
Google Cloud Console provider

How to configure and authenticate using Google Cloud Console.

Use Google Cloud Console as the OpenID Connect (OIDC) identity provider for Optimizely Graph so your team can sign in with existing Google credentials and authorize Graph API requests against tokens that Google issues. This walkthrough covers creating the Google project, registering the provider with Optimizely Graph, and authenticating with the resulting JSON Web Token (JWT).

Prerequisites

A Google account is required to create the project and OAuth 2.0 client used in the following steps.

Configure a Google project

Create a Google Cloud project and capture the OAuth 2.0 Client ID so Optimizely Graph can trust tokens issued by Google.

  1. Go to the Google Cloud Console.

  2. Create a project. For this example, the project is named Doligence.

    Screenshot of the Google Cloud Console where a project named Doligence is being created.

  3. Open the OAuth 2.0 Client ID section.

  4. Click your app to get the Client ID value, which is used as the audience.

    Screenshot of the Google Cloud Console OAuth 2.0 Client ID section where the Client ID is displayed.

  5. Record the Google OIDC values for the next section:

    • issuer: https://accounts.google.com
    • audience: {Client ID}

Register the Google provider with Optimizely Graph

Register the Google OIDC configuration with Optimizely Graph so Graph can validate JWTs issued by Google. Send a PUT request to the OIDC config URL https://cg.optimizely.com/api/config/oidc with an epi-hmac or basic authorization header.

curl -XPUT \
  -H 'Authorization: Basic {appKey}:{secret}' \
  -d '{
    "issuer": "https://accounts.google.com",
    "audience": "{Client ID}"
  }' https://cg.optimizely.com/api/config/oidc

Authenticate with Google provider

Authenticate against Google to obtain the JWT that Optimizely Graph validates on each API request. After you authenticate, your JWT payload should contain the issuer (iss) and audience (aud) claims.

{
  "iss": "https://accounts.google.com",
  "azp": "427566697749-3knhnkfnk8v2j8t60shg8nolg0trqku2.apps.googleusercontent.com",
  "aud": "427566697749-3knhnkfnk8v2j8t60shg8nolg0trqku2.apps.googleusercontent.com",
  "sub": "109839210343031985739",
  "email": "[email protected]",
  "email_verified": true,
  "at_hash": "lyY-RI72YgsRHIuMDc6CGw",
  "name": "Quang Tran",
  "picture": "https://lh3.googleusercontent.com/a/ACg8ocLaTr3pV1TSLcBQZrjtmSvn2TDRYtLKKAhX7DUN_dQo=s96-c",
  "given_name": "Manh Quang",
  "family_name": "Tran",
  "locale": "en",
  "iat": 1696840635,
  "exp": 1696844235
}
// This is the decoded id_token payload.
// The token must contain the iss and aud values.
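
A client-side pre-flight check for the claims described above, added here as an example; it is not Optimizely's or Google's code. The names `preflight`, `make_token` and `REGISTERED_ISSUER` and the sample client ID are assumptions made for illustration, and the script only inspects claims without verifying the signature.

```python
import base64
import json
import time

REGISTERED_ISSUER = "https://accounts.google.com"  # issuer registered with Graph


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def preflight(token, audience, now=None):
    """List claim mismatches with the registered config; signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWT (expected header.payload.signature)"]
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        claims = None
    if not isinstance(claims, dict):
        return ["payload is not a base64url-encoded JSON object"]
    problems = []
    # Exact comparison: Google documents both "https://accounts.google.com" and
    # "accounts.google.com" as iss values; only the registered form passes here.
    if claims.get("iss") != REGISTERED_ISSUER:
        problems.append(f"iss {claims.get('iss')!r} is not the registered issuer")
    aud = claims.get("aud")
    # RFC 7519 allows aud to be one string or a list of strings.
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include the registered audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        problems.append("token is expired or has no exp claim")
    return problems


def make_token(claims):
    # Constructed sample: unsigned token with a dummy signature segment.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    cid = "example-client-id.apps.googleusercontent.com"  # constructed audience
    sample = make_token({"iss": "accounts.google.com", "aud": cid, "exp": 1696844235})
    print(preflight(sample, cid, now=1696840700))
```

An empty list means the iss, aud and exp claims line up with the registered values; Optimizely Graph still performs the actual validation on each request.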

Authorize with Optimizely Graph

Send your GraphQL query to the query endpoint, passing the JWT you received in the previous step as a Bearer token in the Authorization header.

curl --location 'https://cg.optimizely.com/content/v2?tenant_id=f26abab66d914405b839f6daa69d6c28' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImM2MjYzZDA5NzQ1YjUwMzJlNTdmYTZlMWQwNDFiNzdhNTQwNjZkYmQiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiI0Mjc1NjY2OTc3NDktM2tuaG5rZm5rOHYyajh0NjBzaGc4bm9sZzB0cnFrdTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiI0Mjc1NjY2OTc3NDktM2tuaG5rZm5rOHYyajh0NjBzaGc4bm9sZzB0cnFrdTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDk4MzkyMTAzNDMwMzE5ODU3MzkiLCJlbWFpbCI6Im1hbmhxdWFuZy5mcHRAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF0X2hhc2giOiJseVktUkk3Mllnc1JISXVNRGM2Q0d3IiwibmFtZSI6Ik1hbmggUXVhbmcgVHJhbiIsInBpY3R1cmUiOiJodHRwczovL2xoMy5nb29nbGV1c2VyY29udGVudC5jb20vYS9BQ2c4b2NMYVRyM3BWMVRTTGNCUVpyanRtU3ZuMlREUll0TEtLQWhYN0RVTl9kUW89czk2LWMiLCJnaXZlbl9uYW1lIjoiTWFuaCBRdWFuZyIsImZhbWlseV9uYW1lIjoiVHJhbiIsImxvY2FsZSI6ImVuIiwiaWF0IjoxNjk2ODQwNjM1LCJleHAiOjE2OTY4NDQyMzV9.zQFSSLm3XKPs1kC3_7IgIfdJlxYAglQlLn-9Zs1NL2r5uQsMne2sxjSEN3u6Ia063Rrs5R3fpUcTo-SdoRnkn0lYN3V4WVxTa4AVq4_JE9SrFODof6L6XQ44QjmHJzdACjXvH-w46HBtfwuXA53yOPZLlANm4-JZtngikZdUKo7gUKvX1IHGZB3hjue-h8svwAI2W0bomLvuoVgPyurZUV1UD4aMXxOeMwpPAKJtnpS6YCwd6nngcdlU_tBYjusviGpHbXBLGsivx8-ykRb62ZgaY4RZ9uvQ51OscnW1z6gS-ULAuoZq4rsNRXxKr1h7F6LXDXBMAptqM5qqcp8tEA' \
--header 'Content-Type: application/json' \
--data '{"query":"{\n    Content {\n        items {\n            Name\n        }\n    }\n}","variables":{}}'