Accessing REST API with Google OAuth

Beginner here.

My organization’s instance of Metabase uses Google OAuth for sign-in. I want to figure out how I can send API calls to it and set it up so it automatically grabs a refreshed Google Auth token.

How would I go about this? Would I need my IT department to set up a Google API Service Account? If they do that, what would I do next?

Any documentation would be helpful.

-Michael

Hi @michaelkleban
Unless you’re hard set on using Google Auth, then you could just set up a regular non-Google user in Metabase, which uses email+password and that could be used for the API.
Also have a look at this topic: Metabase API Authentication

Thanks, Flamber. I will ask my security team if that’s possible. In case they require OAuth, do you know of any online resources you could point me to?

@michaelkleban You would need to do the authentication with /api/session/google_auth, which will return a session token that you’ll use in the header X-Metabase-Session. But I don’t know if you can do that programmatically with all the new much stricter cookie restrictions and Google’s protective measures.
If you check your browser developer console, then you can see every request sent/received - almost everything you can do in the interface is also available in the API.

Alternatively, you can define an environment variable MB_API_KEY and pass the header X-Metabase-Apikey with the same value (I don’t remember testing this, so just writing from memory):
https://github.com/metabase/metabase/blob/6f271dbe7ec7598b6878dcdede88ffdfc68dcaac/docs/operations-guide/environment-variables.md#mb_api_key

@flamber - I seem to have figured out how to obtain a refreshed Google OAuth token. When observing the Network tab of Chrome Dev Tools upon signing into Metabase, there is a call it makes to Google called “iframerpc?action=IssueToken…”. Simply copy the headers and URL endpoint from that and it seems to work each time. The “id_token” element from that JSON response is your refreshed token. That can then be used in the api/session/google_auth call you mentioned.

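The session flow discussed in this thread, as an added example (not code from the posters or from the Metabase project): a Google id_token is exchanged at /api/session/google_auth for a session token, which is then sent in the X-Metabase-Session header and renewed once if the API answers 401. The "token" request field, the "id" response field, the 401-on-expiry behaviour and the caller-supplied get_id_token function are assumptions to check against your own instance.

```python
import json
import urllib.error
import urllib.request


def http_transport(base_url):
    """Return a send(method, path, headers, body) callable backed by urllib."""
    def send(method, path, headers, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json", **headers})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.loads(resp.read() or b"null")
        except urllib.error.HTTPError as err:
            return err.code, None
    return send


class MetabaseSession:
    """Caches the Metabase session token and renews it once on HTTP 401."""

    def __init__(self, send, get_id_token):
        self._send = send                  # transport, e.g. http_transport("https://...")
        self._get_id_token = get_id_token  # assumption: caller returns a fresh Google id_token
        self._token = None                 # session token is a secret: never log or print it

    def _login(self):
        # Assumed request/response shape: {"token": <id_token>} -> {"id": <session token>}
        status, body = self._send("POST", "/api/session/google_auth", {},
                                  {"token": self._get_id_token()})
        if status != 200 or not body or "id" not in body:
            raise PermissionError(f"google_auth login failed (HTTP {status})")
        self._token = body["id"]

    def request(self, method, path, body=None):
        if self._token is None:
            self._login()
        for attempt in range(2):
            status, data = self._send(method, path,
                                      {"X-Metabase-Session": self._token}, body)
            if status != 401 or attempt == 1:
                return status, data
            self._login()  # session expired or revoked: re-authenticate once, then retry
```

Injecting the transport keeps the token handling testable without a live server; in real use pass http_transport with the instance's HTTPS base URL.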