Stay organized with collections Save and categorize content based on your preferences.
This page describes how to create an OAuth client when using the customized OAuth configuration to enable IAP with Google identities.
If you want to use a Google-managed OAuth client to use for enabling IAP, see Enable IAP using a Google-managed OAuth client.
Create an OAuth clientYou can create a maximum of 36 OAuth clients for each project with the Google Cloud console. You can create a maximum of 500 OAuth clients for each project with the Google Cloud CLI.
ConsoleComplete the following steps to create an OAuth client by using the Google Cloud console.
Configure the OAuth consent screen by following the instructions in Setting up your OAuth consent screen.
Create an OAuth client by following the instructions in Setting up OAuth 2.0.
Caution: The Identity-Aware Proxy OAuth API is deprecated and is scheduled to be shut down. For more details on the deprecation, see Identity-Aware Proxy OAuth API deprecation.
Known limitationsFollowing are limitations for OAuth clients created programmatically using the API:
The OAuth consent screen, which contains branding information for users, is known as a brand. Brands can be limited to internal users or public users. An internal brand makes the OAuth flow accessible to someone who belongs to the same Google Workspace organization as the project. A public brand makes the OAuth flow available to anyone on the internet.
Brands can be created manually or programmatically by using an API. Brands created using an API are automatically configured with the following settings:
Internal. You must manually set to public.
Unreviewed. You must trigger a brand review.
To set an internal brand to public:
identityAwareProxyClients.create() API will stop working, as it requires the brand to be set to internal. Therefore, you cannot create new OAuth clients using the API after an internal brand is made public.
To trigger a brand review for an unreviewed API-created brand:
The verification process may take up to several weeks, and you will receive email updates as it progresses. Learn more about verification. While the verification process is ongoing, you can still use the application within your Google Workspace organization. Learn more about how your application will behave before it's verified.
Required permissionsBefore creating the client, ensure that the caller has been granted the following permissions:
clientauthconfig.brands.listclientauthconfig.brands.createclientauthconfig.brands.getclientauthconfig.clients.createclientauthconfig.clients.listWithSecretsclientauthconfig.clients.getWithSecretclientauthconfig.clients.deleteclientauthconfig.clients.updateThese permissions are included in the Editor (roles/editor) and Owner (roles/owner) basic roles, however we recommend that you create a custom role that contains these permissions and grant it to the caller instead.
The following steps describe how to configure the consent screen and create and oauth client for IAP.
Configuring consent screenCheck if you already have an existing brand by using the list command. You may only have one brand per project.
gcloud iap oauth-brands list
The following is an example gcloud response, if the brand exists:
name: projects/[PROJECT_NUMBER]/brands/[BRAND_ID]
applicationTitle: [APPLICATION_TITLE]
supportEmail: [SUPPORT_EMAIL]
orgInternalOnly: true
orgInternalOnly: false), but you want to restrict it to internal users, you must make that change manually from the OAuth consent screen in order to create OAuth clients with this API.If no brand exists, use the create command:
gcloud iap oauth-brands create --application_title=APPLICATION_TITLE --support_email=SUPPORT_EMAIL
The above fields are required when calling this API:
supportEmail: The support email displayed on the OAuth consent screen. This email address can either be a user's address or a Google Groups alias. While service accounts also have an email address, they are not actual valid email addresses, and cannot be used when creating a brand. However, a service account can be the owner of a Google Group. Either create a new Google Group or configure an existing group and set the desired service account as an owner of the group.
applicationTitle: The application name displayed on OAuth consent screen.
The response contains the following fields:
name: projects/[PROJECT_NUMBER]/brands/[BRAND_ID]
applicationTitle: [APPLICATION_TITLE]
supportEmail: [SUPPORT_EMAIL]
orgInternalOnly: true
Use the create command to create a client. Use the brand name from previous step.
gcloud iap oauth-clients create projects/PROJECT_NUMBER/brands/BRAND-ID --display_name=NAME
The response contains the following fields:
name: projects/[PROJECT_NUMBER]/brands/[BRAND_NAME]/identityAwareProxyClients/[CLIENT_ID]
secret: [CLIENT_SECRET]
displayName: [NAME]
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["This page provides instructions on creating OAuth clients for use with Identity-Aware Proxy (IAP) and customized OAuth configurations, using either the Google Cloud console or the Google Cloud CLI."],["You can create up to 36 OAuth clients per project using the Google Cloud console, or up to 500 using the Google Cloud CLI, but OAuth clients created via the API can only be managed through the API and are exclusively for IAP."],["Creating a brand, which holds OAuth consent screen information, is required and can be internal or public, and brands created via API are initially internal and unreviewed, requiring manual updates to change to public and trigger a review process."],["Before creating an OAuth client, the caller needs specific permissions, such as `clientauthconfig.brands.create` and `clientauthconfig.clients.create`, which can be granted through basic or custom roles."],["The setup process for an IAP OAuth client involves configuring the OAuth consent screen by checking for or creating a brand, then using the `gcloud` command to create the client using the brand name."]]],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4