Configure OAuth Authentication (G Suite)

To retrieve chat messages from multiple users in a G Suite domain, create a service account that the connector can use to access the information. You must enable G Suite Domain-wide delegation and grant the relevant permissions.

To create a G Suite service account and grant relevant permissions

  1. Go to https://console.developers.google.com/ and log in.
  2. Create a new project, and make sure the project is selected.
  3. Click Enabled APIs & services and enable the following:

  4. Click Credentials and create a new Service Account.
  5. Give the new service account a name. Then select the following roles:

    • Project > Viewer.
  6. Select Key type JSON, and then click Create.

    Save the JSON file provided by Google for use later.

  7. Find the service account you created by clicking (Menu button) > IAM & Admin > Service accounts.
  8. In the table, click Manage Details for the service account you created.
  9. Make a note of the Client ID for the service account, to be used later.
  10. Go to https://admin.google.com/ and log in using an administrator account.
  11. In the Admin Console menu, click Security > Access and data control > API controls.
  12. Select Manage Domain Wide Delegation.
  13. Select Add new to add an entry using the client ID you obtained above.
  14. Add the following OAuth scopes:

    https://www.googleapis.com/auth/admin.directory.user.readonly  Required.
    https://www.googleapis.com/auth/chat.spaces.readonly           Required when ProcessChats is TRUE.
    https://www.googleapis.com/auth/chat.messages.readonly         Required when ProcessChats is TRUE.
    https://www.googleapis.com/auth/chat.memberships.readonly      Required for mapped security when ProcessChats is TRUE.
    https://www.googleapis.com/auth/drive.readonly                 Required when IngestDriveAttachments is TRUE or when ProcessConferences is TRUE.
    https://www.googleapis.com/auth/meetings.space.readonly        Required when ProcessConferences is TRUE.
  15. Click Authorize.

You can now run the OAuth configuration tool that is provided with the connector.

To run the OAuth configuration tool

  1. Open the folder where you installed the connector.
  2. Open the OAuth tool configuration file, oauth_tool.cfg, in a text editor.
  3. In the [Default] section, set any SSL or proxy settings that are required to access the repository:

    SSLMethod   The version of SSL/TLS to use.
    ProxyHost   The host name or IP address of the proxy server to use.
    ProxyPort   The port of the proxy server to use.

    For example:

    SSLMethod=NEGOTIATE
    ProxyHost=10.0.0.1
    ProxyPort=8080
  4. In the [GoogleServiceAccount] section, set the following parameters:

    CustomJson

    Replace the placeholders <client_email> and <private_key> with the correct values, from the JSON file that you downloaded earlier.

    The value for the private key property should include the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- delimiters, and should include any newline (\n) characters. For example:

    CustomJson={"GoogleServiceAccount":"myaccount@myproject.iam.gserviceaccount.com",
    "GoogleServiceAccountPrivateKey":"-----BEGIN PRIVATE KEY-----\nBASE64\n-----END PRIVATE KEY-----\n"}
  5. Open a command-line window and run the following command:

    oauth_tool.exe oauth_tool.cfg GoogleServiceAccount

    The OAuth configuration tool creates the files oauth.cfg and oauth2_sites.bin. When you configure the connector, import the parameters from oauth.cfg into your task configuration. For more information about configuring a fetch task, see Retrieve Information from G Suite Users.
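
For step 4 of the tool procedure, the following added example (not part of the connector or its documentation) builds the CustomJson line from the downloaded key file, so that the delimiters and \n characters are not lost by hand-pasting. It assumes the standard Google key-file fields type, client_email and private_key, and writes the value on a single line; build_custom_json and SAMPLE_KEY are names made up for this example.

```python
import json
import sys

PEM_BEGIN = "-----BEGIN PRIVATE KEY-----"
PEM_END = "-----END PRIVATE KEY-----"

# Constructed sample in the shape of a Google service-account key file;
# the key body is a dummy, not a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "client_email": "myaccount@myproject.iam.gserviceaccount.com",
    "private_key": PEM_BEGIN + "\nBASE64\n" + PEM_END + "\n",
}


def build_custom_json(key):
    """Return the CustomJson= line for the [GoogleServiceAccount] section."""
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    email = key.get("client_email", "")
    pem = key.get("private_key", "")
    if not email.endswith("gserviceaccount.com"):
        raise ValueError("unexpected client_email: %r" % email)
    # The tool needs both the delimiters and the newlines; a hand-pasted
    # key often loses one or the other.
    if not (pem.startswith(PEM_BEGIN) and pem.rstrip().endswith(PEM_END)):
        raise ValueError("private_key is missing its PEM delimiters")
    if "\n" not in pem.strip():
        raise ValueError("private_key has lost its newline characters")
    value = {
        "GoogleServiceAccount": email,
        "GoogleServiceAccountPrivateKey": pem,
    }
    # json.dumps writes each real newline as the two characters \n,
    # which is the form shown in the example for step 4.
    return "CustomJson=" + json.dumps(value, separators=(",", ":"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Path to the JSON key file saved in step 6 of the first procedure.
        with open(sys.argv[1], encoding="utf-8") as fh:
            key = json.load(fh)
    else:
        key = SAMPLE_KEY
    print(build_custom_json(key))
```

The resulting line contains the service account's private key, so oauth_tool.cfg needs the same file permissions as the downloaded JSON key file.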