How to share OAuth clients

This page explains how to share an OAuth client with another app within your organization.


Sharing OAuth clients between projects removes the need to manually create a new OAuth client for every app under your organization. After manually creating one OAuth client, you can programmatically assign it to multiple apps.

OAuth client sharing is also used to share a default OAuth client with agents you want to be able to enable Identity-Aware Proxy (IAP) but not have access to the Credentials page.

Note that mobile apps can't authenticate with OAuth clients from a different project.

Before you begin

Follow one of the guides below to enable IAP for an app and create an OAuth client.

Note that client sharing with App Engine isn't currently supported.

Assigning a shared client to Compute Engine apps

  1. Go to the Instance groups page to make sure your instances are in an instance group.
  2. Define backend services.
  3. Set up load balancing.
  4. Using the gcloud command-line tool, run gcloud auth login.
  5. Follow the URL that appears to sign in.
  6. After you sign in, copy the verification code that appears and paste it in the command line.
  7. Run gcloud config set project PROJECT_ID for the project for which you want to enable IAP.
  8. To enable IAP, use your shared client's ID and secret from the Credentials page and run the following command:

    gcloud compute backend-services update BACKEND_SERVICE_NAME  \
       --global --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET

Assigning a shared client to GKE apps

Follow the steps to configure your app's BackendConfig file, instead using your shared client's ID and secret when running the following command:

kubectl create secret generic my-secret --from-literal=client_id=CLIENT_ID \


While sharing a client between your apps is convenient, there are risks. This section outlines potential risks when sharing clients and how to mitigate them.

Single point of failure

Using one OAuth client for many apps creates a single point of failure. If a client is deleted or modified incorrectly, every app that uses that client is impacted.

To mitigate this, only share clients when fulfilling an important use case for shared clients.

Client secret leaks

Sharing a client requires sharing your client secret with people and scripts. This increases the risk of your client secret leaking. IAP can't differentiate between tokens created from your app and tokens created from a leaked client secret.

Access to your IAP resources can be monitored with Cloud Audit Logging. If you believe there's a chance that your client secret leaked, reset it from the Credentials page.

To mitigate this risk, protect client secrets like a password. Limit sharing them and never store them as plaintext.

Impersonation of authorized users

If your client secret is leaked, a malicious app can set the IAP authentication browser cookie on its domain to impersonate an authorized user. With this cookie, IAP authenticates the impersonated user for all apps that share the leaked client secret.

To mitigate this risk, avoid sharing clients between resources that also share authorized users. Set per-resource permissions to ensure that even if an impersonated user is authenticated, IAP won't authorize access.

User identity collection

If your client secret is leaked, a malicious app can use your client ID to collect the identities of your app's users. This is triggered when your users visit the malicious app.

When a user accesses an IAP-protected app for the first time, they're asked to share their identity with the app. This gives users control over their personal information. When a user consents to share their identity, the Google login system records that consent. IAP won't re-prompt the user on subsequent requests from any client ID in the same project.

Any user who has consented to share their identity with your app, and who visits the malicious app, will immediately have their identity shared without their consent.