Set up OAuth for Google
By default, the Google Analytics, Google BigQuery and Google Sheets (deprecated in Tableau version 2022.1) connectors use a managed keychain for OAuth tokens that are generated for Tableau Server by the provider and shared by all users on the same site.
You can convert the connectors that use managed keychain to use saved credentials by configuring Tableau Server with an OAuth client ID and secret for each connector.
This topic describes how to set up your Google Analytics, Google BigQuery and Google Sheets connections for OAuth with saved credentials. Complete these steps for each Tableau Server instance.
Note: Google Drive connections use saved credentials by default and, starting in Tableau 2022.3, require Tableau Server to be set up with an OAuth client ID and secret for Google.
For more information about managed keychain and saved credentials, see OAuth Connections
Notes:
- All Google-based connectors require managed keychain (default), server-wide OAuth or site-specific OAuth.
- To use saved credentials for a site, server-wide OAuth must be configured first.
- Server-wide OAuth can be used whether site-wide OAuth is configured.
- If using site-specific OAuth, each site must be configured individually.
- To support live connection prompts, editing connections and web authoring, convert managed keychain to saved credentials to avoid errors.
Summary of steps
Set up OAuth by following these general steps:
- Enable API access and create an access token from Google.
- Use the information you obtained in step 1 to configure Tableau Server.
- (Optional) Configure site-specific OAuth.
- Create and edit a Google data source.
Obtain a client ID and enable Google APIs
Note These steps reflect the settings in the Google Cloud Platform console at the time of this writing. For more information, see Using OAuth 2.0 for Web Server Applications(Link opens in a new window) in the Google Developers Console Help.
Sign in to Google Cloud Platform(Link opens in a new window), and then click Go to my console.
On the drop-down menu, Select a Project and select Create project.
In the new project form that appears, complete the following:
Give the project a meaningful name that reflects the Tableau Server instance for which you’ll use this project.
Determine whether you want to change the project ID.
Note After you create the project, you won’t be able to change the project ID. For more information, click the question mark icons.
Open the new project, navigate to APIs & Services > OAuth consent screen. and select the User Type.
Click the OAuth consent screen tab and then enter a meaningful name for the Product name shown to users.
Click Credentials and click the Create Credentials tab, then click OAuth client ID.
On the Create OAuth client ID screen, fill out the required fields. Follow the steps to authorise your OAuth tokens:
Select Web Application.
Enter a client Name.
For Authorised JavaScript Origins, click ADD URI and enter the Tableau Server domain name using HTTP or HTTPS.
For Authorised redirect URIs, click ADD URI and replace the example text with the internet address for your Tableau Server, and add the following text to the end of it: auth/add_oauth_token. For example:
https://your_server_url.com/auth/add_oauth_token
Copy the Authorised Redirect URI, and paste it in a location that you can access from your Tableau Server computer.
Click Create .
Copy the following values that Google returns, and paste them in a location that you can access from your Tableau Server computer:
- Client ID
- Client secret
In APIs & services, verify that BigQuery API, Google Drive API (to enable Google Sheets) or Analytics API is enabled. To enable APIs, click ENABLE API at the top of the page.
Note: To establish a connection between Tableau Server and Google Analytics 4, you must enable both the Google Analytics Admin API and the Google Analytics Data API in the Google console. By adding these APIs, you can prevent any potential permissions errors that may arise during the process.
Configure Tableau Server for Google OAuth
Using the information you obtained by completing the steps in Obtain a client ID and enable Google APIs, configure your Tableau Server:
On the Tableau Server computer, open the shell and run the following commands to specify the access token and URI:
tsm configuration set -k oauth.google.client_id -v <your_client_ID>
tsm configuration set -k oauth.google.client_secret -v <your_client_secret>
tsm configuration set -k oauth.google.redirect_uri -v <your_authorized_redirect_URI>
tsm pending-changes apply
If the pending changes require a server restart, the
pending-changes apply
command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case, there is no restart. You can suppress the prompt using the--ignore-prompt
option, but this does not change the restart behaviour. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
Configure custom OAuth for a site
You can configure a custom Google OAuth client for a site.
Consider configuring a custom OAuth client to 1) override an OAuth client if configured for the server or 2) enable support for securely connecting to data that requires unique OAuth clients.
When a custom OAuth client is configured, the site-level configuration takes precedence over any server-side configuration and all new OAuth credentials created use the site-level OAuth client by default. No Tableau Server restart is required for the configurations to take effect.
Important: Existing OAuth credentials established before the custom OAuth client is configured are temporarily usable but both server administrators and users must update their saved credentials to help ensure uninterrupted data access.
1: Prepare the OAuth client ID, client secret and redirect URL
Before you can configure the custom OAuth client, you need the information listed below. After you have this information prepared, you can register the custom OAuth client for the site.
OAuth client ID and client secret: First register the OAuth client with the data provider (connector) to retrieve the client ID and secret generated for Tableau Server.
Redirect URL: Note the correct redirect URL. You will need this during the registration process in Step 2 below.
https://<your_server_name>.com/auth/add_oauth_token
For example, https://example.com/auth/add_oauth_token
2: Register the OAuth client ID and client secret
Follow the procedure described below to register the custom OAuth client to the site.
Sign in to your Tableau Server site using your admin credentials and navigate to the Settings page.
Under OAuth Clients Registry, click the Add OAuth Client button.
Enter the required information, including the information from Step 1 above:
For Connection Type, select the connector whose custom OAuth client you want to configure.
OAuth Instance URL is required if multiple OAuth clients are being registered. Otherwise, it is optional.
For Client ID, Client Secret, and Redirect URL, enter the information you prepared in Step 1 above.
Click the Add OAuth Client button to complete the registration process.
(Optional) Repeat step 3 for all supported connectors.
- Click the Save button at the bottom or top of the Settings page to save changes.
3: Validate and update saved credentials
To help ensure uninterrupted data access, you (and your site users) must delete the previous saved credentials and add it again to use the custom OAuth client for the site.
Navigate to your My Account Settings page.
Under Saved Credentials for Data Sources, do the following:
Click Delete next to the existing saved credentials for the connector whose custom OAuth client you configured in Step 2 above.
Next to connector name, click Add and follow the prompts to 1) connect to the custom OAuth client configured in Step 2 above and 2) save the latest credentials.
4: Notify users to update their saved credentials
Make sure you notify your site users to update their saved credentials for the connector whose custom OAuth client you configured in Step 2 above. Site users can use the procedure described in Update saved credentials to update their saved credentials.
Create and edit Google data source
Next, you must publish the Google data sources to the server. For example, see the Tableau Desktop topic, Google BigQuery(Link opens in a new window).
After you've published the data sources, the final step is to edit the data source connection to use the embedded access token that you configured earlier. See Edit Connections on Tableau Server.
Managing access tokens
After you configure the server for OAuth, you can allow users to manage their own access tokens in their profile settings, or you can manage the tokens centrally. For more information, see Allow Saved Access Tokens.
Forward proxy for OAuth authentication
For more information about setting up a forward proxy with OAuth authentication for Tableau Server (Windows only), see Configure a Forward Proxy for OAuth Authentication(Link opens in a new window) in the Tableau Help.