Change Google OAuth to Saved Credentials

By default, the Google Analytics, Google BigQuery and Google Sheets connectors use a managed keychain for OAuth tokens that are generated for Tableau Server by the provider and shared by all users on the same site.

You can convert the connectors that use managed keychain to use saved credentials by configuring Tableau Server with an OAuth client ID and secret for each connector. For more information about managed keychain and saved credentials, see OAuth Connections.

This topic describes how to set up your Google Analytics, Google BigQuery and Google Sheets connections for OAuth with saved credentials. Complete these steps for each Tableau Server instance.

Note: All Google-based connectors require either managed keychain, server-wide OAuth or site-specific OAuth. If using site-specific OAuth, each site must be configured individually.

Set up OAuth by following these general steps:

  1. Enable API access and create an access token from Google.
  2. Use the information you obtained in step 1 to configure Tableau Server.
  3. (Optional) Configure site-specific OAuth.
  4. Create and edit a Google data source.

Obtain a client ID and enable Google APIs

Note These steps reflect the settings in the Google Cloud Platform console at the time of this writing. For more information, see Using OAuth 2.0 for Web Server Applications(Link opens in a new window) in the Google Developers Console Help.

  1. Sign in to Google Cloud Platform(Link opens in a new window), and then click Go to my console.

  2. On the drop-down menu, Select a Project, select Create project.

  3. In the new project form that appears, complete the following:

    • Give the project a meaningful name that reflects the Tableau Server instance for which you’ll use this project.

    • Determine whether you want to change the project ID.

      Note After you create the project, you will not be able to change the project ID. For information, click the question mark icons.

  4. Open the new project, navigate to APIs & Services > OAuth consent screen. and select the User Type.

  5. Click the OAuth consent screen tab and then enter a meaningful name for Product name shown to users.

  6. Click Credentials and click the Create Credentials tab, then click OAuth client ID.

  7. On the Create OAuth client ID screen, fill out the required fields. Follow the steps to authorise your OAuth tokens:

    • Select Web Application.

    • Enter a client Name.

    • For Authorised JavaScript Origins, click ADD URI and enter the local computer name of your Tableau Server.

    • For Authorised redirect URIs, click ADD URI and replace the example text with the Internet address for your Tableau Server, and add the following text to the end of it: auth/add_oauth_token. For example:

      https://your_server_url.com/auth/add_oauth_token

  8. Copy the Authorised Redirect URI, and paste it in a location that you can access from your Tableau Server computer.

  9. Click Create .

  10. Copy the following values that Google returns, and paste them in a location that you can access from your Tableau Server computer:

    • Client ID
    • Client secret
  11. In APIs ManagerDashboards, verify that BigQuery APIGoogle Drive API (to enable Google Sheets) or Analytics API is enabled. To enable APIs, click ENABLE API at the top of the page.

Configure Tableau Server for Google OAuth

Using the information you obtained by completing the steps in Obtain a client ID and enable Google APIs, configure your Tableau Server:

  • On the Tableau Server computer, open the shell and run the following commands to specify the access token and URI:

    tsm configuration set -k oauth.google.client_id -v <your_client_ID>

    tsm configuration set -k oauth.google.client_secret -v <your_client_secret>

    tsm configuration set -k oauth.google.redirect_uri -v <your_authorized_redirect_URI>

    tsm pending-changes apply

    If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case, there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behaviour. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

Configure custom OAuth for a site

You can configure a custom Google OAuth client for a site.

Consider configuring a custom OAuth client to 1) override an OAuth client if configured for the server or 2) enable support for securely connecting to data that requires unique OAuth clients.

When a custom OAuth client is configured, the site-level configuration takes precedence over any server-side configuration and all new OAuth credentials created use the site-level OAuth client by default. No Tableau Server restart is required for the configurations to take effect.

Important: Existing OAuth credentials established before the custom OAuth client is configured are temporarily usable but both server administrators and users must update their saved credentials to help ensure uninterrupted data access.

Step 1: Prepare the OAuth client ID, client secret and redirect URL

Before you can configure the custom OAuth client, you need the information listed below. After you have this information prepared, you can register the custom OAuth client for the site.

  • OAuth client ID and client secret: First register the OAuth client with the data provider (connector) to retrieve the client ID and secret generated for Tableau Server.

  • Redirect URL: Note the correct redirect URL. You will need this during the registration process in Step 2 below.

    https://<your_server_name>.com/auth/add_oauth_token

    For example, https://myco.com/auth/add_oauth_token

Step 2: Register the OAuth client ID and client secret

Follow the procedure described below to register the custom OAuth client to the site.

  1. Sign in to your Tableau Server site using your admin credentials and navigate to the Settings page.

  2. Under OAuth Clients Registry, click the Add OAuth Client button.

  3. Enter the required information, including the information from Step 1 above:

    1. For Connection Type, select the connector whose custom OAuth client you want to configure.

    2. For Client ID, Client Secret, and Redirect URL, enter the information you prepared in Step 1 above.

    3. Click the Add OAuth Client button to complete the registration process.

  4. (Optional) Repeat step 3 for all supported connectors.

  5. Click the Save button at the bottom or top of the Settings page to save changes.

Step 3: Validate and update saved credentials

To help ensure uninterrupted data access, you (and your site users) must delete the previous saved credentials and add it again to use the custom OAuth client for the site.

  1. Navigate to your My Account Settings page.

  2. Under Saved Credentials for Data Sources, do the following:

    1. Click Delete next to the existing saved credentials for the connector whose custom OAuth client you configured in Step 2 above.

    2. Next to connector name, click Add and follow the prompts to 1) connect to the custom OAuth client configured in Step 2 above and 2) save the latest credentials.

Step 4: Notify users to update their saved credentials

Make sure you notify your site users to update their saved credentials for the connector whose custom OAuth client you configured in Step 2 above. Site users can use the procedure described in Update saved credentials to update their saved credentials.

Create and edit Google data source

Next, you must publish the Google data sources to the server. For example, see the Tableau Desktop topic, Google BigQuery(Link opens in a new window).

After you've published the data sources, the final step is to edit the data source connection to use the embedded access token that you configured earlier. See Edit Connections on Tableau Server.

Managing access tokens

After you configure the server for OAuth, you can allow users to manage their own access tokens in their profile settings, or you can manage the tokens centrally. For more information, see Allow Saved Access Tokens.

Thanks for your feedback!