Google authentication

Google OAuth 2.0 is an open standard for access delegation. It lets users log in to Team Edition using their Google account and enables single sign-on (SSO).

Info

For details, see the Google Identity documentation.

Prerequisites

Make sure you have:

  • A Google account with access to Google Cloud Console.
  • An OAuth 2.0 application configured in Google Cloud.

Configuration steps

Enable Google authentication

  1. As an administrator, go to Settings -> Server Configuration.
  2. Find and activate the Google option in the Configuration section.

Tip

For more information on Server Configuration, see Server configuration administration.

Note

To use cloud-hosted databases or Google Cloud Storage, also enable the Cloud (Google) and Cloud Storage checkboxes.

Add an identity provider

  1. As an administrator, navigate to Settings -> Identity Providers.
  2. Click + Add.
  3. Fill in the following fields:

| Field | Description |
|---|---|
| Provider type | Select Google from the dropdown menu. |
| ID | Enter a unique identifier for this configuration. |
| Configuration name | Enter a descriptive name for this configuration. |
| Description | (Optional) Provide a brief description of this identity provider. |
| Icon URL | (Optional) Enter the URL of an icon to represent this provider in the UI. |
| Disabled | (Optional) Leave unchecked to enable this identity provider. |
| Client ID | Enter the client ID from your Google OAuth 2.0 application. |
| Client secret | Enter the client secret from your Google OAuth 2.0 application. |
| Add custom scopes | (Optional) Enable to specify additional OAuth scopes. Required for Google Cloud integration. |
| Read user info | (Optional) Retrieves user profile data using the userinfo endpoint. |
| Custom scopes | (Optional) Additional OAuth scopes. Use ; as a delimiter. Required for Google Cloud integration. See supported scopes. |
| Name of an AWS role claim | (Optional) The name of the AWS role claim used for AWS authorization. |

  4. Copy the redirect link:

    1. Copy the Redirect link.
    2. Add it to your Google OAuth 2.0 application. For instructions, see Set a redirect URI.

Login

  1. Once configuration is complete, go to the login screen.
  2. Select the Federated authentication method labeled with the Configuration name you specified.
  3. Log in with your Google account to verify the integration works.

Tip

Once configured, users can access GCP databases and Google Cloud Storage without additional credentials. For more details, see Pass-through authentication.

Configure Google Cloud scopes

To enable Google Cloud integration:

  1. Enable the Add custom scopes checkbox.
  2. Add the following scopes, separated by ;:

       https://www.googleapis.com/auth/spanner.admin;https://www.googleapis.com/auth/bigquery;https://www.googleapis.com/auth/cloud-platform;https://www.googleapis.com/auth/devstorage.full_control
    
| Scope | Description |
|---|---|
| spanner.admin | Manage Spanner databases. |
| bigquery | View and manage data in Google BigQuery. |
| cloud-platform | Access GCP and read the list of available databases. |
| devstorage.full_control | Manage BigQuery data in Google Cloud Storage. |

> **Note**: `cloud-platform` and `devstorage.full_control` are **restricted scopes** in Google's OAuth sensitivity
> model. Using them may require your Google Cloud project to go through Google's verification process before they work
> in production. For details, see [Google's OAuth API verification FAQ](https://support.google.com/cloud/answer/9110914).
  3. Save the configuration and re-login to apply the new scopes.
  4. Verify the integration:

    • Open Cloud Explorer in the connection creation menu - you should see your GCP project and its databases.
    • Open Cloud Storage - you should see your Cloud Storage buckets.
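
A pre-save check for the Custom scopes value described above, as an added example that is not part of the product or its documentation: it parses the `;`-delimited string, catches space- or comma-delimited pastes, and reports which of the scopes listed on this page are missing or restricted. The function and constant names are hypothetical.

```python
# Added example: lint a "Custom scopes" value before saving the identity provider.
# Scope names come from this page; function and constant names are hypothetical.
PREFIX = "https://www.googleapis.com/auth/"
# Scopes this page lists for Google Cloud integration.
REQUIRED = {"spanner.admin", "bigquery", "cloud-platform", "devstorage.full_control"}
# Scopes this page's note calls restricted (may need Google's verification).
RESTRICTED = {"cloud-platform", "devstorage.full_control"}


def lint_custom_scopes(value: str) -> dict:
    """Parse a ';'-delimited scope string and report problems."""
    report = {"scopes": [], "errors": [], "missing": [], "restricted": []}
    seen = set()
    for raw in value.split(";"):
        item = raw.strip()
        if not item:
            continue  # tolerate a trailing ';' or surrounding whitespace
        # OAuth requests separate scopes with spaces; this field uses ';'.
        if any(ch in item for ch in " ,\t\n"):
            report["errors"].append(f"wrong delimiter inside: {item!r}")
            continue
        if not item.startswith(PREFIX):
            report["errors"].append(f"not a full https scope URL: {item!r}")
            continue
        name = item[len(PREFIX):]
        if name in seen:
            report["errors"].append(f"duplicate scope: {name}")
            continue
        seen.add(name)
        report["scopes"].append(name)
    report["missing"] = sorted(REQUIRED - seen)
    report["restricted"] = sorted(RESTRICTED & seen)
    return report


# Constructed samples: the value from this page, and a space-delimited mistake.
PAGE_VALUE = ";".join(PREFIX + s for s in
                      ["spanner.admin", "bigquery", "cloud-platform", "devstorage.full_control"])
BAD_VALUE = PREFIX + "bigquery " + PREFIX + "cloud-platform"

if __name__ == "__main__":
    for label, value in (("page value", PAGE_VALUE), ("bad value", BAD_VALUE)):
        print(label, lint_custom_scopes(value))
```

A non-empty `restricted` list is the cue to check the Google Cloud project's verification status before rollout, and a non-empty `missing` list explains an empty Cloud Explorer or Cloud Storage view after re-login.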