How to End User OAuth for GCP

Warrick
Google Cloud - Community
8 min read · Jul 17, 2020

Let’s talk about end user authentication. I’ve been digging into the authentication space a bit and have some takeaways to share.

When you access a GCP service, there is authentication to determine who you are, authorization to determine what you can do, and auditing that logs what you did. IAM is where you set up roles for authorization, i.e. what you can do in a project.

In the land of GCP there are a couple key ways to use credentials to access/login/authenticate to different services on the platform.

  • End User Auth | OAuth Client ID: credentials that use OAuth 2.0 to access a service / Google APIs / private data on behalf of end users (including you). Usually it opens a browser window for authentication.
  • Service Account: credentials that use a JSON file containing a private key to access a service on behalf of a computer / VM. Basically, it represents a non-human user who needs access. No passwords and no login with browsers or cookies. Download the JSON file onto the server if it's outside GCP and pass it to the Cloud Client Libraries to generate credentials at runtime.
  • API Key: credentials that use an API key to access public data anonymously. It does not require user authentication, which works for public data access.

Check out Authentication overview for more information on these different approaches.

This blog is focused on how to set up authentication with end user credentials and provides an example of how to use those credentials with Python at the end.

A common use case for end user authentication is to set up access to data, like Google Calendar data, for a web or mobile application you've built. I explored it from the use case of accessing a Cloud service such as Cloud Functions or BigQuery from my laptop without using a Service Account. For this type of use case, a Service Account is the more practical path, but that is not always an option.

I'm assuming you already have a Google Cloud project set up and know how to access the console.

Setup OAuth Consent Screen

When setting up credentials, start in the APIs & Services section of the Google Cloud console. You have to set up the OAuth consent screen, if you haven't already, before you can create credentials. What you set up here is the consent screen your users will see in the browser redirect.

Thus, go to the OAuth consent screen first.

If you start on the Credentials page, you will see a CONFIGURE CONSENT SCREEN button, which indicates the consent screen must be configured first; that link will also take you to the OAuth consent screen.

Choose Internal if access is only needed within your organization, and External when your product or service will be used by external end users. For my use case, Internal was what I needed, which kept it simpler.

Include the App name that will be asking for consent and a support email.

Also, add Developer contact information, which can be the same as the support email if needed and SAVE AND CONTINUE.

When setting up the initial consent screen, you can set up Scopes. Scopes specify what kind of end user data you want to potentially access and how much access you need to that end user's account. This gets into the authorization side of access: it limits the actions an application can perform on behalf of the end user. Select only the scopes the project needs, and be conscientious about how much of the end user's data you really need.

When you select ADD OR REMOVE SCOPES, you can choose what scopes to include in the example below.

You can look up scopes and add them manually instead of searching through the list. Check out the Google Scopes doc for more options.

After this section, choose SAVE AND CONTINUE and you will see the summary of the OAuth consent which you then Submit for verification.

If it's External and requests sensitive scopes (e.g. Calendar, YouTube Data) or restricted scopes (e.g. Gmail, Drive), then it will potentially require a review for verification. See the OAuth API verification FAQs for more information.

Create Credentials

Once the OAuth consent screen is set up, you will have the option to +Create Credentials using the link at the top of the screenshot below, under Credentials.

These are the types of credentials you can create, which are the ones explained above. For working with end user authentication, I used OAuth client ID.

The Help me choose option is good to use when you are navigating this and not sure.

Also for this example, I used the Application type Web application.

Midway down the Using OAuth 2.0 to Access Google APIs documentation there is a good rundown of the application options to help you choose.

You can give the application a name, which helps identify the client in the console when it asks for authentication.

For what I wanted to use, I put the localhost URI in the Authorized redirect URIs.

If you plan to test something locally, make sure to include the above http://localhost:8080/ exactly; otherwise, it will give you a 400 error that the redirect is not authorized.

After you CREATE the credentials, it will show a summary of what you created. You can return to the Credentials dashboard and see the new credentials listed under OAuth 2.0 Client IDs section. There will be a down arrow on the right of the credential name, which is where you can download the JSON file that you will need to generate an access token.

Keep track of that filename and path.
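As an added illustration (not code from this post, and not the library's own code), here is what the downloaded client JSON feeds into. This stdlib-only Python sketch reads a constructed client-secrets file with placeholder client_id and client_secret values, checks that the redirect URI you intend to use matches a registered one exactly (the cause of the 400 redirect_uri_mismatch error mentioned above), builds the authorization URL with the requested scopes and a random state value, and verifies that state when the browser is redirected back. google_auth_oauthlib performs these steps for you; seeing them spelled out shows what the redirect URI and scope settings in the console actually control.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the JSON downloaded from the Credentials page
# for a "Web application" client. Real files carry real identifiers;
# every value here is a placeholder.
CLIENT_SECRETS_JSON = """
{
  "web": {
    "client_id": "PLACEHOLDER.apps.googleusercontent.com",
    "project_id": "placeholder-project",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "client_secret": "PLACEHOLDER-CLIENT-SECRET",
    "redirect_uris": ["http://localhost:8080/"]
  }
}
"""


def load_client_config(raw_json):
    """Return the client block from a downloaded client secrets file.

    The console emits a top-level "web" or "installed" key depending on
    the Application type chosen when the client ID was created.
    """
    data = json.loads(raw_json)
    for key in ("web", "installed"):
        if key in data:
            return data[key]
    raise ValueError("no 'web' or 'installed' section in client secrets")


def redirect_uri_is_registered(config, redirect_uri):
    """Exact-match check, the same comparison the authorization server makes.

    Scheme, host, port and trailing slash all count, which is why
    'http://localhost:8080' fails when 'http://localhost:8080/' was registered.
    """
    return redirect_uri in config.get("redirect_uris", [])


def build_authorization_url(config, scopes, redirect_uri, state=None):
    """Build the URL the browser is sent to; returns (url, state).

    Fails early on an unregistered redirect URI instead of letting the
    server answer with 400 redirect_uri_mismatch after the user has
    already been bounced to the consent screen.
    """
    if not redirect_uri_is_registered(config, redirect_uri):
        raise ValueError(
            f"redirect_uri {redirect_uri!r} is not in the registered redirect_uris")
    # A random, unguessable state ties the callback to this request (CSRF protection).
    state = state or secrets.token_urlsafe(32)
    params = {
        "client_id": config["client_id"],
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),  # scopes are space-separated in OAuth 2.0
        "state": state,
        "access_type": "offline",   # ask for a refresh token so consent is not repeated every run
    }
    return f"{config['auth_uri']}?{urlencode(params)}", state


def callback_state_matches(callback_url, expected_state):
    """Verify the state echoed on the redirect before exchanging the code."""
    qs = parse_qs(urlparse(callback_url).query)
    return qs.get("state", [None])[0] == expected_state


if __name__ == "__main__":
    cfg = load_client_config(CLIENT_SECRETS_JSON)
    url, st = build_authorization_url(
        cfg, ["https://www.googleapis.com/auth/bigquery"], "http://localhost:8080/")
    print(url)
```

The state check matters in the run_local_server path too: the local server only accepts the code from a redirect that carries the state it generated, so a stray request to port 8080 cannot complete the flow.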

Example Code to Get & Use Credentials

The code below can help test out your new credentials. This code loads credentials and further down, there is sample code on how to use the credentials to get an access token to a service like BigQuery.

from google_auth_oauthlib import flow

launch_browser = True  # True when running locally, False when remote

appflow = flow.InstalledAppFlow.from_client_secrets_file(
    'CLIENT_SECRETS.json',
    scopes=['https://www.googleapis.com/auth/bigquery'])

if launch_browser:
    # Starts a local server on port 8080 by default, which is why
    # http://localhost:8080/ must be among the authorized redirect URIs.
    appflow.run_local_server()
else:
    # Prints a URL to visit and prompts for the code. This method was removed in
    # google-auth-oauthlib 1.0 and later, which only offer run_local_server().
    appflow.run_console()

credentials = appflow.credentials

CLIENT_SECRETS is the JSON file you download after you create your OAuth 2.0 credentials. Replace it with the path to that file or pass it in through an environment variable.

Here is a more detailed breakdown of the code above; check out the google_auth_oauthlib docs for more information on this library.

Define the Scopes that you want your application to access. Again, you can get more scope options from the Google Scopes doc.

scopes=['https://www.googleapis.com/auth/bigquery'])

Open a browser window to give authorization either automatically (run_local_server) or manually (run_console).

if launch_browser:
    appflow.run_local_server()
else:
    appflow.run_console()

Note: authorize in a browser where you are logged into an email account that is authorized for that credential and those scopes; otherwise, you get a not authorized message.

If the OAuth consent is Internal then the account has to be from your organization, and it needs to be able to grant access to the scopes you request. Usually this would be something like a person's Calendar or Gmail. For this example, I made sure the BigQuery scope was attached to the OAuth consent screen, and I set up an IAM role that granted my account access.

Get the Access Token.

credentials = appflow.credentials

Send the access token to the API to get access to the service. In this case, I sent it to the BigQuery API.

from google.cloud import bigquery

PROJECTID = 'your-gcp-project-id'  # replace with the GCP project id

client = bigquery.Client(project=PROJECTID, credentials=credentials)

Replace PROJECTID with the GCP project id.

Test that the access works. The following is example code you can use to test out on a BigQuery dataset.

query_string = """SELECT name, SUM(number) as total
FROM `bigquery-public-data.usa_names.usa_1910_current`
WHERE name = 'William'
GROUP BY name;
"""
query_job = client.query(query_string)

# Print the results.
for row in query_job.result():  # Wait for the job to complete.
    print("{}: {}".format(row['name'], row['total']))

Note: the BigQuery dataset is public but my project is not, so from my laptop I was able to kick off a query on BigQuery in my private project with these credentials.
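One thing the walkthrough does not cover is what happens to `credentials` between runs: the flow opens a browser every time unless you persist the authorized-user JSON that the google-auth `Credentials.to_json()` method produces, and that JSON contains the refresh token, which grants the same access as the user's consent. The helper below is an added example, not part of the original post or of the google-auth library. It stores such a file with owner-only permissions, refuses to load one that other users on the machine can read, and checks expiry and scopes before the cached grant is reused. The token values are constructed placeholders, and the file shape and expiry format are assumed to mirror what the library writes.

```python
import json
import os
import stat
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the authorized-user JSON written by
# google.oauth2.credentials.Credentials.to_json() after the flow completes.
# Every value below is a placeholder, not a real token.
SAMPLE_AUTHORIZED_USER = {
    "token": "ya29.PLACEHOLDER-ACCESS-TOKEN",
    "refresh_token": "1//PLACEHOLDER-REFRESH-TOKEN",
    "token_uri": "https://oauth2.googleapis.com/token",
    "client_id": "PLACEHOLDER.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER-CLIENT-SECRET",
    "scopes": ["https://www.googleapis.com/auth/bigquery"],
    "expiry": "2020-07-17T12:00:00Z",
}


def save_authorized_user(path, info):
    """Persist the token file so later runs can skip the browser consent.

    The refresh token inside is as sensitive as a password, so the file is
    created owner-read/write only (0600) and the mode is re-applied in case
    the file already existed with looser permissions.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(info, fh)
    os.chmod(path, 0o600)


def load_authorized_user(path):
    """Load the token file, refusing one that group or others can read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(
            f"{path} has mode {oct(mode)}; expected 0o600 for a file holding a refresh token")
    with open(path) as fh:
        return json.load(fh)


def access_token_expired(info, now=None, skew=timedelta(seconds=60)):
    """True when the cached access token is expired or about to expire.

    The library refreshes automatically when a refresh_token is present;
    this check is for deciding whether to trust the cache at all.
    """
    expiry = datetime.fromisoformat(info["expiry"].rstrip("Z")).replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return now + skew >= expiry


def missing_scopes(info, required):
    """Scopes the cached grant lacks; non-empty means a fresh consent is needed.

    A cached grant for a narrower scope set must not be reused for a wider one,
    which keeps the least-privilege choice made on the consent screen honest.
    """
    return sorted(set(required) - set(info.get("scopes", [])))


if __name__ == "__main__":
    save_authorized_user("token.json", SAMPLE_AUTHORIZED_USER)
    cached = load_authorized_user("token.json")
    print("expired:", access_token_expired(cached))
    print("missing:", missing_scopes(cached, ["https://www.googleapis.com/auth/bigquery"]))
```

With a file like this in place, `google.oauth2.credentials.Credentials.from_authorized_user_file()` rebuilds the credentials object and the InstalledAppFlow only needs to run when the file is absent, lacks a scope you now need, or has been revoked.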

Wrap Up

This post gives an overview of GCP authentication for end users. It steps through setting up the OAuth consent screen and the credentials, and provides example code to test them out.

I experimented with this to send a query from my laptop to run on BigQuery in my private GCP project. Why, you might ask?… Because it was a complex query that required other code to create, and it took longer than 15 minutes to run. Otherwise, I would have used BigQuery directly, or Cloud Functions or Cloud Run, but those were not the best options.

Authentication can be tricky, but it is doable and, as I know you know, important, especially from a security standpoint. Spend some time experimenting with it to get familiar, because once you get the hang of it, that is a rabbit hole you can avoid when working on applications.
