Power BI Connector for SAS Xpt

Build 25.0.9454

Create a Custom OAuth App

Creating a Custom OAuth Application

CData embeds OAuth Application Credentials with CData branding that can be used when connecting to SAS Xpt via a desktop application or a headless machine.

(For information on getting and setting the OAuthAccessToken and other configuration parameters, see the Desktop Authentication section of "Connecting to SAS Xpt".)

However, you must create a custom OAuth application to connect to SAS Xpt via the Web. And since custom OAuth applications seamlessly support all three commonly-used auth flows, you might want to create custom OAuth applications (use your own OAuth Application Credentials) for those auth flows anyway.

Custom OAuth applications are useful if you want to:

  • control branding of the authentication dialog
  • control the redirect URI that the application redirects the user to after the user authenticates
  • customize the permissions that you are requesting from the user

The following sections describe how to enable the Directory API and create custom OAuth applications for user accounts (OAuth) and Service Accounts (OAuth/JWT).

Enable the Google Drive API

Follow these steps to enable the Google Drive API:

  1. Navigate to the Google Cloud Console.
  2. Select Library from the left-hand navigation menu. This opens the Library page.
  3. In the search field, enter "Google Drive API" and select Google Drive API from the search results.
  4. On the Google Drive API page, click ENABLE.

Create an OAuth Application

To create custom OAuth applications that retrieve the necessary OAuth connection properties, follow these procedures.

User Accounts (OAuth)

For users whose AuthScheme is OAuth and who need to authenticate over a web application, you must always create a custom OAuth application. (For desktop and headless flows, creating a custom OAuth application is optional.)

Do the following:

  1. Navigate to the Google Cloud Console.
  2. Create a new project or select an existing project.
  3. At the left-hand navigation menu, select Credentials.
  4. If this project does not already have a consent screen configured, click CONFIGURE CONSENT SCREEN to create one. If you are not using a Google Workspace account, you are restricted to creating an External-type Consent Screen, which requires specifying a support email and developer contact email. Additional info is optional.
  5. On the Credentials page, select Create Credentials > OAuth Client ID.
  6. In the Application Type menu, select Web application.
  7. Specify a name for your custom OAuth application.
  8. Under Authorized redirect URIs, click ADD URI and enter a redirect URI.
  9. Click Enter, then CREATE. The Cloud Console returns you to the Credentials page.
    A window opens that displays your client Id and client secret.
  10. Record the client Id and Client Secret for later use as the OAuthClientId and OAuthClientSecret connection properties.

Note: The client secret remains accessible from from the Google Cloud Console.

Service Accounts (OAuthJWT)

Service accounts (AuthScheme OAuthJWT) can be used in an OAuth flow to access Google APIs on behalf of users in a domain. A domain administrator can delegate domain-wide access to the service account.

To create a new service account:

  1. Navigate to the Google Cloud Console.
  2. Create a new project or select an existing project.
  3. At the left-hand navigation menu, select Credentials.
  4. Select Create Credentials > Service account.
  5. On the Create service account page, enter the service account name, ID, and an optional description.
  6. Click DONE. The Cloud Console redisplays the Credentials page.
  7. In the Service Accounts section, select the service account you just created.
  8. Click the Advanced Settings section and enable Domain-Wide Delegation.
  9. Record the Client ID shown for domain-wide delegation. You'll use this in the Admin Console.
  10. In a new tab, navigate to the Google Admin Console.
  11. Go to Security > API Controls > Domain-Wide Delegation.
  12. Click Manage Domain-Wide Delegation, then Add new.
  13. Enter the recorded Client ID and the list of required scopes. See OAuth Scopes and Endpoints for more details.
  14. Back in the Cloud Console, select the KEYS tab for the service account.
  15. Click ADD KEY > Create new key.
  16. Select a supported key type (see OAuthJWTCert and OAuthJWTCertType).
  17. Click CREATE. The key is automatically downloaded to your device.
  18. Record the additional information for later use.

In the service account flow, the connector exchanges a JSON Web Token (JWT) for the OAuthAccessToken. The private key downloaded in the steps above is used to sign the JWT. The connector inherits the permissions granted to the service account, including any scopes configured through domain-wide delegation.

Copyright (c) 2025 CData Software, Inc. - All rights reserved.
Build 25.0.9454