Google Cloud Platform OAuth (Third-Party Account) — Setup Guide

Overview Use this guide to register a Google Cloud Platform app and connect it to your system as a "Third Party (Google Cloud Platform)" OAuth account. The app enables end-users to:

• Access Google Drive files and folders
• Integrate with Google Workspace (Gmail, Calendar, Docs, Sheets, Slides)
• Use Google Cloud Storage buckets and objects
• Access BigQuery datasets and analytics
• Integrate with Google Cloud AI/ML services
• Manage Google Cloud IAM and resource access

This document provides the exact permissions to grant, the redirect/authorization URLs to use, and the values to enter in your application. All values below use placeholders—replace them with your own.

---

1) Create a New Project in Google Cloud Console

1. Sign in to Google Cloud Console at https://console.cloud.google.com/
2. Click the project selector and Create Project.
3. Project Name: e.g., MinuteView Integration.
4. Organization: Select your organization (if applicable).
5. Click Create.

---

2) Enable Required APIs

Navigate to APIs & Services → Library and enable the APIs you need:

Core APIs

• Google Drive API - File storage and management
• Gmail API - Email integration
• Google Calendar API - Calendar management
• Google Sheets API - Spreadsheet integration
• Google Docs API - Document processing

Cloud Platform APIs

• Cloud Storage JSON API - Object storage
• BigQuery API - Data analytics
• Cloud AI Platform API - Machine learning services
• Cloud IAM API - Identity and access management

---

3) Configure OAuth 2.0 Consent Screen

1. Navigate to APIs & Services → OAuth consent screen.
2. User Type: Choose Internal (for organization users) or External (for public access).
3. Fill in required fields:
   • App name: e.g., MinuteView Integration
   • User support email: Your support email
   • Developer contact information: Your email
4. Scopes: Add the scopes you'll need (see scope selection below).
5. Test users: Add test user emails if using external user type.
6. Click Save and Continue.

---

4) Create OAuth 2.0 Credentials

1. Navigate to APIs & Services → Credentials.
2. Click Create Credentials → OAuth client ID.
3. Application type: Select Web application.
4. Name: e.g., MinuteView OAuth Client.
5. Authorized redirect URIs: Add your callback URL:
   • https://your-domain/MinuteView/PageGeneral/ServiceCallback.aspx
6. Click Create.

---

5) Collect App Credentials

From the OAuth client details:

• Client ID: YOUR-GOOGLE-CLIENT-ID.apps.googleusercontent.com
• Client Secret: YOUR-GOOGLE-CLIENT-SECRET

Download the JSON credentials file for safekeeping.

---

6) OAuth 2.0 Scopes

Google uses detailed scopes for API access:

Google Workspace Scopes

• https://www.googleapis.com/auth/drive - Full Google Drive access
• https://www.googleapis.com/auth/drive.file - Per-file Google Drive access
• https://www.googleapis.com/auth/gmail.readonly - Read-only Gmail access
• https://www.googleapis.com/auth/gmail.send - Send emails via Gmail
• https://www.googleapis.com/auth/calendar - Google Calendar access
• https://www.googleapis.com/auth/spreadsheets - Google Sheets access
• https://www.googleapis.com/auth/documents - Google Docs access

Google Cloud Platform Scopes

• https://www.googleapis.com/auth/cloud-platform - Full GCP access
• https://www.googleapis.com/auth/devstorage.read_write - Cloud Storage access
• https://www.googleapis.com/auth/bigquery - BigQuery access
• https://www.googleapis.com/auth/cloud-platform.read-only - Read-only GCP access

Profile Scopes

• https://www.googleapis.com/auth/userinfo.email - User email address
• https://www.googleapis.com/auth/userinfo.profile - User profile information
• openid - OpenID Connect

---

7) Authorization & Token Endpoints

• Authorize endpointhttps://accounts.google.com/o/oauth2/v2/auth

• Token endpointhttps://oauth2.googleapis.com/token

• Token Info endpointhttps://oauth2.googleapis.com/tokeninfo

• Revoke endpointhttps://oauth2.googleapis.com/revoke

---

8) Authorization Request

Use the Authorization Code flow with PKCE for enhanced security:

GET https://accounts.google.com/o/oauth2/v2/auth
  ?response_type=code
  &client_id={ClientId}
  &redirect_uri={UrlEncodedCallbackUrl}
  &scope={SpaceSeparatedScopes}
  &state={RandomStateParameter}
  &code_challenge={PKCEChallenge}
  &code_challenge_method=S256
  &access_type=offline
  &prompt=consent

Example scopes: https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/userinfo.email

---

9) Token Exchange (Server-Side)

When your app receives the code at the callback:

• POST to the token endpoint with:

  • grant_type=authorization_code
  • client_id={ClientId}
  • client_secret={ClientSecret}
  • code={authorization_code_from_callback}
  • redirect_uri={exact_same_redirect_uri}
  • code_verifier={PKCEVerifier}

You'll receive:

• access_token (typically valid for 1 hour; use for API calls)
• refresh_token (long-lived; use to get new access tokens)
• expires_in (token lifetime in seconds)
• scope (granted scopes)
• token_type (typically "Bearer")

---

10) Testing Checklist

• Sign in with a user who has access to the target Google services.

• Call sample endpoints to validate each capability:

  • User Info: GET https://www.googleapis.com/oauth2/v2/userinfo
  • Drive Files: GET https://www.googleapis.com/drive/v3/files
  • Gmail Messages: GET https://gmail.googleapis.com/gmail/v1/users/me/messages
  • Calendar Events: GET https://www.googleapis.com/calendar/v3/calendars/primary/events
  • Cloud Storage: GET https://storage.googleapis.com/storage/v1/b/{bucket}/o

• Confirm refresh token works and tokens are stored securely.

• Test file upload/download operations if applicable.

---

11) Security & Best Practices

• Treat Client Secret and refresh tokens as sensitive credentials; store in a secure credential store.
• Use PKCE (Proof Key for Code Exchange) for additional security.
• Use HTTPS for all communications.
• Implement token refresh logic before tokens expire.
• Use incremental authorization - request minimal scopes initially, request additional scopes as needed.
• Monitor API usage to stay within quotas and rate limits.
• Validate JWT tokens if using OpenID Connect.

---

12) Troubleshooting

• Redirect URI mismatch: Ensure the callback URL in the request exactly matches a registered redirect URI.
• Invalid scope: Verify you've requested valid scopes and they're enabled in the consent screen.
• Token expired: Implement automatic token refresh using the refresh token.
• Quota exceeded: Monitor your API usage in Google Cloud Console and request quota increases if needed.
• Access denied: Check user permissions for the specific Google services and resources.
• Invalid client: Verify your Client ID and Client Secret are correct and the OAuth client is properly configured.

---

13) Rate Limits & Quotas

Google APIs have various quotas and rate limits:

• Drive API: 1,000 requests per 100 seconds per user
• Gmail API: 1,000,000,000 quota units per day
• Calendar API: 1,000,000 requests per day
• Cloud Storage: 5,000 requests per 100 seconds

Monitor usage in Google Cloud Console → APIs & Services → Quotas.

---

14) Service Account Alternative

For server-to-server access without user interaction:

1. Create a Service Account in IAM & Admin → Service Accounts.
2. Download the JSON key file.
3. Use JWT assertion flow instead of OAuth 2.0.
4. Grant necessary permissions to the service account.

---

Appendix — Example URL Templates

Replace placeholders and URL-encode parameters appropriately.

Authorization URL:

https://accounts.google.com/o/oauth2/v2/auth
  ?response_type=code
  &client_id={ClientId}
  &redirect_uri={UrlEncodedCallbackUrl}
  &scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email
  &state={RandomState}
  &code_challenge={PKCEChallenge}
  &code_challenge_method=S256
  &access_type=offline
  &prompt=consent

Token Exchange:

POST https://oauth2.googleapis.com/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&client_id={ClientId}
&client_secret={ClientSecret}
&code={CodeFromCallback}
&redirect_uri={ExactSameCallbackUrl}
&code_verifier={PKCEVerifier}

Token Refresh:

POST https://oauth2.googleapis.com/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&client_id={ClientId}
&client_secret={ClientSecret}
&refresh_token={RefreshToken}

---

Common API Endpoints

• User Info: https://www.googleapis.com/oauth2/v2/userinfo
• Drive Files: https://www.googleapis.com/drive/v3/files
• Gmail Messages: https://gmail.googleapis.com/gmail/v1/users/me/messages
• Calendar Events: https://www.googleapis.com/calendar/v3/calendars/primary/events
• Cloud Storage Buckets: https://storage.googleapis.com/storage/v1/b
• BigQuery Datasets: https://bigquery.googleapis.com/bigquery/v2/projects/{project}/datasets

This configuration enables comprehensive integration with Google Workspace applications and Google Cloud Platform services for file management, communication, analytics, and cloud computing capabilities.