Configure OAuth for a Google BigQuery connection

Learn how to configure OAuth in your Google Cloud project. In order to use the OAuth authentication type for a Google BigQuery connection in ThoughtSpot, you must complete these steps. These steps are a representative example that serve as a guide to set up OAuth credentials in your Google Cloud project. For more information, refer to the official Google documentation links provided at the end of this article.

Each ThoughtSpot instance requires a unique BigQuery security integration. Each user in BigQuery must have a default warehouse and default role.

The following sections describe how to configure an OAuth consent screen and generate OAuth credentials. If you’ve already configured an OAuth consent screen for another application in your project, you won’t need to create another; you configure only one consent screen for all applications in a project.

For more information about configuring the Google OAuth consent screen, see the Google Support documentation.

  1. Sign in to your Google Cloud project.

  2. In the left menu, select APIs & Services and click OAuth consent screen.

    Select OAuth consent screen

  3. For User Type, select External, and click Create.

    Select External for User type

  4. Google displays the OAuth consent screen page. Fill out the fields as follows:

    1. For App name, enter the name of the application. In this case, the name is ThoughtSpot_GBQ.

    2. For User support email, enter the support email that users should contact with login or consent issues.

      Consent screen page

    3. Click + ADD DOMAIN to reveal the Authorized domain 1 field. In this field, enter the domain of the URL to your ThoughtSpot instance. For example, if ThoughtSpot hosts your instance at https://<instance_name>.thoughtspot.cloud, the domain is thoughtspot.cloud.com.

      Add authorized domain

    4. In the Developer contact information section, enter one or more emails addresses that Google can use to contact you about your project. The remaining fields are optional, but you can use them to further customize your consent screen.

      Developer email

  5. Click SAVE AND CONTINUE.

  6. Google displays the Scopes page. You can add scopes as shown in the following image. Click SAVE AND CONTINUE.

    Add scopes

  7. The scope selected in the following image is sufficient to create a connection and view data in BigQuery.

    https://www.googleapis.com/auth/bigquery.readonly

    Update selected scopes

  8. On the Summary page, click BACK TO DASHBOARD.

Generate Google OAuth credentials

  1. Go to the Google Cloud console.

  2. In the left menu, select the APIs & Services page. Then click Credentials.

    Credentials

  3. On the Credentials page, click the down arrow in the Create credentials button, and select OAuth client ID from the dropdown menu.

    OAuth client ID

  4. If you’ve already configured an OAuth consent screen, Google displays the Create OAuth client ID page, which lets you create and OAuth client ID and client secret to use in your Google BigQuery connection in ThoughtSpot.

  5. From the Application type dropdown, select Web application. The page expands to display additional options.

    Select web application as application type

    Fields to create an OAuth client ID

    1. For Name, enter a name for the app, such as ConnectionsOAuth.

    2. The Authorized Javascript origins section is optional, unless you are redirecting using javascript.

    3. For Authorized redirect URIS, click + ADD URI to display the URIs 1 field. For URIs 1, enter the URL to your ThoughtSpot instance, followed by /callosum/v1/connection/generateTokens.
      For example,
      https://thoughtspot.cloud/callosum/v1/connection/generateTokens.

      Authorized redirect URI

      If your IdP supports rotation of refresh tokens with every usage, please ensure that this option is NOT chosen. ThoughtSpot does not support one-time use refresh tokens.

  6. Click Create. Google displays your Client ID and your Client Secret in a pop-up dialog box.

    Client ID and Client secret

  7. Copy your client ID and your client secret values. You will need them to configure OAuth for the BigQuery connection in ThoughtSpot.

Logging in to a connection created by another user using OAuth

As an admin user, you may run into an issue logging in to connections created using OAuth. To resolve this issue, complete the following steps:

  1. Search on a table belonging to the connection you are trying to edit. The following error appears:

    Error reading “Error in loading data. Connection to Snowflake could not be established. OAuth login required. Login”

  2. Click Login. You will be directed to the IDP login page.

  3. Enter your login credentials.

  4. You will now have access to edit the connection.

References

OAuth connection improvements

If you do not have a valid OAuth access token, you can now directly navigate to the OAuth authorization screen when performing one of the following actions on a connection shared with you:

  • View sample data

  • Create a custom SQL view

  • Edit the connection

Related information

Was this page helpful?
×