Stay organized with collections
Save and categorize content based on your preferences.
This page provides an overview of OAuth application integration in Google Cloud.
You can use OAuth application integration to integrate your OAuth-based
applications with Google Cloud. Federated users can use their identity provider
(IdP) to sign in to the applications and access their Google Cloud
products and data. OAuth application integration is a feature of
Workforce Identity Federation.
To use OAuth application integration, you must first create a workforce
identity pool and provider. You can then register the OAuth-based application
using OAuth 2.0. Applications must be registered in the organization where your
workforce identity pool and provider are configured.
OAuth application registration
To configure an application to access Google Cloud, you register the
application with Google Cloud by creating OAuth client credentials.
The credential contains a client secret. The application uses the access token
to access the Google Cloud products and data.
OAuth client and credential security risks and mitigations
You must secure access to the IAM APIs and the client ID and
secret. If the client ID and secret is leaked, security issues can result. These
issues include the following:
Impersonation: A malicious user with your client ID and secret can create an
application that masquerades as your legitimate application. They can then
do the following:
Gain unauthorized access to the user data and permissions that your
application is entitled to.
Perform actions on the user's behalf, such as posting content, making API
calls, or modifying user settings.
Perform phishing attacks, wherein the malicious user creates a fake login
page that resembles the OAuth provider. The page can then trick users into
entering their credentials, which gives the credentials to the malicious
user who can then access their accounts.
Reputational damage: A security breach can harm the reputation of your
application and organization, causing users to lose trust.
In the event of a breach, to mitigate these and other risks, assess the nature
of the breach and do the following:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eOAuth application integration enables federated users to sign in to applications and access Google Cloud resources using their existing identity provider.\u003c/p\u003e\n"],["\u003cp\u003eTo utilize OAuth application integration, a workforce identity pool and provider must be created, and applications must be registered using OAuth 2.0 within the configured organization.\u003c/p\u003e\n"],["\u003cp\u003eOAuth application integration functions exclusively with Identity-Aware Proxy for secure access.\u003c/p\u003e\n"],["\u003cp\u003eSecurity is crucial, as compromised client IDs and secrets can lead to impersonation, unauthorized data access, and reputational damage.\u003c/p\u003e\n"],["\u003cp\u003eIn case of a security breach, client secrets should be rotated immediately by creating a new credential, disabling the old one, and then deleting it.\u003c/p\u003e\n"]]],[],null,["# OAuth application integration overview\n\nThis page provides an overview of OAuth application integration in Google Cloud.\n\nYou can use OAuth application integration to integrate your OAuth-based\napplications with Google Cloud. Federated users can use their identity provider\n(IdP) to sign in to the applications and access their Google Cloud\nproducts and data. OAuth application integration is a feature of\nWorkforce Identity Federation.\n\nTo use OAuth application integration, you must first create a workforce\nidentity pool and provider. You can then register the OAuth-based application\nusing OAuth 2.0. Applications must be registered in the organization where your\nworkforce identity pool and provider are configured.\n\n\u003cbr /\u003e\n\n| **Important:** OAuth application integration works only with Identity-Aware Proxy.\n\n\u003cbr /\u003e\n\nOAuth application registration\n------------------------------\n\nTo configure an application to access Google Cloud, you [register](/iam/docs/workforce-manage-oauth-app#create) the\napplication with Google Cloud by creating [OAuth client credentials](https://tools.ietf.org/html/rfc6749#section-4.4).\nThe credential contains a client secret. The application uses the access token\nto access the Google Cloud products and data.\n\nOAuth client and credential security risks and mitigations\n----------------------------------------------------------\n\nYou must secure access to the IAM APIs and the client ID and\nsecret. If the client ID and secret is leaked, security issues can result. These\nissues include the following:\n\n- Impersonation: A malicious user with your client ID and secret can create an\n application that masquerades as your legitimate application. They can then\n do the following:\n\n - Gain unauthorized access to the user data and permissions that your application is entitled to.\n - Perform actions on the user's behalf, such as posting content, making API calls, or modifying user settings.\n - Perform phishing attacks, wherein the malicious user creates a fake login page that resembles the OAuth provider. The page can then trick users into entering their credentials, which gives the credentials to the malicious user who can then access their accounts.\n- Reputational damage: A security breach can harm the reputation of your\n application and organization, causing users to lose trust.\n\nIn the event of a breach, to mitigate these and other risks, assess the nature\nof the breach and do the following:\n\n- Ensure that only trusted users have IAM access to the [OAuth\n client and credential API](/iam/docs/workforce-manage-oauth-app).\n\n- Rotate the client secret immediately, by rotating the client credential, as\n follows:\n\n 1. [Create a new client credential](/iam/docs/workforce-manage-oauth-app#create-credential) for the OAuth client.\n 2. [Disable the old client credential](/iam/docs/workforce-manage-oauth-app#disable-credential).\n 3. [Delete the old client credential](/iam/docs/workforce-manage-oauth-app#delete-credential).\n\nWhat's next\n===========\n\n- Learn how to [Manage OAuth applications](/iam/docs/workforce-manage-oauth-app)."]]
