How to Set Up a Google Cloud Project for Google Drive Integration as a Repository Source
This article explains how to create a Google OAuth 2.0 Web application client (Client ID + Client secret) for your SaaS so that end users can authorize access to their Google Drive.
- Create or Select a Google Cloud Project
- Access the Google Cloud Console and either create a new project (for example, “Google Drive Repo”) or select an existing project that fits your requirements.
Note: All OAuth credentials, API settings, and the OAuth consent screen are managed at the project level.
- Enable the Google Drive API
- From the left navigation menu, go to APIs & Services > Library. Search for “Google Drive API” and enable it for your chosen project.
- Configure the OAuth Consent Screen
- Navigate to APIs & Services > OAuth consent screen.
- Select the 'Get started' button
- Complete the required application information, including App Name and user support email. Add only the minimum Drive API scopes necessary, such as:
- https://www.googleapis.com/auth/drive.file: Grants permission to read/write only files created or opened with your app (recommended for least privilege).
Only use broader full-drive scopes if absolutely necessary.
- Select an Audience Type
- Internal: Accessible only to users in your Google Workspace domain (requires a Workspace organization).
- External: Available to anyone with a Google Account (commonly used for public-facing applications).
- Enter the email addresses of the people who should receive updates regarding the project.
- If you intend to use Testing mode, add test user email addresses. Note that Testing mode limits you to 100 users, and tokens expire after 7 days. Save your configuration.
Important: Some Drive scopes are considered sensitive and may require your app to complete Google’s verification process before going live.
- Create OAuth Client Credentials (Web Application)
- Go to APIs & Services > Credentials.
- Click on Create Credentials > OAuth client ID and select ‘Web application’ as the type.
- Add the Authorized JavaScript origins for each relevant hostname. For example:
- https://<productionBaseURL>
- Add the required authorized redirect URIs. For example:
- https://<productionBaseURL>/ClientFileRepository/OAuthCallback
- Once created, securely copy and store the Client ID and Client Secret. Treat the Client Secret as a password. You can generate new secrets or rotate them as needed directly from the OAuth client page.
- Switch From Testing to Production (Recommended)
- On the OAuth consent screen, select Audience and update the Publishing status to “In production” once verification is complete (if required). This removes the 100-user restriction and the 7-day token limitation. Remaining in Testing mode will maintain those restrictions.
- Configure Your Repository in the CRT Platform
Common Issues & How to Avoid Them
- Skipping the consent screen configuration prevents creation of working OAuth clients for external users.
- Requesting broader Drive scopes than necessary increases verification complexity.
- Failing to move to Production restricts you to 100 test users and short-lived tokens.
- Omitting redirect URIs for all environments causes authentication failures.
- Consult Google’s official resources for more guidance on scope selection, OAuth best practices, and securing application credentials.
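A pre-deployment check for two of the issues above (a redirect URI missing for an environment, and scopes broader than drive.file), as an added example that is not part of the original article or the CRT platform. It assumes the client JSON downloaded from the Credentials page, with a "web" section holding redirect_uris and javascript_origins; the function names and the example.com hostnames are hypothetical.

```python
import json
from urllib.parse import urlsplit

CALLBACK_PATH = "/ClientFileRepository/OAuthCallback"  # callback path from this article
ALLOWED_SCOPES = {"https://www.googleapis.com/auth/drive.file"}

def audit_oauth_client(client_json, base_urls, requested_scopes):
    """Return a list of findings; an empty list means every check passed."""
    web = json.loads(client_json).get("web")
    if web is None:
        return ["client is not a 'Web application' client (no 'web' section)"]
    findings = []
    redirects = set(web.get("redirect_uris", []))
    origins = set(web.get("javascript_origins", []))
    for base in base_urls:
        base = base.rstrip("/")
        if base + CALLBACK_PATH not in redirects:
            findings.append(f"missing redirect URI: {base}{CALLBACK_PATH}")
        if base not in origins:
            findings.append(f"missing JavaScript origin: {base}")
    for uri in sorted(redirects | origins):
        # Plain HTTP is only acceptable for local development on localhost.
        parts = urlsplit(uri)
        if parts.scheme != "https" and parts.hostname != "localhost":
            findings.append(f"not HTTPS: {uri}")
    for scope in sorted(set(requested_scopes) - ALLOWED_SCOPES):
        findings.append(f"scope beyond drive.file: {scope}")
    return findings

# Constructed sample data: not real credentials, client IDs or hostnames.
SAMPLE_CLIENT = json.dumps({"web": {
    "client_id": "000000000000-example.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER",
    "redirect_uris": ["https://app.example.com/ClientFileRepository/OAuthCallback",
                      "http://staging.example.com/ClientFileRepository/OAuthCallback"],
    "javascript_origins": ["https://app.example.com"],
}})

def sample_findings():
    return audit_oauth_client(
        SAMPLE_CLIENT,
        ["https://app.example.com", "https://staging.example.com"],
        ["https://www.googleapis.com/auth/drive.file",
         "https://www.googleapis.com/auth/drive"],
    )

if __name__ == "__main__":
    print("\n".join(sample_findings()))
```

Run it against the real downloaded client file in a location that is not committed to source control, since that file contains the Client Secret.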