Create or select a Google Cloud project
To use the Admin SDK API with OAuth 2.0, you need a Google Cloud project.
Sign in to Google Cloud
Sign in to your Google Cloud Console.
Enable the Admin SDK API
Enable the Admin SDK API for your project. This step is required whether you created a new project or selected an existing one.
Configure Google Auth Platform
Before creating OAuth credentials, ensure Google Auth Platform is configured.
Navigate to Google Auth Platform
In the Google Cloud Console, go to APIs & Services > OAuth consent screen. This will open the Google Auth Platform dashboard.
Start configuration
If you have already configured Auth Platform (the OAuth Overview page with usage metrics is shown), skip this step and navigate to the Branding page from the sidebar. Otherwise, you will see a Get started button — click it to begin the configuration process.
Enter app information
Fill in the required fields for your application.
- App name: Enter a name for your application (e.g., StackOne Integration).
- User support email: Select an email for user inquiries.
- Click Next to continue.
Select audience
Choose the appropriate user type for your application.
- Internal: Only users within your Google Workspace organization can authorize (no app verification required).
- External: Any Google account can authorize (requires app verification for production use).
- Click Next to continue.
Enter contact information
Provide email addresses for Google to notify you about any changes to your project. Click Next to continue.
Configure scopes
In Google Auth Platform, go to Data Access and click Add or Remove Scopes to configure the OAuth scopes your application needs.
Add scopes
Add scopes based on the Google Directory resources you need to access. Each resource has a read-write scope for full management and a read-only scope for read-only access.
- User management (list, get, create, update, delete users):
  https://www.googleapis.com/auth/admin.directory.user or admin.directory.user.readonly for read-only
- Group management (list, get, create, update, delete groups):
  https://www.googleapis.com/auth/admin.directory.group or admin.directory.group.readonly for read-only
- Organizational unit management (list, get, create, update, delete org units):
  https://www.googleapis.com/auth/admin.directory.orgunit or admin.directory.orgunit.readonly for read-only
- Domain management (list, get domains):
  https://www.googleapis.com/auth/admin.directory.domain or admin.directory.domain.readonly for read-only
- Connection identity (unified_get_me):
  https://www.googleapis.com/auth/userinfo.email, which populates the email/name on the IAM credentials record. Without this scope the name field is null.
Select scopes from the list
In the Update selected scopes side panel that opens, check the required scopes from the list.
Manually add scopes (if needed)
If a required scope is not shown in the list, use the Manually add scopes section.
- Enter the full scope URL in the input field.
- Click Add to table.
Apply and save
Confirm and persist your scope configuration.
- Click Update to apply the selected scopes. The side panel will close.
- On the Data Access page, click Save to persist the scope configuration.
Understand admin privilege requirements
Adding the correct OAuth scope is necessary but not sufficient for user management actions. If you receive a 403 Forbidden error when running actions such as listing or getting users, this indicates the Google account used to authorize the connection does not have the required admin role in Google Workspace.
The Google Directory API requires the authenticated account to have Super Admin or an appropriate Delegated Admin role in your Google Workspace organization. To resolve this, ensure the account used to connect is assigned the Super Admin role or the relevant delegated admin privilege in the Google Admin Console.
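The scope choice and the 403 behaviour described above can be checked together. The following is an added example, not StackOne or Google code: it derives the least-privilege scope set from the scopes listed on this page, compares it with a token's space-separated scope string (the format of the `scope` field in an OAuth 2.0 token response), and separates a scope gap from a missing admin role. The function names, the `needs` mapping and the sample values are hypothetical.

```python
# Added example: constructed inputs; helper names are hypothetical.
PREFIX = "https://www.googleapis.com/auth/"
RESOURCES = {"user", "group", "orgunit", "domain"}  # Directory resources named on this page
IDENTITY_SCOPE = PREFIX + "userinfo.email"

def minimal_scopes(needs):
    """needs maps resource -> 'read' or 'manage'; returns the least-privilege scope set."""
    scopes = {IDENTITY_SCOPE}
    for resource, mode in needs.items():
        if resource not in RESOURCES or mode not in ("read", "manage"):
            raise ValueError(f"unknown requirement: {resource}={mode}")
        suffix = "" if mode == "manage" else ".readonly"
        scopes.add(f"{PREFIX}admin.directory.{resource}{suffix}")
    return scopes

def audit(granted_scope_string, needs):
    """Compare a token's space-separated scope string with what the integration needs."""
    granted = set(granted_scope_string.split())
    required = minimal_scopes(needs)
    missing = set()
    for scope in required - granted:
        # A read-write grant also satisfies a read-only requirement.
        if scope.endswith(".readonly") and scope[: -len(".readonly")] in granted:
            continue
        missing.add(scope)
    # Anything granted beyond the minimal set is over-privilege worth removing.
    excess = granted - required
    return {"missing": sorted(missing), "excess": sorted(excess)}

def triage_403(status, granted_scope_string, needs):
    """Separate the two 403 causes on this page: scope gap vs. missing admin role."""
    if status != 403:
        return "not-a-403"
    if audit(granted_scope_string, needs)["missing"]:
        return "scope-missing"
    return "admin-role-missing"

if __name__ == "__main__":
    # Constructed sample: the integration only reads users but manages groups.
    needs = {"user": "read", "group": "manage"}
    granted = " ".join([IDENTITY_SCOPE,
                        PREFIX + "admin.directory.user",
                        PREFIX + "admin.directory.group"])
    print(audit(granted, needs))
    print(triage_403(403, granted, needs))
```

An entry under `excess` means the consent grants more than the integration uses; replace it with the read-only scope in Data Access.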
Create OAuth 2.0 client credentials
Set up OAuth client credentials to authenticate with the Admin SDK API. If you already have an existing OAuth 2.0 client, you can reuse it by adding the StackOne redirect URI and generating a new secret.
Option A — Create a new OAuth client
Skip this step if you are using an existing client.
- Click + Create Credentials and select OAuth client ID.
- Select Web application as the application type.
- Enter a Name for your OAuth client (e.g., StackOne Directory Integration).
- Under Authorized redirect URIs, click Add URI and enter:
  https://api.stackone.com/connect/oauth2/googledirectory/callback
- Click Create. A dialog will display your Client ID and Client Secret. Copy and store them securely.
Option B — Use an existing OAuth client
Skip this step if you created a new client above.
- Click on your existing OAuth 2.0 client ID from the list.
- Under Authorized redirect URIs, click Add URI, enter the URI below, and click Save:
  https://api.stackone.com/connect/oauth2/googledirectory/callback
- Under Client secrets, click + Add secret to generate a new secret. Copy it and store it securely; it will not be shown again.
- Your Client ID is shown on the same page under Additional information.
Creating the StackOne Connector Profile
To create the Connector Profile in StackOne for Google Directory:
Navigate to Connector Profiles
Create New Connector Profile
- Click + Connector Profile
- Search for and select Google Directory
- Select Type as OAuth 2.0
- Fill out the fields using details retrieved from your provider:
  - Client ID
  - Client Secret
  - Scopes (Optional)
- (Optional) Select Actions to be enabled for this Connector Profile
- Click Create profile