Search K
Appearance
Google Cloud Platform OAuth (Third-Party Account) — Setup Guide
Overview Use this guide to register a Google Cloud Platform app and connect it to your system as a "Third Party (Google Cloud Platform)" OAuth account. The app enables end-users to:
- Access Google Drive files and folders
- Integrate with Google Workspace (Gmail, Calendar, Docs, Sheets, Slides)
- Use Google Cloud Storage buckets and objects
- Access BigQuery datasets and analytics
- Integrate with Google Cloud AI/ML services
- Manage Google Cloud IAM and resource access
This document provides the exact permissions to grant, the redirect/authorization URLs to use, and the values to enter in your application. All values below use placeholders—replace them with your own.
1) Create a New Project in Google Cloud Console
- Sign in to Google Cloud Console at
https://console.cloud.google.com/ - Click the project selector and Create Project.
- Project Name: e.g.,
MinuteView Integration. - Organization: Select your organization (if applicable).
- Click Create.
2) Enable Required APIs
Navigate to APIs & Services → Library and enable the APIs you need:
Core APIs
- Google Drive API - File storage and management
- Gmail API - Email integration
- Google Calendar API - Calendar management
- Google Sheets API - Spreadsheet integration
- Google Docs API - Document processing
Cloud Platform APIs
- Cloud Storage JSON API - Object storage
- BigQuery API - Data analytics
- Cloud AI Platform API - Machine learning services
- Cloud IAM API - Identity and access management
3) Configure OAuth 2.0 Consent Screen
- Navigate to APIs & Services → OAuth consent screen.
- User Type: Choose Internal (for organization users) or External (for public access).
- Fill in required fields:
- App name: e.g.,
MinuteView Integration - User support email: Your support email
- Developer contact information: Your email
- App name: e.g.,
- Scopes: Add the scopes you'll need (see scope selection below).
- Test users: Add test user emails if using external user type.
- Click Save and Continue.
4) Create OAuth 2.0 Credentials
- Navigate to APIs & Services → Credentials.
- Click Create Credentials → OAuth client ID.
- Application type: Select Web application.
- Name: e.g.,
MinuteView OAuth Client. - Authorized redirect URIs: Add your callback URL:
https://your-domain/MinuteView/PageGeneral/ServiceCallback.aspx
- Click Create.
5) Collect App Credentials
From the OAuth client details:
- Client ID:
YOUR-GOOGLE-CLIENT-ID.apps.googleusercontent.com - Client Secret:
YOUR-GOOGLE-CLIENT-SECRET
Download the JSON credentials file for safekeeping.
6) OAuth 2.0 Scopes
Google uses detailed scopes for API access:
Google Workspace Scopes
https://www.googleapis.com/auth/drive- Full Google Drive accesshttps://www.googleapis.com/auth/drive.file- Per-file Google Drive accesshttps://www.googleapis.com/auth/gmail.readonly- Read-only Gmail accesshttps://www.googleapis.com/auth/gmail.send- Send emails via Gmailhttps://www.googleapis.com/auth/calendar- Google Calendar accesshttps://www.googleapis.com/auth/spreadsheets- Google Sheets accesshttps://www.googleapis.com/auth/documents- Google Docs access
Google Cloud Platform Scopes
https://www.googleapis.com/auth/cloud-platform- Full GCP accesshttps://www.googleapis.com/auth/devstorage.read_write- Cloud Storage accesshttps://www.googleapis.com/auth/bigquery- BigQuery accesshttps://www.googleapis.com/auth/cloud-platform.read-only- Read-only GCP access
Profile Scopes
https://www.googleapis.com/auth/userinfo.email- User email addresshttps://www.googleapis.com/auth/userinfo.profile- User profile informationopenid- OpenID Connect
7) Authorization & Token Endpoints
Authorize endpoint
https://accounts.google.com/o/oauth2/v2/authToken endpoint
https://oauth2.googleapis.com/tokenToken Info endpoint
https://oauth2.googleapis.com/tokeninfoRevoke endpoint
https://oauth2.googleapis.com/revoke
8) Authorization Request
Use the Authorization Code flow with PKCE for enhanced security:
GET https://accounts.google.com/o/oauth2/v2/auth
?response_type=code
&client_id={ClientId}
&redirect_uri={UrlEncodedCallbackUrl}
&scope={SpaceSeparatedScopes}
&state={RandomStateParameter}
&code_challenge={PKCEChallenge}
&code_challenge_method=S256
&access_type=offline
&prompt=consentExample scopes: https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/userinfo.email
9) Token Exchange (Server-Side)
When your app receives the code at the callback:
POST to the token endpoint with:
grant_type=authorization_codeclient_id={ClientId}client_secret={ClientSecret}code={authorization_code_from_callback}redirect_uri={exact_same_redirect_uri}code_verifier={PKCEVerifier}
You'll receive:
access_token(typically valid for 1 hour; use for API calls)refresh_token(long-lived; use to get new access tokens)expires_in(token lifetime in seconds)scope(granted scopes)token_type(typically "Bearer")
10) Testing Checklist
Sign in with a user who has access to the target Google services.
Call sample endpoints to validate each capability:
- User Info:
GET https://www.googleapis.com/oauth2/v2/userinfo - Drive Files:
GET https://www.googleapis.com/drive/v3/files - Gmail Messages:
GET https://gmail.googleapis.com/gmail/v1/users/me/messages - Calendar Events:
GET https://www.googleapis.com/calendar/v3/calendars/primary/events - Cloud Storage:
GET https://storage.googleapis.com/storage/v1/b/{bucket}/o
- User Info:
Confirm refresh token works and tokens are stored securely.
Test file upload/download operations if applicable.
11) Security & Best Practices
- Treat Client Secret and refresh tokens as sensitive credentials; store in a secure credential store.
- Use PKCE (Proof Key for Code Exchange) for additional security.
- Use HTTPS for all communications.
- Implement token refresh logic before tokens expire.
- Use incremental authorization - request minimal scopes initially, request additional scopes as needed.
- Monitor API usage to stay within quotas and rate limits.
- Validate JWT tokens if using OpenID Connect.
12) Troubleshooting
- Redirect URI mismatch: Ensure the callback URL in the request exactly matches a registered redirect URI.
- Invalid scope: Verify you've requested valid scopes and they're enabled in the consent screen.
- Token expired: Implement automatic token refresh using the refresh token.
- Quota exceeded: Monitor your API usage in Google Cloud Console and request quota increases if needed.
- Access denied: Check user permissions for the specific Google services and resources.
- Invalid client: Verify your Client ID and Client Secret are correct and the OAuth client is properly configured.
13) Rate Limits & Quotas
Google APIs have various quotas and rate limits:
- Drive API: 1,000 requests per 100 seconds per user
- Gmail API: 1,000,000,000 quota units per day
- Calendar API: 1,000,000 requests per day
- Cloud Storage: 5,000 requests per 100 seconds
Monitor usage in Google Cloud Console → APIs & Services → Quotas.
14) Service Account Alternative
For server-to-server access without user interaction:
- Create a Service Account in IAM & Admin → Service Accounts.
- Download the JSON key file.
- Use JWT assertion flow instead of OAuth 2.0.
- Grant necessary permissions to the service account.
Appendix — Example URL Templates
Replace placeholders and URL-encode parameters appropriately.
Authorization URL:
https://accounts.google.com/o/oauth2/v2/auth
?response_type=code
&client_id={ClientId}
&redirect_uri={UrlEncodedCallbackUrl}
&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email
&state={RandomState}
&code_challenge={PKCEChallenge}
&code_challenge_method=S256
&access_type=offline
&prompt=consentToken Exchange:
POST https://oauth2.googleapis.com/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id={ClientId}
&client_secret={ClientSecret}
&code={CodeFromCallback}
&redirect_uri={ExactSameCallbackUrl}
&code_verifier={PKCEVerifier}Token Refresh:
POST https://oauth2.googleapis.com/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&client_id={ClientId}
&client_secret={ClientSecret}
&refresh_token={RefreshToken}Common API Endpoints
- User Info:
https://www.googleapis.com/oauth2/v2/userinfo - Drive Files:
https://www.googleapis.com/drive/v3/files - Gmail Messages:
https://gmail.googleapis.com/gmail/v1/users/me/messages - Calendar Events:
https://www.googleapis.com/calendar/v3/calendars/primary/events - Cloud Storage Buckets:
https://storage.googleapis.com/storage/v1/b - BigQuery Datasets:
https://bigquery.googleapis.com/bigquery/v2/projects/{project}/datasets
This configuration enables comprehensive integration with Google Workspace applications and Google Cloud Platform services for file management, communication, analytics, and cloud computing capabilities.