Creating a Custom OAuth Application
CData embeds OAuth Application Credentials with CData branding that can be used when connecting to Google Ads via a desktop application or a headless machine. (For information on getting and setting the OAuthAccessToken and other configuration parameters, see the Desktop Authentication section of "Connecting to Google Ads".) However, you must create a custom OAuth application to connect to Google Ads via the Web. And since custom OAuth applications seamlessly support all three commonly-used auth flows, you might want to create custom OAuth applications (use your own OAuth Application Credentials) for those auth flows anyway. Custom OAuth applications are useful if you want to:
- control branding of the authentication dialog;
- control the redirect URI that the application redirects the user to after the user authenticates; or
- customize the permissions that you are requesting from the user.
The following sections describe how to enable the Directory API and create custom OAuth applications for user accounts (OAuth/OAuthPKCE) and Service Accounts (OAuth/JWT).
User Accounts (OAuth/OAuthPKCE)
For users whose AuthScheme is OAuth or OAuthPKCE, and who need to authenticate over a web application, you must always create a custom OAuth application. (For desktop and headless flows, creating a custom OAuth application is optional.) Do the following:
- Navigate to the Google Cloud Console.
- Create a new project or select an existing project.
- At the left-hand navigation menu, select Credentials.
- If this project does not already have a consent screen configured, click CONFIGURE CONSENT SCREEN to create one. If you are not using a Google Workspace account, you are restricted to creating an External-type Consent Screen, which requires specifying a support email and developer contact email. Additional info is optional.
- On the Credentials page, select Create Credentials > OAuth Client ID.
- In the Application Type menu, select Web application.
- Specify a name for your custom OAuth application.
- Under Authorized redirect URIs, click ADD URI and enter a redirect URI.
- Click Enter, then CREATE. The Cloud Console returns you to the Credentials page.
- The Google Cloud Console opens a window that displays your client ID and client secret. Record the client ID and client secret for later use.
Note: The client secret remains accessible from the Google Cloud Console.
Service Accounts (OAuthJWT)
Service accounts (AuthScheme OAuthJWT) are used in an OAuth flow to access Google APIs on behalf of users in a domain. A domain administrator can delegate domain-wide access to the service account. To create a new service account:
- Navigate to the Google Cloud Console.
- Create a new project or select an existing project.
- At the left-hand navigation menu, select Credentials.
- Select Create Credentials > Service account.
- On the Create service account page, enter the Service account name, and the Service account ID. If desired, enter a description.
- Click DONE. The Cloud Console redisplays the Credentials page.
- In the Service Accounts section, select the service account you just created.
- Click the KEYS tab.
- Click ADD KEY > Create new key.
- Select any supported Key type (see OAuthJWTCert and OAuthJWTCertType).
- Click CREATE. The key is automatically downloaded to your device, and any additional information specific to the key is displayed. Record the additional information for future use.
- To complete the service account flow, generate a private key in the Google Cloud Console. In the service account flow, the driver exchanges a JSON Web Token (JWT) for the OAuthAccessToken. The private key is required to sign the JWT; using it gives the driver the same permissions as those that were granted to the service account.
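Because the downloaded key carries the service account's full permissions, it is worth checking the file before pointing the driver at it. The following is an added example, not CData's code: it audits a JSON-type key file on a POSIX system and builds the claim set of the JWT that the private key signs. The function names, the expected `token_uri` value, and the one-hour cap are assumptions based on Google's standard JSON key format and token endpoint.

```python
import json
import os
import stat
import time

# Assumption: current Google JSON keys carry this token endpoint.
GOOGLE_TOKEN_URI = "https://oauth2.googleapis.com/token"
REQUIRED_FIELDS = ("client_email", "private_key_id", "private_key")
MAX_LIFETIME = 3600  # assertions valid for more than one hour are rejected


def audit_key_file(path):
    """Return a list of findings for a downloaded service-account JSON key."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Any group/other permission bit means other local users can reach the key.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:o} exposes the private key to other users")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            findings.append(f"missing field: {field}")
    if key.get("type") != "service_account":
        findings.append("type is not service_account")
    if key.get("token_uri") != GOOGLE_TOKEN_URI:
        findings.append("token_uri is not the expected Google token endpoint")
    pem = key.get("private_key")
    if pem and "BEGIN PRIVATE KEY" not in pem:
        findings.append("private_key is not a PEM PKCS#8 block")
    return findings


def build_claims(key, scope, subject=None, lifetime=MAX_LIFETIME, now=None):
    """Claim set of the JWT that is signed and exchanged for an access token."""
    now = int(time.time()) if now is None else int(now)
    claims = {
        "iss": key["client_email"],   # the service account itself
        "scope": scope,               # permissions requested for the token
        "aud": key["token_uri"],      # endpoint that accepts the signed JWT
        "iat": now,
        "exp": now + min(lifetime, MAX_LIFETIME),  # never longer than one hour
    }
    if subject:  # only set when domain-wide delegation is configured
        claims["sub"] = subject
    return claims
```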