To enable IBM App Connect to work with Google™ applications like Gmail™ and Google Sheets™, you need to get an OAuth 2.0 client ID, client secret, access token, and refresh token with appropriately-selected scopes for Google APIs.

High-level procedure:

  1. In the Google API Console or the Google Cloud Platform Console, select or create a project
  2. Define a consent screen for you to use to authorise a request to get an access token and refresh token
  3. Get an OAuth client ID and secret
  4. Enable the Google APIs that you want to let IBM App Connect use with your Google data
  5. Get an access token and refresh token and select API scopes

The procedure described in this page assumes that you do not already have a suitable OAuth client ID and client secret for a project that has the Google APIs enabled, and that to give IBM App Connect access to a consumer Gmail account you want to use the Google API Console to get an OAuth client ID and client secret and use the Google Developers OAuth 2.0 Playground to get an access token and refresh token.

If you do have a suitable OAuth client ID and client secret, you can use those to get an access token and refresh token and select API scopes without having to create and configure a new project. Likewise, if you have an access token and refresh token with appropriate API scopes, you can use those tokens with your client ID and client secret in IBM App Connect if you want to create a new account for a Google application.

There are other ways to get the required OAuth credentials, such as if you are G Suite account holder using the Google Cloud Platform (GCP) Console (an alternative to the Google API Console described in this page). For more information about Google use of OAuth 2.0, see the Google docs such as Using OAuth 2.0 to Access Google APIs and Control which third-party & internal apps access G Suite data.

Start with a project

In the Google API Console, you configure details for OAuth 2.0 authentication and authorization in a project.

You can either use an existing project or create a new project for IBM App Connect.

  • Read more

    1. Open the Google API Console https://console.developers.google.com/apis/dashboard.
      (Sign in with your Google account)
    2. From the project drop-down menu, select an existing project or create a new project, as follows:
      1. Click NEW PROJECT
      2. If displayed, agree to the terms of service for Google Cloud Platform to continue
      3. Enter a project name that will help you manage OAuth for IBM App Connect; for example: Project for IBM App Connect
      4. Click CREATE. (This returns you to the dashboard.)
Google API Console – Create a new project

Define a consent screen for you to use to authorise a request to get an access token and refresh token

Use the OAuth consent screen option to define a consent screen.
The consent screen will only be used by you to get an access token and refresh token for IBM App Connect use.

  • Read more

    1. Select the OAuth consent screen option
    2. If you are not a G Suite user, the ‘External’ check box is selected, so you can use your app yourself or can make your app available to any user with a Google account. These users might see an “unverified app” screen when configuring an access token and refresh token, but can use the OAuth credentials to connect IBM App Connect to Google apps.

      As a G Suite user, you can select the ‘Internal’ check box to make your app available to other users in your organization. In G Suite, depending on your organizational structure, settings, and policies, users can create their own Client ID and Client secret or might use the G Suite account holder’s Client ID and Client secret. Those users will not see an “unverified app” screen when configuring an access token and refresh token, and can use the OAuth credentials to connect IBM App Connect to Google apps.

    3. Click CREATE
    4. Enter an Application name to help you manage OAuth for IBM App Connect; for example: App for IBM App Connect
    5. In the Authorized domains field, enter ibm.com, then press return to add this to your list of authorized domains
    6. Click Save. (This displays the consent screen details.)
Google API Console – Create a new consent screen

Get an OAuth client ID and secret

Use the Credentials option to get an OAuth client ID and secret.

  • Read more

    1. Click the Credentials option
    2. Click + CREATE CREDENTIALS
    3. Click OAuth client ID
    4. Click ‘Web application’ check box
    5. Enter a Name to help you manage OAuth for IBM App Connect; for example: Web client for IBM App Connect
    6. In the ‘Authorized redirect URIs’ field, enter the redirect URI for Google API playground (in this procedure, we later use that to get the access token and refresh token): https://developers.google.com/oauthplayground, then press return to add this to your list
    7. Click Create

    The OAuth client is created, and the Client ID and secret are displayed. You can copy the values displayed, or download them as a JSON file from the Credentials page at any time.

    To continue, close the ‘OAuth client created’ window.

Google API Console – Create a new client ID and secret

If you later want to see the Client ID and secret, or add redirect URIs for other IBM App Connect services, from the dashboard click the Credentials option and then click the row under OAuth 2.0 Client IDs

Enable the Google APIs that you want to let IBM App Connect use with your Google data

For your project, enable the Google APIs that can be used. We’ll later define the scopes of API use that you want to allow; for example, to only retrieve messages or to create new spreadsheets.

  • Read more

    1. Click the Library option
    2. Select a Google API that you want to use in IBM App Connect flows, then click ENABLE

    Repeat these steps for each of the Google apps that you want to use in IBM App Connect; for example:

    Gmail			Gmail API
    Google Analytics        Google Analytics API
    Google Drive		Google Drive API
    Google Sheets		Google Sheets API	
    

The APIs that you have enabled are listed on the dashboard; for example:

Google API Console dashboard, showing the list of APIs enabled

Get an access token and refresh token and select API scopes

The following steps use the Google Developers OAuth 2.0 Playground to get an access token and refresh token, and select the scopes of APIs for each of the Google apps that you want to use in IBM App Connect.

This stage selects the API scopes and gets an access token and refresh token for the Google account that you want IBM App Connect to use. That account can be different to the Google account used in earlier stages to create the Google app (to get the client ID and client secret).

If you want IBM App Connect to be able to perform a complete set of events and actions, you can select the scopes with the highest permissions, as listed in this section. You can limit the permissions for IBM App Connect so that it can only perform a subset of events and actions; by getting an access token with only the scopes needed for one Google application, and by selecting only the most-restricted scopes that are needed for an event or action. You can get several access tokens, each with a different restricted selection of scopes needed for events/actions on one or more Google applications. For example, you might get an access token with the scope https://www.googleapis.com/auth/gmail.readonly to permit IBM App Connect flows to be triggered by the New email event and to perform the Retrieve emails action.

  • Read more

    1. Display the Google Developers OAuth 2.0 Playground: https://developers.google.com/oauthplayground/
    2. Specify your client ID and client secret:
      1. Click the Settings icon (on the right)
      2. Select the ‘Use your own OAuth credentials’ checkbox
      3. Enter your OAuth Client ID and OAuth Client secret
      4. Click Close
      Google Developers OAuth 2.0 Playground, setting your client ID and secret
    3. In ‘Step 1 Select & authorize APIs’, select the scopes of APIs for each of the Google apps that you want to use in IBM App Connect.

      To enable IBM App Connect to perform all events and actions, we recommend you select from the following scope list for the Google applications that you want to use:

      • For Gmail app – (Under Gmail API v1)
        • https://www.googleapis.com/auth/gmail.modify
      • For Google Drive app – (Under Drive API v3)
        • https://www.googleapis.com/auth/drive
      • For Google Sheets app – (Under Google Sheets API v4)
        • https://www.googleapis.com/auth/drive
      • For Google Analytics app – (Under Google Analytics API v3)
        • https://www.googleapis.com/auth/analytics
        • https://www.googleapis.com/auth/analytics.edit
        • https://www.googleapis.com/auth/analytics.manage.users
        • https://www.googleapis.com/auth/analytics.manage.users.readonly
        • https://www.googleapis.com/auth/analytics.readonly

      To enable IBM App Connect to perform only a subset of events and actions, such as ‘New email’ event to trigger flows or ‘Create email’ action to send emails, you can select API scopes with smaller permissions; for example, for Gmail events and actions you can select the following mimimum API scopes:

      • ‘New email’ event and ‘Retrieve emails’ action:
        • https://www.googleapis.com/auth/gmail.readonly
      • ‘Create email’ action:
        • https://www.googleapis.com/auth/gmail.readonly
        • https://www.googleapis.com/auth/gmail.send
      • ‘Delete email’ action:
        • https://www.googleapis.com/auth/gmail.readonly
        • https://www.googleapis.com/auth/gmail.compose
      • ‘Update email labels’ action requires the scope https://www.googleapis.com/auth/gmail.modify, which enable IBM App Connect to perform all events and actions.

      (For the mimimum API scopes for Google Analytics, Google Drive, and Google Sheets, see the footnote on this page.)

      Google APIs Playground, selecting APIs
    4. Click Authorize APIs.
    5. On the ‘Choose an account’ window, select the Google account that you want to use in IBM App Connect.

      If this displays the message “This app isn’t verified”, it is because the app that you are configuring hasn’t been verified by Google. To continue:

      1. Click the Advanced link, to show the option to continue
      2. Click the ‘Go to <app project name>’ link (for the OAuth consent screen that you defined earlier)

      This shows dialog windows for each of the Google APIs that you selected earlier.

      For each dialog window, click Allow. (If you have concerns about any permissions shown, you can later go back and change the Google APIs that you selected.)

      After the last dialog window, the OAuth consent screen that you defined earlier is displayed (populated with the Google APIs that you have allowed.

      Google APIs Playground, OAuth consent window
    6. In the OAuth consent window, click Allow. (If you have concerns about any permissions shown, you can clear option checkboxes or can go back and change the Google APIs that you enabled.)
    7. Under ‘Step 2 Exchange authorization code for tokens’
      1. Select the check box ‘Auto-refresh the token before it expires’
      2. Click Exchange authorization code for tokens.

This generates and displays an access token and refresh token and the scope for the APIs that you selected; for example:

{
  "access_token": "ya29.Il-9B2KbXhweZamxIsHe3_rjblkc7Xh_...VyvmQlj-JgAuWsTeTw29Hl22ivqHUIdwuDVn9ixxaEGJoDkZBZAkaCss4w", 
  "scope": "https://www.googleapis.com/auth/analytics.manage.users.readonly https://www.googleapis.com/auth/analytics https://www.googleapis.com/auth/analytics.readonly https://www.googleapis.com/auth/gmail.modify https://www.googleapis.com/auth/analytics.manage.users https://www.googleapis.com/auth/analytics.edit https://www.googleapis.com/auth/drive", 
  "token_type": "Bearer", 
  "expires_in": 3599, 
  "refresh_token": "1//04g2mKH5RhxUECgYIARAAGAQSNwF-L9IreLqEqk...x5eDp6nTKBRsxCRMVW6gU9ijJnY02uQRuw"
}

Copy the token values to somewhere secure and available for you to use in IBM App Connect when you connect to Google apps.

You now have the OAuth client ID, client secret, access token, and refresh token for Google applications

In IBM App Connect, when you create a new account for a Google app, enter your client ID, client secret, access token, and refresh token; for example:

In the App Connect / Catalog, connect to Gmail with OAUth 2.0 credentials (Click the image to view full size.)


  • Minimum scopes for Google Analytics, Google Drive, and Google Sheets operations

    Google Analytics API minimum scopes
    Operations Minimum scopes needed
    Retrieve account user links
    • https://www.googleapis.com/auth/analytics
    • https://www.googleapis.com/auth/analytics.manage.users
    Retrieve custom data sources https://www.googleapis.com/auth/analytics
    Retrieve custom data sources https://www.googleapis.com/auth/analytics.edit
    Retrieve custom data sources https://www.googleapis.com/auth/analytics.readonly
    Retrieve custom dimensions https://www.googleapis.com/auth/analytics
    Retrieve custom dimensions https://www.googleapis.com/auth/analytics.readonly
    Retrieve custom metrics https://www.googleapis.com/auth/analytics
    Retrieve custom metrics https://www.googleapis.com/auth/analytics.readonly
    Retrieve filters https://www.googleapis.com/auth/analytics.edit
    Retrieve filters https://www.googleapis.com/auth/analytics.readonly
    Retrieve goals https://www.googleapis.com/auth/analytics
    Retrieve MCF reports https://www.googleapis.com/auth/analytics
    Retrieve MCF reports https://www.googleapis.com/auth/analytics.readonly
    Retrieve profile filter links
    • https://www.googleapis.com/auth/analytics
    • https://www.googleapis.com/auth/analytics.edit
    • https://www.googleapis.com/auth/analytics.manage.users
    • https://www.googleapis.com/auth/analytics.manage.users.readonly
    • https://www.googleapis.com/auth/analytics.readonly
    Retrieve profile user links
    • https://www.googleapis.com/auth/analytics
    • https://www.googleapis.com/auth/analytics.manage.users
    Retrieve profiles
    • https://www.googleapis.com/auth/analytics
    • https://www.googleapis.com/auth/analytics.edit
    • https://www.googleapis.com/auth/analytics.readonly
    Retrieve web properties
    • https://www.googleapis.com/auth/analytics
    • https://www.googleapis.com/auth/analytics.edit
    • https://www.googleapis.com/auth/analytics.readonly
    Google Drive API minimum scopes
    Operations Minimum scopes needed
    Create comment https://www.googleapis.com/auth/drive.file
    Retrieve comments
    • https://www.googleapis.com/auth/drive.readonly
    • https://www.googleapis.com/auth/drive.file
    • https://www.googleapis.com/auth/drive.metadata
    Retrieve all comments
    • https://www.googleapis.com/auth/drive.readonly
    • https://www.googleapis.com/auth/drive.metadata
    • https://www.googleapis.com/auth/drive.metadata.readonly
    Create file https://www.googleapis.com/auth/drive.file
    Retrieve all files
    • https://www.googleapis.com/auth/drive.readonly
    • https://www.googleapis.com/auth/drive.file
    • https://www.googleapis.com/auth/drive.metadata
    • https://www.googleapis.com/auth/drive.metadata.readonly
    Retrieve file metadata
    • https://www.googleapis.com/auth/drive.readonly
    • https://www.googleapis.com/auth/drive.file
    • https://www.googleapis.com/auth/drive.metadata
    • https://www.googleapis.com/auth/drive.metadata.readonly
    Download file
    • https://www.googleapis.com/auth/drive.readonly
    • https://www.googleapis.com/auth/drive.file
    Create folder https://www.googleapis.com/auth/drive.file
    Retrieve folder
    • https://www.googleapis.com/auth/drive.readonly
    • https://www.googleapis.com/auth/drive.file
    • https://www.googleapis.com/auth/drive.metadata
    • https://www.googleapis.com/auth/drive.metadata.readonly
    • https://www.googleapis.com/auth/drive.photos.readonly
    Retrieve folder items
    • https://www.googleapis.com/auth/drive.readonly
    • https://www.googleapis.com/auth/drive.appdata
    • https://www.googleapis.com/auth/drive.file
    • https://www.googleapis.com/auth/drive.metadata
    • https://www.googleapis.com/auth/drive.metadata.readonly
    Retrieve all folders
    • https://www.googleapis.com/auth/drive.readonly
    • https://www.googleapis.com/auth/drive.metadata
    • https://www.googleapis.com/auth/drive.metadata.readonly
    Generate page tokens
    • https://www.googleapis.com/auth/drive.readonly
    • https://www.googleapis.com/auth/drive.file
    • https://www.googleapis.com/auth/drive.metadata
    • https://www.googleapis.com/auth/drive.metadata.readonly
    Create permissions https://www.googleapis.com/auth/drive.file
    Retrieve permissions
    • https://www.googleapis.com/auth/drive.readonly
    • https://www.googleapis.com/auth/drive.file
    • https://www.googleapis.com/auth/drive.metadata
    Create reply https://www.googleapis.com/auth/drive.file
    Retrieve reply
    • https://www.googleapis.com/auth/drive.readonly
    • https://www.googleapis.com/auth/drive.file
    Retrieve revision
    • https://www.googleapis.com/auth/drive.readonly
    • https://www.googleapis.com/auth/drive.file
    • https://www.googleapis.com/auth/drive.metadata
    • https://www.googleapis.com/auth/drive.metadata.readonly
    Retrieve all revisions
    • https://www.googleapis.com/auth/drive.readonly
    • https://www.googleapis.com/auth/drive.file
    • https://www.googleapis.com/auth/drive.metadata
    • https://www.googleapis.com/auth/drive.metadata.readonly
    All above operations https://www.googleapis.com/auth/drive
    Google Sheets API minimum scopes
    Action operations Minimum scopes needed
    Create row https://www.googleapis.com/auth/drive.file
    Retrieve Row
    • https://www.googleapis.com/auth/drive.file
    • https://www.googleapis.com/auth/drive.readonly
    Create spreadsheet https://www.googleapis.com/auth/drive.file
    Retrieve spreadsheet
    • https://www.googleapis.com/auth/drive.file
    • https://www.googleapis.com/auth/drive.readonly
    Create worksheet https://www.googleapis.com/auth/drive.file
    All above operations https://www.googleapis.com/auth/drive
    Event operations Minimum Scopes Needed
    New complete row appended
    • https://www.googleapis.com/auth/drive.file
    • https://www.googleapis.com/auth/drive.readonly
    New spreadsheet
    • https://www.googleapis.com/auth/drive.file
    • https://www.googleapis.com/auth/drive.readonly
    All above operations https://www.googleapis.com/auth/drive

Join The Discussion

Your email address will not be published. Required fields are marked *