Configuring Google Workspace OAuth and Service Account
Configuring Google Workspace
In this tutorial, we will guide you through the process of setting up Solar Archive email archive systems with Google Workspace. We'll cover two main features: Single Sign-On (SSO) with Two-Factor Authentication (2FA) support using OAuth and IMAP setup for Mailbox Reader/Folder Rep/Mail Restore, utilizing a Google Service Account to access user mailboxes.
Step 1: Creating a Google API Project
Go to the Google API Console by clicking this link: Google API Console.
Create a new project or add an existing one and associate it with your Workspace domain. This project will be used to manage the API settings and credentials for Solar Archive.
Once the project is created or selected, all subsequent configurations will be done within this project.
Step 2: Configure Consent Screen for OAuth
In the Google API Console, navigate to the "Credentials" section.
Click on "OAuth consent screen" from the left sidebar to configure the Consent Screen settings.
Create a new Consent Screen and specify the necessary information, such as the App name, User support email, User Type (Use Internal) and Developer contact information. (It is just details to display on a consent screen - so enter any details that seem reasonable. It is non-binding, non-critical, display only information to displays when an end user tries to use the 'app'.)
Customize the Consent Screen as needed to provide a clear and user-friendly experience for your users during the OAuth login process.
Save the changes to the Consent Screen.
Step 3: Set up Google OAuth / Solar Archive SSO
In the "Credentials" section of the Google API Console, click on "Create Credentials" and select "OAuth client ID".
Choose the "Web application" option as the application type.
Enter a name for your OAuth client, and in the "Authorized redirect URIs" field, specify the redirect URL provided by Solar Archive. You can find this in (Solar Archive “SSO OAuth” panel)
Click "Create" to generate the Client ID and secret values for the OAuth Client.
We can now complete the Solar Archive settings as follows:
Authorization URL:
https://accounts.google.com/o/oauth2/v2/auth
Access Token URL:
https://oauth2.googleapis.com/token
User Detail URL:
https://www.googleapis.com/oauth2/v1/userinfo
Please Note these values can be obtained from this link: https://accounts.google.com/.well-known/openid-configuration User Detail Attributes*
Username:
email
Mail:
email
Firstname:
given_name
Lastname:
family_name
Secondary Addresses:
email
* NOTE: This set of Attributes will be pre-filled (or hidden) if the “Provider Type” is set to the (recently added) Google
Step 4: Link the OAuth Client ID to your Workspace
Access your Google Workspace administration area (admin.google.com) as an administrator.
In the admin console, navigate to "Security" and then "API controls".
Click on "Manage third-party app access" to add the OAuth Client ID to the list of allowed apps.
Click "Add app" and select "OAuth App Name or Client ID".
Enter the Client ID obtained from the Google API Console and click "Select" to add the app.
Review and confirm the authorization to grant access to the Solar Archive app with the specified Client ID.
Step 5: Integrate Solar Archive Login Page
After completing the previous steps, the Solar Archive login page will automatically display an additional "Login With [OAuth connection name]" button, where the connection name corresponds to the OAuth Client name.
Step 6: Set up Google Service Account for IMAP / Mailbox Reader
Go back to the Google API Console and click on "Create Credentials".
Select "Service Account" and provide a name for your Service Account.
Assign the required role to the Service Account, such as "Project" > "Editor" to grant access to user mailboxes.
Click "Continue" and then "Create Key".
Choose the key type as JSON and click "Create" to obtain the JSON key file containing authentication details for the Service Account.
Step 7: Configure Solar Archive Settings
Log in to Solar Archive as an administrator.
Navigate to "Advanced Configuration" > "SSO - OAuth" panel.
Click "Create New Connection" and select the Provider Type as "OpenID Connect".
Enter a meaningful Connection Name and choose "Web application" as the type.
Paste the complete text of the JSON key file into the appropriate field.
Save the connection to complete the setup.
Step 8: Link the Service Account to your Workspace
Go back to your Google Workspace admin console.
Navigate to "Security" > "API controls" > "Domain-Wide Delegation".
Click "Add new" and paste the Client ID (Unique ID) obtained from the Google API Console.
Specify the necessary "OAuth scopes" (e.g., https://mail.google.com, Email, Profile) that the Service Account requires access to.
Click "Authorize" to grant the required permissions to the Service Account.
The Service Account is now successfully linked to your Workspace and has access to user mailbox data.
Last updated