This page describes how to create an OAuth client when using the customized OAuth configuration to enable IAP with Google identities.
Create an OAuth client
You can create a maximum of 36 OAuth clients for each project with the Google Cloud console. You can create a maximum of 500 OAuth clients for each project with the Google Cloud CLI.
Console
Complete the following steps to create an OAuth client by using the Google Cloud console.
Configure the OAuth consent screen by following the instructions in Setting up your OAuth consent screen.
Create an OAuth client by following the instructions in Setting up OAuth 2.0.
gcloud
Known limitations
Following are limitations for OAuth clients created programmatically using the API:
- OAuth clients created by the API can only be modified by using the API. You cannot modify an OAuth client using the Google Cloud console if it was created by using the API.
- The OAuth clients created by the API are locked for IAP usage only, and therefore the API does not allow any updates to the redirect URI or other attributes.
- The API does not operate on the OAuth clients that were created using the Google Cloud console.
- Only 500 OAuth clients are allowed per project when using the API.
- API-created OAuth consent screen brands have specific limitations. See the section for more information.
Understanding brands and branding state
The OAuth consent screen, which contains branding information for users, is known as a brand. Brands can be limited to internal users or public users. An internal brand makes the OAuth flow accessible to someone who belongs to the same Google Workspace organization as the project. A public brand makes the OAuth flow available to anyone on the internet.
Brands can be created manually or programmatically by using an API. Brands created using an API are automatically configured with the following settings:
Internal. You must manually set to public.
Unreviewed. You must trigger a brand review.
To set an internal brand to public:
- Open the OAuth consent screen.
- Select a project from the drop-down menu.
- On the OAuth consent screen page, note that the User Type is automatically set to Internal. To set it to Public, click Edit App. More configuration options become available.
- Under Application type, click Public.
To trigger a brand review for an unreviewed API-created brand:
- Open the OAuth consent screen.
- Select your desired project from the drop-down menu.
- On the OAuth consent screen page, enter any required information, and then click Submit for verification.
The verification process may take up to several weeks, and you will receive email updates as it progresses. Learn more about verification. While the verification process is ongoing, you can still use the application within your Google Workspace organization. Learn more about how your application will behave before it's verified.
Required permissions
Before creating the client, ensure that the caller has been granted the following permissions:
clientauthconfig.brands.list
clientauthconfig.brands.create
clientauthconfig.brands.get
clientauthconfig.clients.create
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.delete
clientauthconfig.clients.update
These permissions are included in the Editor (roles/editor
) and Owner
(roles/owner
) basic roles,
however we recommend that you create a
custom role that contains these
permissions and grant it to the caller instead.
Set up OAuth for IAP
The following steps describe how to configure the consent screen and create and oauth client for IAP.
Configuring consent screen
Check if you already have an existing brand by using the list command. You may only have one brand per project.
gcloud iap oauth-brands list
The following is an example gcloud response, if the brand exists:
name: projects/[PROJECT_NUMBER]/brands/[BRAND_ID] applicationTitle: [APPLICATION_TITLE] supportEmail: [SUPPORT_EMAIL] orgInternalOnly: true
If no brand exists, use the create command:
gcloud iap oauth-brands create --application_title=APPLICATION_TITLE --support_email=SUPPORT_EMAIL
The above fields are required when calling this API:
supportEmail
: The support email displayed on the OAuth consent screen. This email address can either be a user's address or a Google Groups alias. While service accounts also have an email address, they are not actual valid email addresses, and cannot be used when creating a brand. However, a service account can be the owner of a Google Group. Either create a new Google Group or configure an existing group and set the desired service account as an owner of the group.applicationTitle
: The application name displayed on OAuth consent screen.
The response contains the following fields:
name: projects/[PROJECT_NUMBER]/brands/[BRAND_ID] applicationTitle: [APPLICATION_TITLE] supportEmail: [SUPPORT_EMAIL] orgInternalOnly: true
Creating an IAP OAuth Client
Use the create command to create a client. Use the brand
name
from previous step.gcloud iap oauth-clients create projects/PROJECT_NUMBER/brands/BRAND-ID --display_name=NAME
The response contains the following fields:
name: projects/[PROJECT_NUMBER]/brands/[BRAND_NAME]/identityAwareProxyClients/[CLIENT_ID] secret: [CLIENT_SECRET] displayName: [NAME]