Creates an OAuth client ID in Google Cloud.
This is a Nullstone capability that attaches to an application. It provisions a `google_iam_oauth_client` (and, for confidential clients, a `google_iam_oauth_client_credential`) and injects the resulting client ID, secret, and standard Google OAuth endpoints into the application as environment variables and secrets.
The `type` variable accepts the Application types shown in the Google Cloud console. The underlying Terraform resource only models a `client_type` of `CONFIDENTIAL_CLIENT` or `PUBLIC_CLIENT`, so each application type is mapped as follows:
| `type` | `client_type` | Client secret? |
|---|---|---|
| Web application (default) | `CONFIDENTIAL_CLIENT` | Yes |
| Desktop app | `CONFIDENTIAL_CLIENT` | Yes |
| Android | `PUBLIC_CLIENT` | No |
| iOS | `PUBLIC_CLIENT` | No |
| Chrome Extension | `PUBLIC_CLIENT` | No |
| TVs and Limited Input devices | `PUBLIC_CLIENT` | No |
Public clients have no client secret. For those, the credential resource is not created and `OAUTH_CLIENT_SECRET` is emitted as a single space (`" "`).
Note: The Terraform resource does not support the console's per-platform fields (authorized JavaScript origins, Android package name + SHA-1, iOS bundle ID, Chrome extension ID, etc.). Only redirect URIs and scopes are configurable.
| Variable | Type | Default | Description |
|---|---|---|---|
| `type` | `string` | `"Web application"` | OAuth application type (see table above). |
| `redirect_uris` | `list(string)` | `[]` | URIs allowed to redirect back when the authorization process completes. Supports interpolation (see below). |
| `scopes` | `list(string)` | `["openid", "email", "profile"]` | Scopes the OAuth client is allowed to request. |
Each entry in `redirect_uris` supports the following Nullstone interpolation tokens, which are resolved at apply time from the workspace context:

| Token | Resolves to |
|---|---|
| `{{ NULLSTONE_STACK }}` | Stack name |
| `{{ NULLSTONE_ENV }}` | Environment name |
| `{{ NULLSTONE_APP }}` | App (block) name |
| `{{ NULLSTONE_BLOCK }}` | App (block) name |
Example:

```hcl
redirect_uris = ["https://{{ NULLSTONE_APP }}-{{ NULLSTONE_ENV }}.example.com/callback"]
```

| Variable | Description |
|---|---|
| `OAUTH_CLIENT_ID` | The generated OAuth client ID. |
| `OAUTH_AUTH_URL` | Google authorization endpoint (`.../o/oauth2/v2/auth`). |
| `OAUTH_TOKEN_URL` | Google token endpoint (`oauth2.googleapis.com/token`). |
| `OAUTH_API_URL` | Google OpenID Connect userinfo endpoint. |
| `OAUTH_SCOPES` | Space-delimited list of the configured scopes. |
| Secret | Description |
|---|---|
| `OAUTH_CLIENT_SECRET` | The OAuth client secret. Set to a single space (`" "`) for public client types, which have no secret. |
The OAuth endpoints are the same for every Google OAuth client and come from Google's OpenID Connect discovery document.
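
Because public client types receive `OAUTH_CLIENT_SECRET` as a single space rather than an unset value, the consuming application has to treat a whitespace-only secret as "no secret" before it builds a token request. The sketch below is an added example, not code from this module or from Nullstone: the function names, the sample environment values, and the use of PKCE (RFC 7636) are assumptions made for illustration.

```python
import base64, hashlib, os, secrets
from urllib.parse import urlencode

# Constructed sample of what the capability injects for a PUBLIC_CLIENT type;
# the ID and endpoint URLs are placeholders, not real values.
SAMPLE_ENV = {
    "OAUTH_CLIENT_ID": "constructed-client-id",
    "OAUTH_CLIENT_SECRET": " ",  # single-space placeholder for public clients
    "OAUTH_AUTH_URL": "https://idp.example.test/auth",
    "OAUTH_TOKEN_URL": "https://idp.example.test/token",
    "OAUTH_SCOPES": "openid email profile",
}

def load_oauth_config(env=os.environ):
    """Read the injected variables; a whitespace-only secret means 'no secret'."""
    secret = env.get("OAUTH_CLIENT_SECRET", "").strip()
    return {
        "client_id": env["OAUTH_CLIENT_ID"],
        "client_secret": secret or None,
        "auth_url": env["OAUTH_AUTH_URL"],
        "token_url": env["OAUTH_TOKEN_URL"],
        "scopes": env["OAUTH_SCOPES"].split(),  # space-delimited list
    }

def new_pkce_pair():
    """Return (verifier, S256 challenge) per RFC 7636."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorization_url(cfg, redirect_uri, state, challenge):
    """Build the redirect to the authorization endpoint."""
    params = {"response_type": "code", "client_id": cfg["client_id"],
              "redirect_uri": redirect_uri, "scope": " ".join(cfg["scopes"]),
              "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return cfg["auth_url"] + "?" + urlencode(params)

def token_request_form(cfg, code, redirect_uri, verifier):
    """Form body for the token endpoint; client_secret only if one exists."""
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": cfg["client_id"],
            "code_verifier": verifier}
    if cfg["client_secret"]:  # never forward the " " placeholder as a credential
        form["client_secret"] = cfg["client_secret"]
    return form
```

The `redirect_uri` passed to both functions must match one of the entries configured in `redirect_uris`, and `state` should be a fresh random value tied to the user's session.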