
Celonis Product Documentation

Connecting to Google services using custom OAuth client

This article shows you how to create your own project in Google Cloud Console and a custom OAuth client. This is useful for connecting restricted Google services, like Google Drive or Gmail, to Execution Management System.

Note

The following procedure is intended for:

  • Personal use (@gmail.com and @googlemail.com users)

  • Internal use (Google Workspace (formerly GSuite) users that prefer to use a custom OAuth client)

Prerequisites:

  • a Google account

Follow these steps to create a custom OAuth client for Google services:

  1. Sign in to Google Cloud Platform using your Google credentials.

  2. Open the Dashboard, and click the CREATE PROJECT button.

  3. Choose a name for your project, then click Create.

  4. Click Enable APIs and services.

  5. In the Enable APIs and services field, enter the name of the service you want to use (for example, Gmail API, Google Drive API, or YouTube Data API v3).

  6. The desired service option should display as you type. Click the API/service you want to connect to Execution Management System.

  7. Click Enable.

  8. Go to APIs & Services > OAuth consent screen settings, choose the External option, then click Create.


    Note

    You will not be charged when selecting this option. For more details, refer to Google's Exceptions to verification requirements.

  9. Fill in the required fields as follows:

    For OAuth consent screen section:

    Application name

    Enter the name of the app asking for consent.

    For example, Celonis.

    User Support Email

    Select your email.

    Authorized domains

    celonis.com

    Developer contact information

    Enter your email.

  10. For the Scopes section:

    Click the Add or Remove Scopes button to add the required scopes.

    Scopes for Google APIs

    Enter the required scopes for the Google service you want to connect to Execution Management System by checking the corresponding box for each required scope.


    SERVICE/API

    REQUIRED SCOPES

    Gmail

    • https://mail.google.com/

    • https://www.googleapis.com/auth/gmail.labels

    • https://www.googleapis.com/auth/gmail.send

    • https://www.googleapis.com/auth/gmail.readonly

    • https://www.googleapis.com/auth/gmail.compose

    • https://www.googleapis.com/auth/gmail.insert

    • https://www.googleapis.com/auth/gmail.modify

    • https://www.googleapis.com/auth/gmail.metadata

    Google Drive

    • https://www.googleapis.com/auth/drive

    • https://www.googleapis.com/auth/drive.readonly

    For the Test Users section:

    Note

    The Optional Info section is displayed only for non-Google Workspace users and does not contain any required fields.

    Warning

    This step is required; otherwise, you won't be able to establish a connection with Execution Management System.

    Click Add users to add the email address associated with the Google account you want to connect to Execution Management System.

  11. Open the Credentials settings page.

    Note

    If this is not the first API/service (Gmail or Google Drive) you have enabled, you don't have to create credentials, because you have already created them.

  12. Click + Create credentials, and select the OAuth client ID option.

  13. Fill in the required fields as follows, then click Create.

    Application type

    Web application

    Name

    Enter the name you want for your application.

    Authorized redirect URIs

    Add one of the following URIs:

    • https://auth.redirect.celonis.cloud/oauth/cb/google-restricted - for Gmail or Google Drive

    • https://auth.redirect.celonis.cloud/oauth/cb/google/ - for other Google apps

    OAuth redirect URI domain

    Notice that the redirect URI starts with https://www.integromat.com instead of https://www.make.com. This is currently a known issue in Make.

    Make was formerly called Integromat, which means you can trust this URL as much as any Make URL.

  14. A dialog containing the app's Client ID and Client Secret is displayed.

  15. Go to your Execution Management System Action Flow and choose the Google module you want to use.

  16. Next to Connection, click Add.

  17. Click Show advanced settings.

  18. Enter the Client ID and Client Secret you retrieved in step 14 (above) into the respective fields, then click Continue.

  19. Sign in with your Google account.

  20. The "This app isn't verified" window appears.

    Note

    The app is the OAuth client you created above.

    Click Advanced, then click the Go to Execution Management System (unsafe) link to allow access using your custom OAuth client.

  21. Click Allow to grant Execution Management System permission.

  22. Click Allow to confirm your choices.

You have now established the connection to the desired Google service using a custom OAuth client.
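
A check you can run on the OAuth client created in steps 12 to 14, as an added example that is not part of the Celonis documentation: it audits the client JSON downloaded from the Credentials page, together with the scopes chosen on the consent screen, against the redirect URIs and scopes listed above. The function name, the sample JSON and the assumption that the download nests a web client under a "web" key with a "redirect_uris" list are this example's own.

```python
import json

# Redirect URIs and scopes copied from the procedure on this page.
REDIRECT_URIS = {
    "restricted": "https://auth.redirect.celonis.cloud/oauth/cb/google-restricted",
    "other": "https://auth.redirect.celonis.cloud/oauth/cb/google/",
}
GMAIL = "https://www.googleapis.com/auth/gmail."
REQUIRED_SCOPES = {
    "gmail": {"https://mail.google.com/"} | {GMAIL + s for s in (
        "labels", "send", "readonly", "compose", "insert", "modify", "metadata")},
    "drive": {"https://www.googleapis.com/auth/drive",
              "https://www.googleapis.com/auth/drive.readonly"},
}

def audit_client(client_json, service, consent_scopes):
    """Return findings; an empty list means the client matches the page."""
    findings = []
    web = json.loads(client_json).get("web")
    if web is None:  # assumption: web-application clients sit under "web"
        findings.append("application type is not Web application")
        web = {}
    kind = "restricted" if service in REQUIRED_SCOPES else "other"
    expected = REDIRECT_URIS[kind]
    uris = web.get("redirect_uris", [])
    if expected not in uris:
        findings.append("missing redirect URI: " + expected)
    # Redirect URIs are compared as exact strings, so a stray or
    # missing trailing slash counts as a different URI.
    findings += ["unexpected redirect URI: " + u for u in uris if u != expected]
    required = REQUIRED_SCOPES.get(service, set())
    chosen = set(consent_scopes)
    findings += ["missing scope: " + s for s in sorted(required - chosen)]
    if required:  # the page lists scopes only for Gmail and Google Drive
        findings += ["scope not listed for %s: %s" % (service, s)
                     for s in sorted(chosen - required)]
    return findings

# Constructed sample (placeholder ID and secret) with a deliberate
# trailing-slash mistake in the redirect URI.
SAMPLE = json.dumps({"web": {
    "client_id": "000000000000-example.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER",
    "redirect_uris": [REDIRECT_URIS["restricted"] + "/"],
}})

if __name__ == "__main__":
    for finding in audit_client(SAMPLE, "drive", ["https://www.googleapis.com/auth/drive"]):
        print(finding)
```
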

Common Problems

This happens rarely, but when it does, we recommend creating another OAuth client.

If this error message appears, you need to enable the corresponding API in your Google Cloud Platform.


Google has added the required settings for the Consent screen. You'll need to add the email address associated with the Google account you want to connect with Execution Management System as a Test user.

  1. Sign in to the Google Cloud Platform using your Google credentials.

  2. Go to APIs & Services > OAuth consent screen.

  3. In the Test Users section, click Add users to add a test user. Enter the email address associated with the Google account you want to connect with Execution Management System, and click Save.

  4. Now, go to Execution Management System, and connect to the desired Google service.

Your connection has expired and is no longer valid. You need to reauthorize the connection.

This error affects non-Google Workspace accounts. For more details, please refer to the Google OAuth documentation.

Solution

Note

Our tests have shown that it is currently possible to set your Publishing Status to In Production to avoid this weekly re-authentication.

In the Google Console, click APIs & Services > OAuth consent screen. Under Publishing status, click Publish App and then Confirm.

Reauthorize your Google connection by following these steps:

  1. Log in to Execution Management System.

  2. Go to Connections.

  3. Find your Google connection and click the Reauthorize button.

    Note

    To prevent the expiration of your Google connection, we suggest that you reauthorize the connection every week.