google-oauth

How to use multiple Google API OAuth2 authorizations within one application?


In my web application I have implemented Google OAuth2 to connect to Google Sheets and that works just fine.

Now I distribute this web application to different users who use it on multiple websites. Each website needs to get the OAuth2 authorization, and that is where I sort of don't know what to do.

Let's say I have domains a.com, b.com and c.com and my Google account is me@gmail.com. In the Google console I create an OAuth2 Client ID and add the 3 approved redirects for all 3 domains.

In a.com I enter my client ID and client secret, go through the authorization process and get an access token, refresh token and some more data. If I now go to website b.com and do exactly the same, the credentials on website a.com will become invalid. That makes sense, because the refresh token is on site b.com now.

So the other idea I had was to create 3 OAuth2 clients in the Google Console, one for each domain. However, when I go through the authorization here, the refresh token seems to become invalid as well.

My final idea was that I am going to need 3 different Gmail accounts, one for each website, and set up the OAuth client for each website in its respective account. This would then also mean that I will see 3 different consents in the connections overview at https://myaccount.google.com/connections.

It just seems cumbersome to have to create a new Gmail account every time a website is added.

What is the correct way to go about managing these authorizations?

Any insight is appreciated.


Solution

  • If these 3 sites are all properties you control, you should set up 1 central place that handles OAuth2 and find a different way for the resulting credentials to be shared across the 3 sites.

    If these are all owned by different people, because maybe this is an on-premise installation, generally this kind of software always provides instructions per installation on how they can set up their Google account from scratch and get a unique client_id and client_secret.
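The central-place arrangement the answer recommends, sketched as an added example (not code from the original question or answer): one broker holds the single refresh token obtained by one authorization flow, and a.com, b.com and c.com only ever ask it for short-lived access tokens, so nothing is re-authorized per site. The site allow-list, the injectable `now` clock and the `fake_google_refresh` stand-in for Google's token endpoint are assumptions made for the sketch.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Stand-in for POST https://oauth2.googleapis.com/token (grant_type=refresh_token); it returns
# Google's JSON ({"access_token": ..., "expires_in": seconds}). Injected so the example runs offline.
RefreshFn = Callable[[str], dict]

@dataclass
class StoredGrant:
    refresh_token: str                 # the one long-lived credential; never leaves the broker
    access_token: Optional[str] = None
    expires_at: float = 0.0

class TokenBroker:
    """Central service that owns the refresh token for one client_id and one Google
    account; registered sites only ever receive short-lived access tokens."""

    def __init__(self, refresh_fn: RefreshFn, allowed_sites: Set[str],
                 now: Callable[[], float] = time.time, skew: int = 60):
        self._refresh, self._allowed, self._now, self._skew = refresh_fn, allowed_sites, now, skew
        self._grants: Dict[str, StoredGrant] = {}   # keyed by Google account
        self.refresh_calls = 0                      # makes the sharing observable

    def store_grant(self, account: str, refresh_token: str) -> None:
        # Called once, by the single authorization flow run at the central place.
        self._grants[account] = StoredGrant(refresh_token)

    def access_token_for(self, site: str, account: str) -> str:
        if site not in self._allowed:               # hypothetical allow-list of site hostnames
            raise PermissionError(f"{site} is not registered with the broker")
        grant = self._grants[account]
        if grant.access_token is None or self._now() >= grant.expires_at - self._skew:
            resp = self._refresh(grant.refresh_token)   # one refresh, reused by every site
            self.refresh_calls += 1
            grant.access_token = resp["access_token"]
            grant.expires_at = self._now() + int(resp["expires_in"])
        return grant.access_token

def fake_google_refresh(refresh_token: str) -> dict:
    # Constructed response; a real deployment would POST to Google's token endpoint here.
    return {"access_token": "ya29.demo-" + refresh_token[-4:], "expires_in": 3600}

def demo() -> int:
    """a.com, b.com and c.com all fetch tokens; returns the number of refresh calls."""
    broker = TokenBroker(fake_google_refresh, {"a.com", "b.com", "c.com"})
    broker.store_grant("me@gmail.com", "1//refresh-demo")
    for site in ("a.com", "b.com", "c.com", "a.com"):
        broker.access_token_for(site, "me@gmail.com")
    return broker.refresh_calls   # 1: one grant served all three sites
```

The sites still need an authenticated channel to the broker (and the broker needs encrypted storage for the refresh token); those pieces are left out of the sketch.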