Create an OAuth client and credentials for a Looker (Google Cloud core) instance

This documentation page explains how to set up your OAuth client and manually associate OAuth credentials with your instance during instance creation.

When to create OAuth credentials

The following types of Looker (Google Cloud core) instances require that you create OAuth credentials and associate them with the instance during instance creation, even if you want to use a different authentication method for authenticating your users into the instance:

Instances that use private connections
Instances that use hybrid connection configurations

In addition, if you want to add a custom domain to a Looker (Google Cloud core) instance that uses public secure connections, OAuth credentials must be created and then manually associated with the instance while setting up the custom domain.

Looker (Google Cloud core) instances that use only public secure connections don't require that you create OAuth credentials or associate them with the instance. For that type of instance, Looker (Google Cloud core) assigns a Looker-managed OAuth client and secret for the instance.

Required roles

To use the Google Cloud console to create and edit OAuth credentials, you need the following permissions. (To hide the list of permissions, collapse the Required permissions section.)

Required permissions

clientauthconfig.*

clientauthconfig.brands.create
clientauthconfig.brands.delete
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update

oauthconfig.*

oauthconfig.clientpolicy.get
oauthconfig.testusers.get
oauthconfig.testusers.update
oauthconfig.verification.get
oauthconfig.verification.submit
oauthconfig.verification.update

You might also be able to get the required permissions through custom roles or other predefined roles. For more information about granting roles, see the Manage access to projects, folders, and organizations page in the Identity and Access Management (IAM) documentation.

Before you create a Looker (Google Cloud core) instance

Before you create a Looker (Google Cloud core) instance, complete the steps that are described in these sections:

Generate the OAuth client ID and client secret
Configure the user consent screen, scopes, and test users

Generate the OAuth client ID and client secret

First, create an OAuth client and generate the client ID and client secret for that client. These values are required during creation of the Looker (Google Cloud core) instance.

You can set up the OAuth client in any Google Cloud project you want. It doesn't need to be the same project as the Looker (Google Cloud core) instance. However, the Looker (Google Cloud core) API must be enabled in this project.

To create the client and its credentials, follow these steps:

Navigate to the project that you want to create the OAuth client in.
Navigate to APIs & Services > Credentials.
From the Credentials page, click Create Credentials.
From the drop-down menu, select OAuth client ID.
In the Application type drop-down, select Web application.
In the Name field, enter a name for your OAuth client.
At this point, you don't need to add URIs in the Authorized JavaScript origins or Authorized redirect URIs sections.
Click Create.

After you click Create, an OAuth client created window appears. This window displays the client ID and client secret created for your OAuth client. These values will be required when you create the Looker (Google Cloud core) instance.

Optionally, click Download JSON to download the credential information in a JSON file. To close the window, click OK.

Configure the user consent screen, scopes, and test users

Next, you may want to configure the consent screen. The consent screen is shown to a user of the Looker (Google Cloud core) instance at their first login and at any point when their authorization expires or is revoked by the user.

Follow the instructions on the Configure the OAuth consent screen and choose scopes documentation page. While configuring your screen, complete the following settings as described:

In the Branding section, under Authorized domains, the domain must match the domain of the Looker (Google Cloud core) instance that uses the OAuth credentials. If you are going to create a custom domain for your Looker (Google Cloud core) instance and know the domain that you will assign to it, you can enter it now. Otherwise, you can leave this field empty; it will be automatically populated when you add the authorized redirect URI after the Looker (Google Cloud core) instance is created.
In the Audience section, under User Type, select one of the following:
- Internal: This setting is the default. Only users within your organization can access the instance once they are added through IAM.
- Make external: Users with any kind of Google Account can access the instance once they are added through IAM.
Note: If you want a user such as Google Support to access your instance using OAuth and IAM, User Type must be set to External, and the Support user must be added through IAM. You can edit the User Type setting at any point.

During Looker (Google Cloud core) instance creation

When you are creating the Looker (Google Cloud core) instance, add the OAuth client ID and client secret in the OAuth Application Credentials section. You cannot create an instance without OAuth credentials. Find the OAuth client ID and client secret by navigating to the OAuth client in the Google Cloud console.

After you create a Looker (Google Cloud core) instance

Complete the following instructions to finish configuration. When you add an authorized redirect URI, it will be added to your OAuth consent screen as an authorized domain.

Add the authorized redirect URI to the OAuth client

If you haven't done so already, follow these steps to enter the URL of the newly created Looker (Google Cloud core) instance into the OAuth client.

After you have created a Looker (Google Cloud core) instance, find and copy the URL for the instance. You can find the URL on the Instances page.

Note: If you are setting up a custom domain for your instance, be sure to complete that setup before copying the URL. Once you add the custom domain to the OAuth client, users will no longer be able to log in to the autogenerated instance URL that was granted when the instance was created, even if that domain is also in the OAuth client.
In the Google Cloud console, navigate to APIs & Services > Credentials.
Under the OAuth 2.0 Client IDs heading, click the name of the client you created.
In the Authorized redirect URIs section, click Add URI.
Paste the URL of the Looker (Google Cloud core) instance into the URIs field. Add /oauth2callback to the end of the URL. For example: https://uuid.looker.app/oauth2callback.

If you are going to set up OAuth authorization for BigQuery, you can also add a second redirect URI that points to the URL of the Looker (Google Cloud core) instance followed by /external_oauth/redirect added to the end of the URL. For example: https://uuid.looker.app/external_oauth/redirect.
Click Save.

It may take from five minutes to a few hours for the update to take effect.

Manage users

Once the OAuth client is configured and the Looker (Google Cloud core) instance is created, you can sign in to the instance using OAuth. Then, you can choose the authentication method for your instance.

If using OAuth as your primary authentication method, complete the steps as described on the Use Google OAuth for Looker (Google Cloud core) user authentication documentation page to complete OAuth setup for user authentication.

Once your authentication method is set up, you can add or remove users through your identity provider and manage them within Looker.

View the type of OAuth credentials for your instance

OAuth credentials aren't listed directly on the instance configuration page of the Google Cloud console. Click Edit on the instance configuration page to see the OAuth application credentials section.

If the OAuth credentials are set to Looker managed, Looker (Google Cloud core) assigns a Looker-managed OAuth credentials for your instance during instance creation and the client ID and client secret aren't shown.

If the OAuth credentials are set to Manual, custom OAuth credentials were added to your instance either during or after instance creation. The client ID and client secret aren't shown; instead, the section displays **** placeholders.

Edit the OAuth client for a Looker (Google Cloud core) instance

If you want to, you can add, edit, or change OAuth credentials for your Looker (Google Cloud core) instance by following these steps:

Set up the new client or credentials.
In the Google Cloud console, from the Instances page, click on an instance's name to open the DETAILS page.
From the DETAILS page, click Edit.
On the Edit Looker (Google Cloud core) instance page, navigate to the OAuth application credentials section and select Manual, if it is not already selected.
Enter the new values in the OAuth Client ID and OAuth Client Secret fields.
Click Save.

If your OAuth application credentials are set to Looker managed, you can't add or edit credentials. Switch to the Manual setting for credentials to edit or add them.