OAuth application integration overview
This page provides an overview of OAuth application integration in Google Cloud.
You can use OAuth application integration to integrate your OAuth-based applications with Google Cloud. Federated users can use their identity provider (IdP) to sign in to the applications and access their Google Cloud products and data. OAuth application integration is a feature of Workforce Identity Federation.
To use OAuth application integration, you must first create a workforce identity pool and provider. You can then register the OAuth-based application using OAuth 2.0. Applications must be registered in the organization where your workforce identity pool and provider are configured.
Important: OAuth application integration works only with Identity-Aware Proxy.
OAuth application registration
To configure an application to access Google Cloud, you register the application with Google Cloud by creating OAuth client credentials. The credential contains a client secret. The application uses the access token to access the Google Cloud products and data.
OAuth client and credential security risks and mitigations
You must secure access to the IAM APIs and the client ID and secret. If the client ID and secret are leaked, security issues can result. These issues include the following:
- Impersonation: A malicious user with your client ID and secret can create an application that masquerades as your legitimate application. They can then do the following:
  - Gain unauthorized access to the user data and permissions that your application is entitled to.
  - Perform actions on the user's behalf, such as posting content, making API calls, or modifying user settings.
  - Perform phishing attacks, wherein the malicious user creates a fake login page that resembles the OAuth provider. The page can then trick users into entering their credentials, which gives the credentials to the malicious user who can then access their accounts.
- Reputational damage: A security breach can harm the reputation of your application and organization, causing users to lose trust.
In the event of a breach, to mitigate these and other risks, assess the nature of the breach and do the following:
- Ensure that only trusted users have IAM access to the OAuth client and credential API.
- Rotate the client secret immediately, by rotating the client credential, as follows:
What's next
- Learn how to manage OAuth applications.
Last updated 2026-02-18 UTC.