Connecting to a Google application using the website OAuth 2.0 authorization method
To enable IBM® App Connect to work with Google applications like Gmail and Google Sheets, you can connect by using one of two authorization methods. You can use an OAuth 2.0 client ID & secret, or provide credentials for App Connect to use by obtaining an OAuth 2.0 client ID, client secret, access token, and refresh token. This topic describes how to connect using the website OAuth 2.0 authorization method. With this method, App Connect generates an access and refresh token for you.
High-level procedure:
- Start with a project
- Define a consent screen
- Get an OAuth client ID and secret
- Enable the Google APIs that you want to let IBM App Connect use with your Google data
- Connect to a Google application
The procedure described in this page assumes that you do not already have a suitable OAuth client ID and client secret for a project that has the Google APIs enabled, and that to give IBM App Connect access to a consumer Gmail account you want to use the Google API Console to get an OAuth client ID and client secret. If you do have a suitable OAuth client ID and client secret, you can use those to connect to App Connect without having to create and configure a new project. You'll just need to update your Google application with the redirect URI provided by App Connect; see Updating the authorized redirect URI.
Start with a project
In the Google Cloud Platform, you configure details for OAuth 2.0 authentication and authorization in a project. You can either use an existing project or create a new project for IBM App Connect.
- Open the Google Cloud Platform https://console.developers.google.com/apis/dashboard.
(Sign in with your Google account)
- From the project drop-down menu, select an existing project or create a new project, as follows:
  - Click NEW PROJECT
  - If displayed, agree to the terms of service for Google Cloud Platform to continue
  - Enter a project name that will help you manage OAuth for IBM App Connect; for example: Project for IBM App Connect
  - Click CREATE. (This returns you to the dashboard.)
Define a consent screen
Use the OAuth consent screen option to define a consent screen.
The consent screen will only be used by you to get an access token and refresh token for IBM App Connect use.
- Select the OAuth consent screen option
- Select a User Type from one of the following options.
  - Internal: Select Internal to make your app available to other users in your organization. In G Suite, depending on your organizational structure, settings, and policies, users can create their own Client ID and Client secret or might use the G Suite account holder's Client ID and Client secret. Those users will not see an 'unverified app' screen when configuring an access token and refresh token, and can use the OAuth credentials to connect IBM App Connect to Google apps. Only available to G Suite users.
  - External: Select External so that you can use your app yourself or make your app available to any user with a Google account. These users might see an 'unverified app' screen when configuring an access token and refresh token, but can use the OAuth credentials to connect IBM App Connect to Google apps. External is selected by default if you are not a G Suite user.
- Click CREATE
- Enter an Application name to help you manage OAuth for IBM App Connect; for example: App for IBM App Connect
- Select your User support email address
- In the Authorized domains field, enter ibm.com to add this to your list of authorized domains
- In the Developer contact information field, add an email address
- Click SAVE AND CONTINUE. (This displays the Scopes screen.)
- (Optional) Add scopes for the Google apps that you want to use. (Otherwise, you can select scope permissions later.) To add scopes now:
  - Click ADD OR REMOVE SCOPES
  - Under Manually add scopes paste scopes for Google apps
  - Click ADD TO TABLE
  - Click UPDATE. This lists the scopes under headings like Your sensitive scopes.
  For example, the recommended scope for Gmail is:
  https://www.googleapis.com/auth/gmail.modify
  Recommended scopes for other Google apps:
  - For Google Drive and Google Sheets apps:
    https://www.googleapis.com/auth/drive
  - For Google Analytics app:
    https://www.googleapis.com/auth/analytics
    https://www.googleapis.com/auth/analytics.edit
    https://www.googleapis.com/auth/analytics.manage.users
    https://www.googleapis.com/auth/analytics.manage.users.readonly
    https://www.googleapis.com/auth/analytics.readonly
- Click SAVE AND CONTINUE. (This displays the Test users screen.)
- (Optional) Add users as required, then click SAVE AND CONTINUE. (This displays the OAuth consent screen details.)
- Click BACK TO DASHBOARD
- In the Publishing status section, click PUBLISH APP. The Push to production pop up window is displayed.
- Click CONFIRM
Get an OAuth client ID and secret
Use the Credentials option to get an OAuth client ID and secret, and update the authorized redirect URI provided by App Connect.
- Click the Credentials option
- Click + CREATE CREDENTIALS
- Click OAuth client ID
- Click the Web application check box
- Enter a Name to help you manage OAuth for IBM App Connect; for example: Web client for IBM App Connect
- In the Authorized redirect URIs field, enter the redirect URI provided in the App Connect UI, then press return to add this to your list
- Click Create
The OAuth client is created, and the Client ID and secret are displayed. You can copy the values displayed, or download them as a JSON file from the Credentials page at any time. To continue, close the OAuth client created window.
If you later want to see the Client ID and secret, or add the redirect URI provided by App Connect, from the Google APIs and Services menu, click Credentials, and then click the name of the client you want to work with in the OAuth 2.0 Client IDs section.
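An added example, not part of IBM's documentation: a Python check over the JSON file downloaded from the Credentials page, confirming that the client is a Web application client and that the only registered redirect URI is the one shown in the App Connect UI. The sample JSON, all of its values, and the redirect URI are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the layout of the JSON file downloaded from the
# Credentials page; every value is a placeholder, not a real credential.
SAMPLE_CLIENT_JSON = json.dumps({
    "web": {
        "client_id": "000000000000-example.apps.googleusercontent.com",
        "project_id": "project-for-ibm-app-connect",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "client_secret": "PLACEHOLDER-SECRET",
        "redirect_uris": [
            "https://appconnect.example.invalid/oauth/callback",
            "http://localhost:8080/callback",
        ],
    }
})

def audit_client_json(text, expected_redirect_uri):
    """Return a list of findings; an empty list means the client looks as intended."""
    doc = json.loads(text)
    findings = []
    if "web" not in doc:
        # The procedure creates a "Web application" client; "installed" is the desktop type.
        return [f"client type is {sorted(doc)}, expected 'web'"]
    client = doc["web"]
    for field in ("client_id", "client_secret"):
        if not client.get(field):
            findings.append(f"missing {field}")
    uris = client.get("redirect_uris", [])
    if expected_redirect_uri not in uris:
        findings.append("App Connect redirect URI is not registered")
    for uri in uris:
        if uri == expected_redirect_uri:
            continue
        parts = urlsplit(uri)
        reason = "not https" if parts.scheme != "https" else "not the App Connect URI"
        findings.append(f"extra redirect URI {uri} ({reason})")
    return findings

if __name__ == "__main__":
    # Hypothetical redirect URI; use the value shown in the App Connect UI.
    for finding in audit_client_json(
            SAMPLE_CLIENT_JSON, "https://appconnect.example.invalid/oauth/callback"):
        print("FINDING:", finding)
```

Because the downloaded file contains the client secret, store it with restricted permissions and delete it once the values have been entered in App Connect.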
Enable the Google APIs that you want to let IBM App Connect use with your Google data
For your project, enable the Google APIs that can be used. We'll later define the scopes of API use that you want to allow; for example, to only retrieve messages or to create new spreadsheets.
- Click the Library option
- Select a Google API that you want to use in IBM App Connect flows, then click ENABLE
Repeat these steps for each of the Google apps that you want to use in IBM App Connect; for example:
- Gmail: Gmail API
- Google Analytics: Google Analytics API
- Google Drive: Google Drive API
- Google Sheets: Google Sheets API and Google Drive API
The APIs that you have enabled are listed on the dashboard.
Select the scopes of APIs to use in IBM App Connect
If you did not select API scopes when defining the consent screen, edit the OAuth app to select the scopes of APIs for each of the Google apps that you want to use in IBM App Connect. For a list of the recommended scopes, see the "Define a consent screen" section of the preceding link.
- Select the OAuth consent screen option
- Click EDIT APP
- Click SAVE AND CONTINUE. (This displays the Scopes screen.)
- Click ADD OR REMOVE SCOPES
- Select API scopes from the list of enabled APIs, or manually add scopes
- Click UPDATE
- Click SAVE AND CONTINUE on the following screens until you see the OAuth consent screen details
- Click BACK TO DASHBOARD
Connect to a Google application
When you have completed all the steps above, you are ready to connect to a Google application in the App Connect UI.
- Specify the Application client ID obtained in Get an OAuth client ID and secret
- Specify the Application client secret obtained in Get an OAuth client ID and secret
- Click Connect
- You are prompted to select the Google account that you want to sign in with
- If the Unverified app screen is displayed, click . For more information about unverified apps, see the Google doc Unverified apps.
- In the Google consent screen, select the access you want to provide to App Connect.
- Click Continue to close the consent screen and return to the App Connect UI
- You are connected to your Google application and the account is created in App Connect