Authenticate installed apps with user accounts
This guide explains how to authenticate by using user accounts for access to the BigQuery API when your app is installed onto users' machines.
To ensure the app accesses only BigQuery tables that are available to the end user, authenticate by using a user credential. A user credential can run queries against only the end user's Cloud de Confiance by S3NS project rather than the app's project. As a result, the user is billed for queries instead of the app.
Before you begin
- Create a Cloud de Confiance project that represents your installed app.
- Install the BigQuery client libraries.
-
Install authentication libraries.
Java
If you are using Maven, include the following dependencies in your pom file.
Python
Install the oauthlib integration for Google Auth.
pip install --upgrade google-auth-oauthlib
Node.js
Install the oauthlib integration for Google Auth.
npm install google-auth-library
npm install readline-promise
Set up your client credentials
Use the following button to select a project and create the required credentials.Manually create credentials
- Go to the Credentials page in the Cloud de Confiance console.
- Fill out the required fields on the OAuth consent screen.
-
On the Credentials
page, click the Create credentials button.
Choose OAuth client ID.
- Select Desktop as the app type, and then click Create.
-
Download the credentials by clicking the Download JSON button.
Save the credentials file to
client_secrets.json
. This file must be distributed with your app.
Authenticate and call the API
-
Use the client credentials to perform the
OAuth 2.0
flow.
Java
Python
Node.js
-
Use the authenticated credentials to connect to the BigQuery API.
Java
Python
Node.js
When you run the sample code, it launches a browser that requests access to the project that is associated with the client secrets. You can use the resulting credentials to access the user's BigQuery resources because the sample requested the BigQuery scope.