Tetap teratur dengan koleksi
Simpan dan kategorikan konten berdasarkan preferensi Anda.
Halaman ini menjelaskan cara membuat klien OAuth secara terprogram untuk digunakan dengan
IAP, sehingga Anda dapat menyiapkan IAP
secara menyeluruh secara terprogram untuk aplikasi internal.
Batasan umum
Ada beberapa batasan untuk klien OAuth yang dibuat secara terprogram menggunakan API ini:
Klien OAuth yang dibuat oleh API hanya dapat diubah dengan menggunakan API. Anda
tidak dapat mengubah klien OAuth melalui konsol Google Cloud jika dibuat
menggunakan API.
Klien OAuth yang dibuat oleh API dikunci hanya untuk penggunaan IAP, dan
karenanya API tidak mengizinkan pembaruan apa pun pada URI pengalihan atau atribut
lainnya.
API tidak beroperasi pada klien OAuth yang dibuat menggunakan
konsol Google Cloud .
Hanya 500 klien OAuth yang diizinkan per project saat menggunakan API.
Merek layar izin OAuth yang dibuat API memiliki batasan tertentu. Lihat
bagian di bawah untuk mengetahui informasi selengkapnya.
Memahami brand dan status branding
Layar izin OAuth,
yang berisi informasi branding untuk pengguna, dikenal sebagai brand. Merek
dapat dibatasi untuk pengguna internal atau pengguna publik. Merek internal membuat
alur OAuth dapat diakses oleh seseorang yang termasuk dalam organisasi Google Workspace
yang sama dengan project. Merek publik menyediakan alur OAuth bagi
siapa saja di internet.
Merek dapat dibuat secara manual atau terprogram melalui API. Merek yang dibuat API
otomatis dikonfigurasi dengan setelan yang berbeda:
Setelan ini ditetapkan ke internal dan harus ditetapkan secara manual ke publik jika
diinginkan
Video tersebut ditetapkan ke status "belum ditinjau" dan peninjauan merek harus dipicu
Untuk menetapkan merek internal ke publik secara manual:
Pilih project yang diinginkan dari menu drop-down.
Di halaman OAuth consent screen, perhatikan bahwa User Type
otomatis ditetapkan ke Internal. Untuk menyetelnya ke Publik, klik
Edit Aplikasi. Opsi konfigurasi lainnya akan tersedia.
Di bagian Jenis aplikasi, klik Publik.
Untuk memicu peninjauan merek untuk merek yang dibuat API yang belum ditinjau:
Pilih project yang diinginkan dari menu drop-down.
Di halaman OAuth consent screen, masukkan informasi yang diperlukan, lalu
klik Submit for verification.
Proses verifikasi mungkin memerlukan waktu hingga beberapa minggu, dan Anda akan menerima
informasi progresnya melalui email.
Pelajari lebih lanjut
verifikasi. Saat proses verifikasi sedang berlangsung, Anda tetap dapat menggunakan aplikasi dalam organisasi Google Workspace.
Pelajari lebih lanjut perilaku
aplikasi Anda sebelum diverifikasi.
Sebelum memulai
Sebelum Anda dapat membuat klien, pastikan terlebih dahulu bahwa pemanggil telah diberi
izin berikut:
clientauthconfig.brands.list
clientauthconfig.brands.create
clientauthconfig.brands.get
clientauthconfig.clients.create
clientauthconfig.clients.listWithSecrets (Hanya diperlukan untuk mencantumkan klien
OAuth dengan secret.)
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.delete
clientauthconfig.clients.update
Izin ini disertakan dalam peran dasar Editor (roles/editor) dan Pemilik (roles/owner), tetapi sebaiknya Anda membuat peran khusus yang berisi izin ini dan memberikannya kepada pemanggil.
Menyiapkan OAuth untuk IAP
Langkah-langkah berikut menjelaskan cara mengonfigurasi layar izin dan membuat serta
klien oauth untuk IAP.
Mengonfigurasi layar izin
Periksa apakah Anda sudah memiliki merek yang ada dengan menggunakan perintah list. Anda hanya boleh memiliki satu merek per project.
gcloudiapoauth-brandslist
Berikut adalah contoh respons gcloud, jika merek tersebut ada:
supportEmail: Email dukungan yang ditampilkan di layar izin OAuth.
Alamat email ini dapat berupa alamat pengguna atau alias Google Grup.
Meskipun akun layanan juga memiliki alamat email, alamat tersebut bukan alamat email
yang valid, dan tidak dapat digunakan saat membuat merek. Namun,
akun layanan dapat menjadi pemilik Grup Google. Buat
Grup Google baru atau konfigurasikan grup yang ada dan tetapkan akun layanan
yang diinginkan sebagai pemilik grup.
applicationTitle: Nama aplikasi yang ditampilkan di layar izin
OAuth.
Gunakan client ID (client_id dalam contoh di atas) dan secret untuk mengaktifkan
IAP. Lihat topik berikut untuk mengetahui informasi selengkapnya tentang cara mengaktifkan IAP menggunakan kredensial yang baru saja Anda buat:
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-08-18 UTC."],[[["\u003cp\u003eThis guide outlines how to programmatically create OAuth clients for Identity-Aware Proxy (IAP) to enable end-to-end setup for internal applications.\u003c/p\u003e\n"],["\u003cp\u003eOAuth clients created via the API are specifically for IAP usage, cannot be modified through the Google Cloud console, and have limited attributes, such as redirect URIs that can not be updated.\u003c/p\u003e\n"],["\u003cp\u003eAPI-created brands for OAuth consent screens are initially set to internal and "unreviewed," requiring manual adjustment to public and submission for a brand review, which will halt the creation of new clients when changed.\u003c/p\u003e\n"],["\u003cp\u003eBefore creating clients, ensure the caller has the required permissions like \u003ccode\u003eclientauthconfig.brands.list\u003c/code\u003e and \u003ccode\u003eclientauthconfig.clients.create\u003c/code\u003e, and that you have a Google Group setup with a valid service account.\u003c/p\u003e\n"],["\u003cp\u003eThe API allows only 500 OAuth clients to be created per project.\u003c/p\u003e\n"]]],[],null,["# Programmatically creating OAuth clients for IAP\n\nThis page describes how to programmatically create OAuth clients for use with\nIAP, enabling you to set up IAP\nprogrammatically end-to-end for internal applications.\n\nKnown limitations\n-----------------\n\nThere are a few limitations for OAuth clients created programmatically\nusing this API:\n\n- OAuth clients created by the API can only be modified by using the API. You cannot modify an OAuth client via the Google Cloud console if it was created by using the API.\n- The OAuth clients created by the API are locked for IAP usage only, and therefore the API does not allow any updates to the redirect URI or other attributes.\n- The API does not operate on the OAuth clients that were created using the Google Cloud console.\n- Only 500 OAuth clients are allowed per project when using the API.\n- API-created OAuth consent screen brands have specific limitations. See the [section below](#branding) for more information.\n\nUnderstanding brands and branding state\n---------------------------------------\n\nThe [OAuth consent screen](https://console.cloud.google.com/apis/credentials/consent),\nwhich contains branding information for users, is known as a **brand**. Brands\ncan be limited to internal users or public users. An internal brand makes the\nOAuth flow accessible to someone who belongs to the same Google Workspace\norganization as the project. A public brand makes the OAuth flow available to\nanyone on the internet.\n\nBrands can be created manually or programmatically via an API. API-created\nbrands are automatically configured with different settings:\n\n- They're set to internal and must be manually set to public if desired\n- They're set to an \"unreviewed\" state and a brand review must be triggered\n\nTo manually set an internal brand to public:\n\n1. Open the [OAuth consent screen](https://console.cloud.google.com/apis/credentials/consent).\n2. Select your desired project from the drop-down menu.\n3. On the **OAuth consent screen** page, note that the **User Type** is automatically set to **Internal** . To set it to **Public** , click **Edit App**. More configuration options become available.\n4. Under **Application type** , click **Public**.\n\n| **Note:** When an API-created internal brand is set to public, the [`identityAwareProxyClients.create()`](/iap/docs/reference/rest/v1/projects.brands.identityAwareProxyClients/create) API will stop working, as it requires the brand to be set to internal. Therefore, you cannot create new OAuth clients via the API after an internal brand is made public.\n\nTo trigger a brand review for an unreviewed API-created brand:\n\n1. Open the [OAuth consent screen](https://console.cloud.google.com/apis/credentials/consent).\n2. Select your desired project from the drop-down menu.\n3. On the **OAuth consent screen** page, enter any required information, and then click **Submit for verification**.\n\nThe verification process may take up to several weeks, and you will receive\nemail updates as it progresses.\n[Learn more](https://support.google.com/cloud/answer/9110914?hl=en) about\nverification. While the verification process is ongoing, you can still use the\napplication within your Google Workspace organization.\n[Learn more](https://support.google.com/cloud/answer/7454865?hl=en_US) about how\nyour application will behave before it's verified.\n\nBefore you begin\n----------------\n\nBefore you can create a client, first ensure that the caller has been granted\nthe following permissions:\n\n- `clientauthconfig.brands.list`\n- `clientauthconfig.brands.create`\n- `clientauthconfig.brands.get`\n- `clientauthconfig.clients.create`\n- `clientauthconfig.clients.listWithSecrets` (Only required for listing OAuth clients with secret.)\n- `clientauthconfig.clients.getWithSecret`\n- `clientauthconfig.clients.delete`\n- `clientauthconfig.clients.update`\n\nThese permissions are included in the Editor (`roles/editor`) and Owner\n(`roles/owner`) [basic roles](/iam/docs/understanding-roles#basic),\nhowever we recommend that you create a\n[custom role](/iam/docs/understanding-roles#custom_roles) that contains these\npermissions and grant it to the caller instead.\n\nSet up OAuth for IAP\n--------------------\n\nThe following steps describe how to configure the consent screen and create and\noauth client for IAP.\n\n### Configuring consent screen\n\n1. Check if you already have an existing brand by using the\n [list](/sdk/gcloud/reference/iap/oauth-brands/list) command. You may\n only have one brand per project.\n\n ```bash\n gcloud iap oauth-brands list\n ```\n\n The following is an example gcloud response, if the brand exists: \n\n name: projects/[PROJECT_NUMBER]/brands/[BRAND_ID]\n applicationTitle: [APPLICATION_TITLE]\n supportEmail: [SUPPORT_EMAIL]\n orgInternalOnly: true\n\n | **Note:** If a brand already exists for a project and has been configured for external users (`orgInternalOnly: false`), but you want to restrict it to internal users, you must make that change manually from the [OAuth consent screen](https://console.cloud.google.com/auth/audience) in order to create OAuth clients with this API.\n2. If no brand exists, use the\n [create](/sdk/gcloud/reference/iap/oauth-brands/create) command:\n\n ```bash\n gcloud iap oauth-brands create --application_title=APPLICATION_TITLE --support_email=SUPPORT_EMAIL\n ```\n\n\n The above fields are required when calling this API:\n - `supportEmail`: The support email displayed on the OAuth consent screen.\n This email address can either be a user's address or a Google Groups alias.\n While service accounts also have an email address, they are not actual\n valid email addresses, and cannot be used when creating a brand. However,\n a service account can be the owner of a Google Group. Either create a\n new Google Group or configure an existing group and set the desired service\n account as an owner of the group.\n\n | **Note:** The user issuing the request must be an owner of the specified support email address.\n - `applicationTitle`: The application name displayed on OAuth consent\n screen.\n\n The response contains the following fields: \n\n name: projects/[PROJECT_NUMBER]/brands/[BRAND_ID]\n applicationTitle: [APPLICATION_TITLE]\n supportEmail: [SUPPORT_EMAIL]\n orgInternalOnly: true\n\n### Creating an IAP OAuth Client\n\n1. Use the create command to\n [create](/sdk/gcloud/reference/iap/oauth-clients/create) a client. Use\n the brand `name` from previous step.\n\n ```bash\n gcloud iap oauth-clients create projects/PROJECT_NUMBER/brands/BRAND-ID --display_name=NAME\n ```\n\n The response contains the following fields: \n\n name: projects/[PROJECT_NUMBER]/brands/[BRAND_NAME]/identityAwareProxyClients/[CLIENT_ID]\n secret: [CLIENT_SECRET]\n displayName: [NAME]\n\nUse the client ID (`client_id` in the above example) and `secret` to enable\nIAP. See the following topics for more information about\nenabling IAP using the credentials you've just created:\n\n- [IAP for Kubernetes Engine](/iap/docs/enabling-kubernetes-howto)\n- [IAP for App Engine](/iap/docs/app-engine-quickstart)\n- [IAP for Compute Engine](/iap/docs/enabling-compute-howto)\n- [IAP for Cloud Run](/iap/docs/enabling-cloud-run)"]]