JDBC Driver for Google Spanner

Build 23.0.8839

Creating a Custom OAuth App

Creating a Custom OAuth Application

CData embeds OAuth Application Credentials with CData branding that can be used when connecting to Google Spanner via a desktop application or a headless machine.

(For information on getting and setting the OAuthAccessToken and other configuration parameters, see the Desktop Authentication section of "Connecting to Google Spanner".)

However, you must create a custom OAuth application to connect to Google Spanner via the Web. And since custom OAuth applications seamlessly support all three commonly-used auth flows, you might want to create custom OAuth applications (use your own OAuth Application Credentials) for those auth flows anyway.

Custom OAuth applications are useful if you want to:

  • control branding of the authentication dialog
  • control the redirect URI that the application redirects the user to after the user authenticates
  • customize the permissions that you are requesting from the user

The following sections describe how to enable the Directory API and create custom OAuth applications for user accounts (OAuth) and Service Accounts (OAuth/JWT).

Enable the Spanner API

Follow these steps to enable the Spanner API:

  1. Navigate to the Google Cloud Console.
  2. Select Library from the left-hand navigation menu. This opens the Library page.
  3. In the search field, enter "Spanner API" and select Spanner API from the search results.
  4. On the Spanner API page, click ENABLE.

Create an OAuth Application

To create custom OAuth applications that retrieve the necessary OAuth connection properties, follow these procedures.

User Accounts (OAuth)

For users whose AuthScheme is OAuth and who need to authenticate over a web application, you must always create a custom OAuth application. (For desktop and headless flows, creating a custom OAuth application is optional.)

Do the following:

  1. Navigate to the Google Cloud Console.
  2. Create a new project or select an existing project.
  3. At the left-hand navigation menu, select Credentials.
  4. If this project does not already have a consent screen configured, click CONFIGURE CONSENT SCREEN to create one. If you are not using a Google Workspace account, you are restricted to creating an External-type Consent Screen, which requires specifying a support email and developer contact email. Additional info is optional.
  5. On the Credentials page, select Create Credentials > OAuth Client ID.
  6. In the Application Type menu, select Web application.
  7. Specify a name for your custom OAuth application.
  8. Under Authorized redirect URIs, click ADD URI and enter a redirect URI.
  9. Click Enter, then CREATE. The Cloud Console returns you to the Credentials page.
    A window opens that displays your client Id and client secret.
  10. Record the client Id and Client Secret for later use as the OAuthClientId and OAuthClientSecret connection properties.

Note: The client secret remains accessible from from the Google Cloud Console.

Service Accounts (OAuthJWT)

Service accounts (AuthScheme OAuthJWT) can be used in an OAuth flow to access Google APIs on behalf of users in a domain. A domain administrator can delegate domain-wide access to the service account.

To create a new service account:

  1. Navigate to the Google Cloud Console.
  2. Create a new project or select an existing project.
  3. At the left-hand navigation menu, select Credentials.
  4. Select Create Credentials > Service account.
  5. On the Create service account page, enter the Service account name, the Service account ID, and, optionally, a description.
  6. Click DONE. The Cloud Console redisplays the Credentials page.
  7. In the Service Accounts section, select the service account you just created.
  8. Click the KEYS tab.
  9. Click ADD KEY > Create new key.
  10. Select any supported Key type (see OAuthJWTCert and OAuthJWTCertType).
  11. Click CREATE. The key is automatically downloaded to your device, and any additional information specific to the key is displayed.
  12. Record the additional information for future use.

To complete the service account flow, generate a private key in the Google Cloud Console. In the service account flow, the driver exchanges a JSON Web token (JWT) for the OAuthAccessToken. The private key is required to sign the JWT. The driver will have the same permissions granted to the service account.

Copyright (c) 2024 CData Software, Inc. - All rights reserved.
Build 23.0.8839