This page describes how to programmatically create OAuth clients for use with IAP, enabling you to set up IAP programmatically end-to-end for internal applications.
Known limitations
There are a few known limitations for programmatically-created OAuth clients:
- OAuth clients created by the API can only be modified by using the API. You cannot modify an OAuth client via the Cloud console if you create it by using the API.
- Only 500 OAuth clients are allowed per project when using the API.
- API-created OAuth consent screen brands have specific limitations. See the section below for more information.
Understanding brands and branding state
The OAuth consent screen, which contains branding information for users, is known as a brand. Brands can be limited to internal users or public users. An internal brand makes the OAuth flow accessible to someone who belongs to the same Google Workspace organization as the project. A public brand makes the OAuth flow available to anyone on the internet.
Brands can be created manually or programmatically via an API. API-created brands are automatically configured with different settings:
- They're set to internal and must be manually set to public if desired
- They're set to an "unreviewed" state and a brand review must be triggered
To manually set an internal brand to public:
- Open the OAuth consent screen.
- Select your desired project from the drop-down menu.
- On the OAuth consent screen page, note that the User Type is automatically set to Internal. To set it to Public, click Edit App. More configuration options become available.
- Under Application type, click Public.
To trigger a brand review for an unreviewed API-created brand:
- Open the OAuth consent screen.
- Select your desired project from the drop-down menu.
- On the OAuth consent screen page, enter any required information, and then click Submit for verification.
The verification process may take up to several weeks, and you will receive email updates as it progresses. Learn more about verification. While the verification process is ongoing, you can still use the application within your Google Workspace organization. Learn more about how your application will behave before it's verified.
Before you begin
Before you can create a client, first ensure that the caller has been granted the following permissions:
clientauthconfig.brands.list
clientauthconfig.brands.create
clientauthconfig.brands.get
clientauthconfig.clients.create
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.delete
clientauthconfig.clients.update
These permissions are included in the Editor (roles/editor
) and Owner
(roles/owner
) basic roles,
however we recommend that you create a
custom role that contains these
permissions and grant it to the caller instead.
Set up OAuth for IAP
The following steps describe how to configure the consent screen and create and oauth client for IAP.
Configuring consent screen
Check if you already have an existing brand by using the list command. You may only have one brand per project.
gcloud alpha iap oauth-brands list
The following is an example gcloud response, if the brand exists:
name: projects/[PROJECT_NUMBER]/brands/[BRAND_ID] applicationTitle: [APPLICATION_TITLE] supportEmail: [SUPPORT_EMAIL] orgInternalOnly: true
If no brand exists, use the create command:
gcloud alpha iap oauth-brands create --application_title=APPLICATION_TITLE --support_email=SUPPORT_EMAIL
The above fields are required when calling this API:
supportEmail
: The support email displayed on the OAuth consent screen. This email address can either be a user's address or a Google Groups alias. While service accounts also have an email address, they are not actual valid email addresses, and cannot be used when creating a brand. However, a service account can be the owner of a Google Group. Either create a new Google Group or configure an existing group and set the desired service account as an owner of the group.applicationTitle
: The application name displayed on OAuth consent screen.
The response contains the following fields:
name: projects/[PROJECT_NUMBER]/brands/[BRAND_ID] applicationTitle: [APPLICATION_TITLE] supportEmail: [SUPPORT_EMAIL] orgInternalOnly: true
Creating an IAP OAuth Client
Use the create command to create a client. Use the brand
name
from previous step.gcloud alpha iap oauth-clients create projects/PROJECT_ID/brands/BRAND-ID --display_name=NAME
The response contains the following fields:
name: projects/[PROJECT_NUMBER]/brands/[BRAND_NAME]/identityAwareProxyClients/[CLIENT_ID] secret: [CLIENT_SECRET] displayName: [NAME]
Use the client ID (
client_id
in the above example) andsecret
to enable IAP. See the following topics for more information about enabling IAP using the credentials you've just created:
Authenticating
Once IAP is configured for an app, all requests need to be authenticated. The following steps describe how to access an IAP-protected application programmatically.
End user authentication
After you've followed the steps above, refer to the this topic for more information about how to authenticate using OAuth 2.0. Ensure that you request a refresh token to allow for automation. Manual consent during the OAuth flow is required, however the refresh token can be used to programmatically obtain fresh access tokens.
Service accounts and gcloud
To authenticate using a service account and gcloud:
- Create a service account, and grant it the required permissions.
- Create a service account key, downloading it to the desired path.
Execute the following gcloud command, specifying the path to the service account key:
gcloud auth activate-service-account [ACCOUNT-NAME] --key-file=/path/to/service-key.json --project=[PROJECT_ID]
Make API requests using
gcloud auth print-access-token
:curl -H "Authorization: Bearer $(gcloud auth print-access-token)" https://iap.googleapis.com/v1/projects/[PROJECT_ID_OR_NUMBER]/brands