Article ID: KB0138463
Description
Users attempting to configure Spotfire Web Player to access Google BigQuery reports must specify an OAuth 2.0 Redirect URI as part of the setup, as described in the Spotfire documentation (Enabling Google connectors in Spotfire web clients).
Problem:
The Spotfire documentation specifies using https://<spotfire_server>/spotfire/wp/oauth2/code as the Redirect URI. However, customers often have internal Spotfire Servers (e.g., http://spotfire.test.org/) that are not publicly accessible and may only operate on HTTP.
When attempting to use an HTTP-based URI like http://spotfire.test.org/spotfire/wp/oauth2/code, Google's OAuth validation will reject it.
Underlying Cause:
Google's OAuth 2.0 validation rules mandate that Redirect URIs use the HTTPS scheme. Plain HTTP is only permitted for localhost URIs (including localhost IP address URIs). Any other Redirect URI submitted to Google Cloud Platform OAuth credentials must be HTTPS.
Internal Server Accessibility:
An internal-only Spotfire Server setup is fully supported. The server itself does not require public internet access. However, during the OAuth authentication flow, the end-user's browser must be able to reach the configured Redirect URI (e.g., https://spotfire.test.org/spotfire/wp/oauth2/code) via the internal network or VPN.
Resolution
To successfully configure Google BigQuery OAuth for Spotfire Web Player when your Spotfire Server is internal or uses HTTP, you must ensure the Redirect URI adheres to Google's HTTPS requirement.
- Understand the HTTPS Requirement:
  - Google OAuth 2.0 requires that your Redirect URI uses HTTPS. An HTTP URI (e.g., http://spotfire.test.org/spotfire/wp/oauth2/code) will be rejected by Google Cloud Platform.
  - The correct format for the Redirect URI in Google Cloud Platform OAuth credentials will always begin with https://.
- Choose a Configuration Option:
  - Option 1: Enable HTTPS Directly on Your Spotfire Server
    - If feasible, configure your Spotfire Server to use HTTPS directly. This involves obtaining and installing an SSL/TLS certificate for your server.
    - Once HTTPS is enabled, update your server's base URL to https://<your_spotfire_server_host>/.
    - In Google Cloud Platform OAuth credentials, use the following as the Redirect URI: https://<your_spotfire_server_host>/spotfire/wp/oauth2/code
    - Example: If your server is spotfire.test.org, the Redirect URI would be https://spotfire.test.org/spotfire/wp/oauth2/code.
  - Option 2: Use a Reverse Proxy or Load Balancer for HTTPS Termination
    - If enabling HTTPS directly on your Spotfire Server is not practical (e.g., your server only runs on HTTP internally), deploy a reverse proxy or load balancer in front of your Spotfire Server.
    - Configure the reverse proxy/load balancer to handle HTTPS traffic (terminate SSL/TLS). It will present an HTTPS endpoint to external clients and then forward requests to your internal HTTP Spotfire Server.
    - In Google Cloud Platform OAuth credentials, set the Redirect URI to the HTTPS endpoint exposed by your reverse proxy or load balancer.
    - Example: If your Spotfire Server is http://spotfire.test.org/ internally, but your reverse proxy exposes https://spotfire.test.org/ to users, then the Redirect URI in Google Cloud Platform would be https://spotfire.test.org/spotfire/wp/oauth2/code. This setup is fully supported.
- Ensure End-User Browser Accessibility:
  - Regardless of the chosen option, verify that end-users' browsers can reach the configured HTTPS Redirect URI. This is crucial for the OAuth authentication flow to complete successfully. This typically means users must be within your internal network or connected via VPN to access the Spotfire Web Player and complete the Google authentication.
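As an added example (not part of the Spotfire or Google documentation), this Python pre-check applies the rules stated in this article to a candidate Redirect URI before it is entered in Google Cloud Platform: HTTPS is required, plain HTTP is accepted only for localhost (including loopback IP addresses), and the path must be the Spotfire callback path. The function names are hypothetical, the exact-path match is an assumption, and the check covers only these rules, not Google's full validation.

```python
import ipaddress
from urllib.parse import urlsplit

# Callback path quoted in this article for Spotfire Web Player.
SPOTFIRE_CALLBACK_PATH = "/spotfire/wp/oauth2/code"


def _is_localhost(host):
    """True for the name 'localhost' or any loopback IP (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary DNS name, not an IP literal


def check_redirect_uri(uri):
    """Return a list of problems; an empty list means the URI passes."""
    problems = []
    parts = urlsplit(uri)
    host = parts.hostname or ""

    if not host:
        problems.append("no host in URI")

    if parts.scheme == "http":
        # Plain HTTP is only permitted for localhost URIs.
        if not _is_localhost(host):
            problems.append("HTTPS required: plain HTTP is only allowed for localhost")
    elif parts.scheme != "https":
        problems.append("HTTPS required: unsupported scheme %r" % parts.scheme)

    # Assumption: the path must match the documented callback path exactly.
    if parts.path != SPOTFIRE_CALLBACK_PATH:
        problems.append("path must be " + SPOTFIRE_CALLBACK_PATH)

    return problems


if __name__ == "__main__":
    # Constructed sample inputs based on the hostnames used in this article.
    for candidate in (
        "https://spotfire.test.org/spotfire/wp/oauth2/code",
        "http://spotfire.test.org/spotfire/wp/oauth2/code",
        "http://localhost:8080/spotfire/wp/oauth2/code",
    ):
        print(candidate, "->", check_redirect_uri(candidate) or "OK")
```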
Issue/Introduction
When configuring Google BigQuery data connections for Spotfire Web Player, the OAuth 2.0 Redirect URI must use HTTPS, even if your Spotfire Server is internal or primarily uses HTTP. This article clarifies Google's HTTPS requirement for Redirect URIs and provides solutions for connecting Spotfire Web Player to Google BigQuery in various network configurations.
Additional Information
DOC: Spotfire Analyst User's Guide - Enabling Web Clients for Google BigQuery:
DOC: Google Identity Platform - OAuth 2.0 for Web Server Applications (Redirect URI validation rules):