Manage OAuth application

This guide shows you how to manage OAuth-based application integrations with Google Cloud.

Important: OAuth application integration works only with Identity-Aware Proxy.

At a high level, to integrate an OAuth-based application, you do the following:

  1. Create an OAuth client.
  2. Create an OAuth client credential.
  3. In the OAuth client credential, obtain the client secret. To learn about risks associated with storing and accessing the client secret and strategies that can help mitigate them, see OAuth client and credential security risks and mitigations.

After you have completed these steps, the OAuth-based application can access Google Cloud products and data.

Before you begin

  1. You must have a Google Cloud organization set up.

  2. Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:

    gcloud init

    If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

    Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.

  3. You must have set up a workforce identity pool and provider in the organization in which you will register the OAuth application. Learn how to set up workforce identity federation for Microsoft Entra ID, Okta, and other OIDC and SAML 2.0 providers.

Required roles

To get the permissions that you need to register an OAuth application for your organization, ask your administrator to grant you the IAM OAuth Client Admin (roles/iam.oauthClientAdmin) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Manage OAuth clients

This section shows you how to manage OAuth clients.

Create an OAuth client

To create an OAuth client, do the following:

gcloud

    gcloud iam oauth-clients create APP_OAUTH_CLIENT_ID \
        --project=PROJECT_ID \
        --location=global \
        --client-type="CONFIDENTIAL_CLIENT" \
        --display-name="My OAuth application" \
        --description="An application registration for MyApp" \
        --allowed-scopes="https://www.googleapis.com/auth/cloud-platform" \
        --allowed-redirect-uris="REDIRECT_URI" \
        --allowed-grant-types="authorization_code_grant"

Replace the following:

  • APP_OAUTH_CLIENT_ID: a client ID to represent this OAuth client.
  • PROJECT_ID: the ID of the project where you created your workforce identity pool and provider. The project must be created in the organization where your workforce pool and provider were created.
  • REDIRECT_URI: the redirect URI for the OAuth application, for example, https://myapp.com/signin-callback.

REST

    curl -X POST \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json" \
        -H "X-Goog-User-Project: PROJECT_ID" \
        -d "{ \
            'allowedGrantTypes': ['AUTHORIZATION_CODE_GRANT'], \
            'allowedRedirectUris': ['REDIRECT_URI'], \
            'allowedScopes': ['https://www.googleapis.com/auth/cloud-platform'], \
            'clientType': 'CONFIDENTIAL_CLIENT', \
            'description': 'My OAuth client description', \
            'disabled': false, \
            'displayName': 'My OAuth client'}" \
        https://iam.googleapis.com/v1/projects/PROJECT_ID/locations/global/oauthClients\?oauthClientId\=APP_OAUTH_CLIENT_ID

Replace the following:

  • PROJECT_ID: the ID of the project where you created your workforce identity pool and provider. The project must be created in the organization where your workforce pool and provider were created.
  • REDIRECT_URI: the redirect URI for the OAuth application, for example, https://myapp.com/signin-callback.
  • APP_OAUTH_CLIENT_ID: a client ID to represent this OAuth client.

After you register the application, you create the OAuth client credential and obtain the secret that the OAuth application uses to access Google Cloud.

List OAuth clients

To list registered OAuth clients, run the following command:

gcloud

    gcloud iam oauth-clients list \
        --project=PROJECT_ID \
        --location=global

REST

    curl \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json" \
        -H "X-Goog-User-Project: PROJECT_ID" \
        https://iam.googleapis.com/v1/projects/PROJECT_ID/locations/global/oauthClients

Replace PROJECT_ID with the ID of the project where your OAuth applications are registered.

Describe an OAuth client

To describe an OAuth client, run the following command:

gcloud

    gcloud iam oauth-clients describe APP_OAUTH_CLIENT_ID \
        --project PROJECT_ID \
        --location global

Replace the following:

  • APP_OAUTH_CLIENT_ID: the ID of the OAuth client that you want to describe
  • PROJECT_ID: the ID of the project where you registered your OAuth application

REST

    curl \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json" \
        -H "X-Goog-User-Project: PROJECT_ID" \
        https://iam.googleapis.com/v1/projects/PROJECT_ID/locations/global/oauthClients/APP_OAUTH_CLIENT_ID

Replace the following:

  • PROJECT_ID: the ID of the project where you registered your OAuth application
  • APP_OAUTH_CLIENT_ID: the ID of the OAuth client that you want to describe

Update an OAuth client

To update an OAuth client, run the following command.

gcloud

    gcloud iam oauth-clients update APP_OAUTH_CLIENT_ID \
        --project=PROJECT_ID \
        --location=global \
        --allowed-redirect-uris="REDIRECT_URI"

Replace the following:

  • APP_OAUTH_CLIENT_ID: the OAuth client ID for the OAuth client that you want to update
  • PROJECT_ID: the ID of the project where you registered your OAuth application
  • REDIRECT_URI: the redirect URI for the OAuth application

To update other fields, use flags listed in gcloud iam oauth-clients update.

REST

    # The URL is quoted so that the shell does not treat "?" as a glob character.
    curl -d '{"allowedRedirectUris":"REDIRECT_URI"}' \
        -H "Content-Type: application/json" -X PATCH \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "X-Goog-User-Project: PROJECT_ID" \
        "https://iam.googleapis.com/v1/projects/PROJECT_ID/locations/global/oauthClients/APP_OAUTH_CLIENT_ID?update_mask=allowed_redirect_uris"

Replace the following:

  • PROJECT_ID: the ID of the project where you registered your OAuth application
  • APP_OAUTH_CLIENT_ID: the OAuth client ID for the OAuth client that you want to update
  • REDIRECT_URI: the redirect URI for the OAuth client

To update other fields, set update_mask to the field names listed in gcloud iam oauth-clients update.

Delete an OAuth client

To delete an OAuth client, run the following command:

gcloud

    gcloud iam oauth-clients delete APP_OAUTH_CLIENT_ID \
        --project PROJECT_ID \
        --location global

Replace the following:

  • APP_OAUTH_CLIENT_ID: the OAuth client ID to delete
  • PROJECT_ID: the ID of the project where you registered your OAuth application

REST

    curl -X DELETE \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json" \
        -H "X-Goog-User-Project: PROJECT_ID" \
        https://iam.googleapis.com/v1/projects/PROJECT_ID/locations/global/oauthClients/APP_OAUTH_CLIENT_ID

Replace the following:

  • PROJECT_ID: the ID of the project where you registered your OAuth application
  • APP_OAUTH_CLIENT_ID: the OAuth client ID to delete

Manage OAuth client credentials

This section shows you how to manage OAuth client credentials for the OAuth client.

Create an OAuth client credential

To create an OAuth client credential, run the following command:

gcloud

    gcloud iam oauth-clients credentials create APP_OAUTH_CLIENT_CREDENTIAL_ID \
        --oauth-client=APP_OAUTH_CLIENT_ID \
        --display-name='My OAuth client credential' \
        --location='global'

Replace the following:

  • APP_OAUTH_CLIENT_CREDENTIAL_ID: an ID that represents this client credential
  • APP_OAUTH_CLIENT_ID: the OAuth client ID, which you can obtain by describing the registered OAuth client application

REST

    curl -X POST \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json" \
        -H "X-Goog-User-Project: PROJECT_ID" \
        -d "{'disabled': false, 'displayName': 'My OAuth client credential'}" \
        https://iam.googleapis.com/v1/projects/PROJECT_ID/locations/global/oauthClients/APP_OAUTH_CLIENT_ID/credentials\?oauthClientCredentialId=APP_OAUTH_CLIENT_CREDENTIAL_ID

Replace the following:

  • PROJECT_ID: the ID of the project where you registered your OAuth application
  • APP_OAUTH_CLIENT_ID: the OAuth client ID, which you can obtain by describing the registered OAuth client application
  • APP_OAUTH_CLIENT_CREDENTIAL_ID: an ID that represents this client credential

List OAuth client credentials

To list OAuth client credentials, run the following command:

gcloud

    gcloud iam oauth-clients credentials list \
        --oauth-client=APP_OAUTH_CLIENT_ID \
        --project=PROJECT_ID \
        --location=global

Replace the following:

  • APP_OAUTH_CLIENT_ID: the OAuth client ID for which to list credentials
  • PROJECT_ID: the ID of the project where you registered your OAuth application

REST

    curl \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json" \
        -H "X-Goog-User-Project: PROJECT_ID" \
        https://iam.googleapis.com/v1/projects/PROJECT_ID/locations/global/oauthClients/APP_OAUTH_CLIENT_ID/credentials

Replace the following:

  • PROJECT_ID: the ID of the project where you registered your OAuth application
  • APP_OAUTH_CLIENT_ID: the OAuth client ID for which to list credentials

Describe an OAuth client credential

To describe an OAuth client credential, run the following command. You can obtain the client secret by inspecting the output.

gcloud

    gcloud iam oauth-clients credentials describe APP_OAUTH_CLIENT_CREDENTIAL_ID \
        --oauth-client=APP_OAUTH_CLIENT_ID \
        --location='global'

Replace the following:

  • APP_OAUTH_CLIENT_CREDENTIAL_ID: the ID of the OAuth client credential
  • APP_OAUTH_CLIENT_ID: the OAuth client ID, which you can obtain by describing the client application registration

REST

    curl \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json" \
        -H "X-Goog-User-Project: PROJECT_ID" \
        https://iam.googleapis.com/v1/projects/PROJECT_ID/locations/global/oauthClients/APP_OAUTH_CLIENT_ID/credentials/APP_OAUTH_CLIENT_CREDENTIAL_ID

Replace the following:

  • PROJECT_ID: the ID of the project where you registered your OAuth application
  • APP_OAUTH_CLIENT_CREDENTIAL_ID: the ID of the OAuth client credential
  • APP_OAUTH_CLIENT_ID: the OAuth client ID, which you can obtain by describing the client application registration

In the output, clientSecret is the client secret. This is the secret that the OAuth application uses to access Google Cloud.

Warning: The client secret must be stored securely. If the client secret is leaked, you must delete and re-create the client credential. To learn more, see OAuth client and credential security risks and mitigations.

Update an OAuth client credential

To update an OAuth client credential, run the following command:

gcloud

    gcloud iam oauth-clients credentials update APP_OAUTH_CLIENT_CREDENTIAL_ID \
        --oauth-client=APP_OAUTH_CLIENT_ID \
        --display-name="My new credential name" \
        --location=global

REST

    # The URL is quoted so that the shell does not treat "?" as a glob character.
    curl -d '{"displayName":"My new credential name"}' -X PATCH \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "X-Goog-User-Project: PROJECT_ID" \
        "https://iam.googleapis.com/v1/projects/PROJECT_ID/locations/global/oauthClients/APP_OAUTH_CLIENT_ID/credentials/APP_OAUTH_CLIENT_CREDENTIAL_ID?update_mask=display_name"

Replace the following:

  • PROJECT_ID: the ID of the project where you registered your OAuth application
  • APP_OAUTH_CLIENT_CREDENTIAL_ID: the ID of the OAuth client credential
  • APP_OAUTH_CLIENT_ID: the OAuth client ID, which you can obtain by describing the client application registration

Disable an OAuth client credential

Before you can delete an OAuth client credential, you must disable it. To disable the OAuth client credential, run the following command:

gcloud

    gcloud iam oauth-clients credentials update APP_OAUTH_CLIENT_CREDENTIAL_ID \
        --oauth-client=APP_OAUTH_CLIENT_ID \
        --disabled \
        --project=PROJECT_ID \
        --location=global

Replace the following:

  • PROJECT_ID: the ID of the project where you registered your OAuth application
  • APP_OAUTH_CLIENT_ID: the OAuth client ID
  • APP_OAUTH_CLIENT_CREDENTIAL_ID: the client credential ID to disable

REST

    # The URL is quoted so that the shell does not treat "?" as a glob character.
    curl -d '{"disabled":"true"}' \
        -H "Content-Type: application/json" -X PATCH \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "X-Goog-User-Project: PROJECT_ID" \
        "https://iam.googleapis.com/v1/projects/PROJECT_ID/locations/global/oauthClients/APP_OAUTH_CLIENT_ID/credentials/APP_OAUTH_CLIENT_CREDENTIAL_ID?update_mask=disabled"

Replace the following:

  • PROJECT_ID: the ID of the project where you registered your OAuth application
  • APP_OAUTH_CLIENT_ID: the OAuth client ID
  • APP_OAUTH_CLIENT_CREDENTIAL_ID: the client credential ID to disable

Delete an OAuth client credential

To delete an OAuth client credential, run the following command:

gcloud

    gcloud iam oauth-clients credentials delete APP_OAUTH_CLIENT_CREDENTIAL_ID \
        --project=PROJECT_ID \
        --oauth-client=APP_OAUTH_CLIENT_ID \
        --location=global

Replace the following:

  • APP_OAUTH_CLIENT_CREDENTIAL_ID: the client credential ID
  • PROJECT_ID: the ID of the project where you registered your OAuth application
  • APP_OAUTH_CLIENT_ID: the OAuth client ID

REST

    curl -X DELETE \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json" \
        -H "X-Goog-User-Project: PROJECT_ID" \
        https://iam.googleapis.com/v1/projects/PROJECT_ID/locations/global/oauthClients/APP_OAUTH_CLIENT_ID/credentials/APP_OAUTH_CLIENT_CREDENTIAL_ID

Replace the following:

  • PROJECT_ID: the ID of the project where you registered your OAuth application
  • APP_OAUTH_CLIENT_ID: the OAuth client ID
  • APP_OAUTH_CLIENT_CREDENTIAL_ID: the client credential ID
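
The leaked-secret response from the warning above (delete and re-create the credential, disabling it before deletion), chained into one script as an added example that is not part of the original page. The function names, DRY_RUN, SECRET_FILE and the sample IDs are hypothetical; --quiet and --format are standard gcloud flags that the page itself does not show.

```shell
# Added example, not Google's code. Function names, DRY_RUN and SECRET_FILE
# are hypothetical; the gcloud subcommands are the ones shown on this page.

# Conservative local check (an assumption, not the API's own naming rule):
# refuse empty values and anything that could parse as a flag or shell syntax.
valid_id() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# Print the steps in the order the page requires: disable the leaked
# credential, delete it, then create its replacement under a fresh ID.
rotation_plan() {
  project=$1 client=$2 old=$3 new=$4
  for id in "$project" "$client" "$old" "$new"; do
    valid_id "$id" || { echo "invalid id: '$id'" >&2; return 2; }
  done
  scope="--oauth-client=$client --project=$project --location=global"
  echo "gcloud iam oauth-clients credentials update $old $scope --disabled"
  echo "gcloud iam oauth-clients credentials delete $old $scope --quiet"
  echo "gcloud iam oauth-clients credentials create $new $scope --display-name=rotated"
}

# DRY_RUN=1 (default) only prints the plan. DRY_RUN=0 executes it and writes
# the new secret to SECRET_FILE with owner-only permissions, not the terminal.
rotate_credential() {
  plan=$(rotation_plan "$@") || return 2
  while IFS= read -r step; do
    if [ "${DRY_RUN:-1}" = 1 ]; then
      echo "+ $step"
    else
      $step </dev/null || return 1   # stop at the first failed step
    fi
  done <<EOF
$plan
EOF
  [ "${DRY_RUN:-1}" = 1 ] && return 0
  ( umask 077
    gcloud iam oauth-clients credentials describe "$4" \
      --oauth-client="$2" --project="$1" --location=global \
      --format='value(clientSecret)' > "${SECRET_FILE:-./client_secret}" )
}

# Constructed sample IDs; with the default DRY_RUN this only prints the plan.
rotate_credential example-project example-client leaked-cred replacement-cred
```

Review the printed plan first, then rerun with DRY_RUN=0; the application must be reconfigured with the new secret before it can authenticate again.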

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.