Google Cloud OAuth

Configure the Google OAuth app used by browser-based GCP deployments.

The GCP deployment portal can let a customer's admin deploy from the browser by signing in with Google. Alien uses the Google OAuth token only for the one-time bootstrap, then hands ongoing management to the scoped service account created during setup.

Default Provider

Projects can use Alien's managed Google OAuth app by default. This is the fastest path when you do not need custom consent-screen branding.

The app requests the cloud-platform scope because initial setup may need to enable APIs, create service accounts, add IAM bindings, and create frozen infrastructure resources.

White-Labeled Provider

For a white-labeled deployment page, configure a custom Google OAuth provider on the project. Google shows the consent screen branding from the GCP project that owns the OAuth client, so a custom deployment page should use a dedicated GCP project with its own Auth Platform brand and OAuth web client.

Create a Google OAuth web client with the redirect URI shown in the project's deployment page settings. The URI points at the selected manager:

https://<manager-host>/v1/gcp/oauth/callback

Then open the project's deployment page settings and select Custom app under Google Cloud OAuth. Enter the client ID and client secret from Google Cloud Console.

Security Model

Alien does not return the OAuth access token to the browser. The manager stores it only in a short-lived deployment session, uses it for the bootstrap, and deletes the session after one attempt.
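The single-use session handling described above can be sketched as follows. This is an added example, not Alien's code: the names `DeploymentSessionStore` and `run_bootstrap`, the in-memory dictionary, and the 600-second lifetime are all assumptions made for illustration.

```python
import secrets
import threading
import time


class DeploymentSessionStore:
    """Server-side store: the browser only ever holds an opaque session id."""

    def __init__(self, ttl_seconds=600, clock=time.monotonic):
        self._ttl = ttl_seconds      # assumed lifetime, not a value from the docs
        self._clock = clock          # injectable so expiry can be tested
        self._lock = threading.Lock()
        self._sessions = {}          # session id -> (access token, expiry time)

    def create(self, access_token):
        """Called from the OAuth callback; returns the id handed to the browser."""
        session_id = secrets.token_urlsafe(32)
        with self._lock:
            self._sessions[session_id] = (access_token, self._clock() + self._ttl)
        return session_id

    def consume(self, session_id):
        """Delete the session and return its token, or None if unknown, used or expired."""
        with self._lock:
            entry = self._sessions.pop(session_id, None)
        if entry is None:
            return None
        token, expires_at = entry
        return token if self._clock() < expires_at else None


def run_bootstrap(store, session_id, bootstrap):
    """Run one bootstrap attempt; the session is gone whether it succeeds or fails."""
    token = store.consume(session_id)   # removed before the attempt starts
    if token is None:
        return {"status": "rejected", "reason": "unknown, expired or used session"}
    try:
        bootstrap(token)                # hypothetical callable doing the GCP setup
        return {"status": "bootstrapped"}
    except Exception as exc:
        # Report only the error type: a message string could echo the token.
        return {"status": "failed", "reason": type(exc).__name__}
```

Because `consume` pops the entry before the bootstrap runs, a failed attempt cannot be retried with the same session; the admin has to sign in with Google again.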

After bootstrap, ongoing deployment management uses the service account and impersonation model created inside the customer's GCP project. The OAuth client is only for the initial setup flow.

Use a separate OAuth app for ordinary dashboard sign-in. The deployment bootstrap app needs broad Google Cloud permissions, while dashboard sign-in usually only needs identity scopes.
