAuth client.
  - Disable the old client credential.
  - Delete the old client credential.
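The rotation steps above as a script, added here as an example and not taken from the Google Cloud documentation. It assumes the `gcloud iam oauth-clients credentials` command group with the flags `--oauth-client`, `--project`, `--location`, `--display-name` and `--disabled`; the project, client and credential IDs are placeholders supplied on the command line.

```shell
#!/usr/bin/env sh
# Added example: rotate the credential of a Workforce Identity Federation
# OAuth client in the order the page gives: create a new credential,
# disable the old one, then delete the old one.
# Assumption (not from the page): the "gcloud iam oauth-clients credentials"
# command group and the flags --oauth-client, --project, --location,
# --display-name and --disabled.
set -eu

# rotate_oauth_client_credential PROJECT_ID OAUTH_CLIENT_ID OLD_CREDENTIAL_ID NEW_CREDENTIAL_ID
# Stops at the first failing step, so the old credential is never disabled
# or deleted unless the replacement was created successfully.
rotate_oauth_client_credential() {
  local project="$1" client="$2" old_cred="$3" new_cred="$4"
  local common="--oauth-client=$client --project=$project --location=global"

  # Step 1: create the replacement credential. Its client secret is returned
  # by this command and must reach the application before step 2 locks it out.
  gcloud iam oauth-clients credentials create "$new_cred" $common \
    --display-name="rotated-$(date -u +%Y%m%dT%H%M%SZ)"

  # Step 2: disable the leaked credential so it can no longer obtain tokens.
  gcloud iam oauth-clients credentials update "$old_cred" $common --disabled

  # Step 3: delete the disabled credential (--quiet skips the interactive prompt).
  gcloud iam oauth-clients credentials delete "$old_cred" $common --quiet
}

# Run only when invoked with the four IDs; sourcing the file just defines the function.
if [ "$#" -eq 4 ]; then
  rotate_oauth_client_credential "$@"
fi
```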
What's next
- Learn how to Manage OAuth applications.