Google Workspace Configuration for OAuth 2.0

These instructions are provided as a convenience for customers using Google® Workspace® (formerly GSuite®) as an OAuth 2.0 provider. Trihedral has no relationship with Google or it's parent company and makes no claim that the information provided here is the best process to use. The following steps were found to work at the time of writing.

You must be signed in to Google's services with a Workspace® account to use this process. A basic GMail® account will not work.

  1. Open the Google Cloud Platform (GCP) console in a browser: https://console.cloud.google.com
  2. If this if your first project, you will be prompted for a name.
    Otherwise, open the droplist in the top banner next to "Google Cloud Platform" and n the dialog click "New Project".
  3. Give the project a suitable name and select "Create".
  4. Ensure that your new project is selected, as shown in the top bar of the page.
  5. From the menu select APIs & Services -> Library.
  6. Use the search field to search for "Apps Script".
  7. Select the Apps Script API result.
  8. Select ENABLE.
  9. From the menu select APIs & Services (looks like a menu header), then OAuth consent screen.
  10. Select "Internal" and click "CREATE".
  11. Enter an application name such as "VTScada" for the consent screen.
  12. Select the "Add scope" button.
  13. In the list, browse for and select the https://mail.google.com scope.
  14. Select the ADD button.
  15. The following configuration options may be set or ignored as you wish:
    Support email, Logo, and Changes to the OAuth grant limit.
    All the other fields do not apply.
  16. Select "Save".
  17. From the menu select "Credentials".
  18. Select "CREATE CREDENTIALS".
  19. Select "OAuth client ID".
  20. For Application type select "Web Application".
  21. Enter a name such as "VTScada" for your OAuth client.
  22. Under Authorized redirect URIs select "ADD URI".
  23. Add URI's as appropriate.
    These will be the FQDNClosed Fully Qualified Domain Name's of the VTScada OAuth servers, along with the VTScada OAuth path which is "/vtscada/oauth/return". Do not include the realm name for your application. Do not include the port number unless it is non-standard.
    e.g. https://myscada.example.com/vtscada/oauth/return
  24. Make a copy of each URI you create. You will need these later when configuring OAuth within VTScada.
  25. Select CREATE.
  26. Copy the Client ID and Client Secret from the next dialog.
    The secret must be treated as securely as a password.
  27. You should now have the following information, to be used when configuring OAuth in VTScada:
Name in Google Name in VTScada Example value
-- Authorization Endpoint URL https://accounts.google.com/o/oauth2/v2/auth
-- Token Endpoint URL https://oauth2.googleapis.com/token
-- Revocation Endpoint URL https://accounts.google.com/o/oauth2/revoke
Client ID Client ID 853894256151-0ahtms1s5hrsqv41ebvrlon09pha3av1.apps.googleusercontent.com
Client secret Value Client Secret Slb3-e3J2c-UwCzVdBv8-Hadun_374
Scopes for Google APIs Requested Scopes https://mail.google.com
Authorised redirect URIs Redirect URIs https://myscada.example.com/vtscada/oauth/return

In VTScada:

  1. Enable the OAuth 2.0 option in Security -> Administrative options -> Advanced.
  2. Ensure the appropriate server list has been configured.
    (Referring here to a Client / Server Configuration list, not a VTScada Thin Client Server server list.)
    An OAuth-specific list may be configured if required. For resilience, two OAuth servers are recommended.
  3. Open the OAuth 2.0 settings dialog.
    Available from either the drop-down security menu in the screen or the Security page of the Application Configuration dialog.
  4. Create a new Provider by clicking the "+" button under the list of providers.
    This enables the data entry fields. Start with the Provider Name, not the list of OAuth2 Providers.
  5. Set the Provider name to something appropriate, such as "Google".
  6. Set the Authorization Endpoint URL to: https://accounts.google.com/o/oauth2/v2/auth
  7. Set the Token Endpoint URL to: https://oauth2.googleapis.com/token
  8. Set the Revocation Endpoint URL to: https://accounts.google.com/o/oauth2/revoke
  9. Set the Client ID and Client secret to the values recorded in the early set of steps.
  10. Set the Refresh Token Lifetime to 15552000
    This field is measured in seconds and matches the 6-month token lifetime that is the default for Google.
  11. Using the Scopes editor (the Pen icon next to the Provider Scopes field), add the following scope: https://mail.google.com/
  12. Using the Redirect URIs editor set the OAuth Redirect URIs to the Authorized redirect URIs recorded above.
  13. Create a new Grant by clicking the "+" under the grants list.
  14. Set the Grant name to something appropriate such as "GMail".
  15. Set the Grant bearer to the GMail account name of the user that will be running the consent operation.
    This must be one of your Workspace accounts. You are strongly advised to create an account that will be used only by VTScada. Do not use your personal account.
  16. Using the Grant Scopes editor select the https://mail.google.com/ scope.
  17. Select the Apply button.
  18. Select the Consent button to grant authority for VTScada to access the designated email account.