go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-04-04 22:34:22 +02:00
Code Issues Releases Activity
oauth2-proxy/docs/next/configuration/providers/google/index.html

30 lines
25 KiB
HTML
Raw Blame History

<!doctype html>
<html lang="en" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-configuration/providers/google" data-has-hydrated="false">
<head>
<meta charset="UTF-8">
<meta name="generator" content="Docusaurus v2.4.3">
<title data-rh="true">Google (default) | OAuth2 Proxy</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/google"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="Google (default) | OAuth2 Proxy"><meta data-rh="true" name="description" content="For Google, the registration steps are:"><meta data-rh="true" property="og:description" content="For Google, the registration steps are:"><link data-rh="true" rel="icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-rh="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/google"><link data-rh="true" rel="alternate" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/google" hreflang="en"><link data-rh="true" rel="alternate" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/google" hreflang="x-default"><link rel="stylesheet" href="/oauth2-proxy/assets/css/styles.4014daec.css">
<link rel="preload" href="/oauth2-proxy/assets/js/runtime~main.797195fe.js" as="script">
<link rel="preload" href="/oauth2-proxy/assets/js/main.1106c429.js" as="script">
</head>
<body class="navigation-with-keyboard">
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=new URLSearchParams(window.location.search).get("docusaurus-theme")}catch(t){}return t}()||function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<div role="region" aria-label="Skip to main content"><a class="skipToContent_fXgn" href="#__docusaurus_skipToContent_fallback">Skip to main content</a></div><nav aria-label="Main" class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Toggle navigation bar" aria-expanded="false" class="navbar__toggle clean-btn" type="button"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/oauth2-proxy/"><div class="navbar__logo"><img src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy" class="themedImage_ToTc themedImage--light_HNdA"><img src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy" class="themedImage_ToTc themedImage--dark_i4oU"></div><b class="navbar__title text--truncate">OAuth2 Proxy</b></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__link" aria-haspopup="true" aria-expanded="false" role="button" href="/oauth2-proxy/docs/next/">Next</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/next/configuration/providers/google">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/">7.5.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.4.x/">7.4.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.3.x/">7.3.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.2.x/">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub<svg width="13.5" height="13.5" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a><div class="toggle_vylO colorModeToggle_DEke"><button class="clean-btn toggleButton_gllP toggleButtonDisabled_aARS" type="button" disabled="" title="Switch between dark and light mode (currently light mode)" aria-label="Switch between dark and light mode (currently light mode)" aria-live="polite"><svg viewBox="0 0 24 24" width="24" height="24" class="lightToggleIcon_pyhR"><path fill="currentColor" d="M12,9c1.65,0,3,1.35,3,3s-1.35,3-3,3s-3-1.35-3-3S10.35,9,12,9 M12,7c-2.76,0-5,2.24-5,5s2.24,5,5,5s5-2.24,5-5 S14.76,7,12,7L12,7z M2,13l2,0c0.55,0,1-0.45,1-1s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S1.45,13,2,13z M20,13l2,0c0.55,0,1-0.45,1-1 s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S19.45,13,20,13z M11,2v2c0,0.55,0.45,1,1,1s1-0.45,1-1V2c0-0.55-0.45-1-1-1S11,1.45,11,2z M11,20v2c0,0.55,0.45,1,1,1s1-0.45,1-1v-2c0-0.55-0.45-1-1-1C11.45,19,11,19.45,11,20z M5.99,4.58c-0.39-0.39-1.03-0.39-1.41,0 c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0s0.39-1.03,0-1.41L5.99,4.58z M18.36,16.95 c-0.39-0.39-1.03-0.39-1.41,0c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0c0.39-0.39,0.39-1.03,0-1.41 L18.36,16.95z M19.42,5.99c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06c-0.39,0.39-0.39,1.03,0,1.41 s1.03,0.39,1.41,0L19.42,5.99z M7.05,18.36c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06 c-0.39,0.39-0.39,1.03,0,1.41s1.03,0.39,1.41,0L7.05,18.36z"></path></svg><svg viewBox="0 0 24 24" width="24" height="24" class="darkToggleIcon_wfgR"><path fill="currentColor" d="M9.37,5.51C9.19,6.15,9.1,6.82,9.1,7.5c0,4.08,3.32,7.4,7.4,7.4c0.68,0,1.35-0.09,1.99-0.27C17.45,17.19,14.93,19,12,19 c-3.86,0-7-3.14-7-7C5,9.07,6.81,6.55,9.37,5.51z M12,3c-4.97,0-9,4.03-9,9s4.03,9,9,9s9-4.03,9-9c0-0.46-0.04-0.92-0.1-1.36 c-0.98,1.37-2.58,2.26-4.4,2.26c-2.98,0-5.4-2.42-5.4-5.4c0-1.81,0.89-3.42,2.26-4.4C12.92,3.04,12.46,3,12,3L12,3z"></path></svg></button></div><div class="searchBox_ZlJk"><div class="navbar__search searchBarContainer_NW3z"><input placeholder="Search" aria-label="Search" class="navbar__search-input"><div class="loadingRing_RJI3 searchBarLoadingRing_YnHq"><div></div><div></div><div></div><div></div></div><div class="searchHintContainer_Pkmr"><kbd class="searchHint_iIMx">ctrl</kbd><kbd class="searchHint_iIMx">K</kbd></div></div></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div id="__docusaurus_skipToContent_fallback" class="main-wrapper mainWrapper_z2l0 docsWrapper_BCFX"><button aria-label="Scroll back to top" class="clean-btn theme-back-to-top-button backToTopButton_sjWU" type="button"></button><div class="docPage__5DB"><aside class="theme-doc-sidebar-container docSidebarContainer_b6E3"><div class="sidebarViewport_Xe31"><div class="sidebar_njMd"><nav aria-label="Docs sidebar" class="menu thin-scrollbar menu_SIkG"><ul class="theme-doc-sidebar-menu menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Installation</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Behaviour</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--active" aria-expanded="true" href="/oauth2-proxy/docs/next/configuration/overview">Configuration</a><button aria-label="Toggle the collapsible sidebar category &#x27;Configuration&#x27;" type="button" class="clean-btn menu__caret"></button></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/overview">Overview</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--active" aria-expanded="true" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/">OAuth Provider Configuration</a><button aria-label="Toggle the collapsible sidebar category &#x27;OAuth Provider Configuration&#x27;" type="button" class="clean-btn menu__caret"></button></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link menu__link--active" aria-current="page" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/google">Google (default)</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/azure">Azure</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/adfs">ADFS</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/facebook">Facebook</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/github">GitHub</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/gitea">Gitea</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/keycloak">Keycloak</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc">Keycloak OIDC</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/gitlab">GitLab</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/linkedin">LinkedIn</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/azure_ad">Microsoft Azure AD</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/openid_connect">OpenID Connect</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/login_gov">Login.gov</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/nextcloud">NextCloud</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/digitalocean">DigitalOcean</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/bitbucket">BitBucket</a></li></ul></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/session_storage">Session Storage</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/tls">TLS Configuration</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="true" href="/oauth2-proxy/docs/next/features/endpoints">Features</a><button aria-label="Toggle the collapsible sidebar category &#x27;Features&#x27;" type="button" class="clean-btn menu__caret"></button></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/features/endpoints">Endpoints</a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="true" href="/oauth2-proxy/docs/next/community/security">Community</a><button aria-label="Toggle the collapsible sidebar category &#x27;Community&#x27;" type="button" class="clean-btn menu__caret"></button></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/contribution">Contribution Guide</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/security">Security</a></li></ul></li></ul></nav></div></div></aside><main class="docMainContainer_gTbr"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_VOVn"><div class="theme-doc-version-banner alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for <!-- -->OAuth2 Proxy<!-- --> <b>Next</b> version.</div><div class="margin-top--md">For up-to-date documentation, see the <b><a href="/oauth2-proxy/docs/">latest version</a></b> (<!-- -->7.5.x<!-- -->).</div></div><div class="docItemContainer_Djhp"><article><nav class="theme-doc-breadcrumbs breadcrumbsContainer_Z_bl" aria-label="Breadcrumbs"><ul class="breadcrumbs" itemscope="" itemtype="https://schema.org/BreadcrumbList"><li class="breadcrumbs__item"><a aria-label="Home page" class="breadcrumbs__link" href="/oauth2-proxy/"><svg viewBox="0 0 24 24" class="breadcrumbHomeIcon_YNFT"><path d="M10 19v-5h4v5c0 .55.45 1 1 1h3c.55 0 1-.45 1-1v-7h1.7c.46 0 .68-.57.33-.87L12.67 3.6c-.38-.34-.96-.34-1.34 0l-8.36 7.53c-.34.3-.13.87.33.87H5v7c0 .55.45 1 1 1h3c.55 0 1-.45 1-1z" fill="currentColor"></path></svg></a></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item"><a class="breadcrumbs__link" itemprop="item" href="/oauth2-proxy/docs/next/configuration/overview"><span itemprop="name">Configuration</span></a><meta itemprop="position" content="1"></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item"><a class="breadcrumbs__link" itemprop="item" href="/oauth2-proxy/docs/next/configuration/providers/"><span itemprop="name">OAuth Provider Configuration</span></a><meta itemprop="position" content="2"></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item breadcrumbs__item--active"><span class="breadcrumbs__link" itemprop="name">Google (default)</span><meta itemprop="position" content="3"></li></ul></nav><span class="theme-doc-version-badge badge badge--secondary">Version: Next</span><div class="tocCollapsible_ETCw theme-doc-toc-mobile tocMobile_ITEo"><button type="button" class="clean-btn tocCollapsibleButton_TO0P">On this page</button></div><div class="theme-doc-markdown markdown"><header><h1>Google (default)</h1></header><p>For Google, the registration steps are:</p><ol><li>Create a new project: <a href="https://console.developers.google.com/project" target="_blank" rel="noopener noreferrer">https://console.developers.google.com/project</a></li><li>Choose the new project from the top right project dropdown (only if another project is selected)</li><li>In the project Dashboard center pane, choose <strong>&quot;APIs &amp; Services&quot;</strong></li><li>In the left Nav pane, choose <strong>&quot;Credentials&quot;</strong></li><li>In the center pane, choose <strong>&quot;OAuth consent screen&quot;</strong> tab. Fill in <strong>&quot;Product name shown to users&quot;</strong> and hit save.</li><li>In the center pane, choose <strong>&quot;Credentials&quot;</strong> tab.<ul><li>Open the <strong>&quot;New credentials&quot;</strong> drop down</li><li>Choose <strong>&quot;OAuth client ID&quot;</strong></li><li>Choose <strong>&quot;Web application&quot;</strong></li><li>Application name is freeform, choose something appropriate</li><li>Authorized JavaScript origins is your domain ex: <code>https://internal.yourcompany.com</code></li><li>Authorized redirect URIs is the location of oauth2/callback ex: <code>https://internal.yourcompany.com/oauth2/callback</code></li><li>Choose <strong>&quot;Create&quot;</strong></li></ul></li><li>Take note of the <strong>Client ID</strong> and <strong>Client Secret</strong></li></ol><p>It&#x27;s recommended to refresh sessions on a short interval (1h) with <code>cookie-refresh</code> setting which validates that the
account is still authorized.</p><h4 class="anchor anchorWithStickyNavbar_LWe7" id="restrict-auth-to-specific-google-groups-on-your-domain-optional">Restrict auth to specific Google groups on your domain. (optional)<a href="#restrict-auth-to-specific-google-groups-on-your-domain-optional" class="hash-link" aria-label="Direct link to Restrict auth to specific Google groups on your domain. (optional)" title="Direct link to Restrict auth to specific Google groups on your domain. (optional)"></a></h4><ol><li><p>Create a <a href="https://developers.google.com/identity/protocols/OAuth2ServiceAccount" target="_blank" rel="noopener noreferrer">service account</a> and configure it
to use <a href="#using-application-default-credentials-adc--workload-identity--workload-identity-federation-recommended">Application Default Credentials / Workload Identity / Workload Identity Federation (recommended)</a> or,
alternatively download the JSON.</p></li><li><p>Make note of the Client ID for a future step.</p></li><li><p>Under &quot;APIs &amp; Auth&quot;, choose APIs.</p></li><li><p>Click on Admin SDK and then Enable API.</p></li><li><p>Follow the steps on <a href="https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account" target="_blank" rel="noopener noreferrer">https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account</a>
and give the client id from step 2 the following oauth scopes:</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">https://www.googleapis.com/auth/admin.directory.group.readonly</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">https://www.googleapis.com/auth/admin.directory.user.readonly</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div></li><li><p>Follow the steps on <a href="https://support.google.com/a/answer/60757" target="_blank" rel="noopener noreferrer">https://support.google.com/a/answer/60757</a> to enable Admin API access.</p></li><li><p>Create or choose an existing administrative email address on the Gmail domain to assign to the <code>google-admin-email</code>
flag. This email will be impersonated by this client to make calls to the Admin SDK. See the note on the link from
step 5 for the reason why.</p></li><li><p>Create or choose an existing email group and set that email to the <code>google-group</code> flag. You can pass multiple instances
of this flag with different groups and the user will be checked against all the provided groups.</p></li></ol><p>(Only if using a JSON file (see step 1))
9. Lock down the permissions on the json file downloaded from step 1 so only oauth2-proxy is able to read the file and
set the path to the file in the <code>google-service-account-json</code> flag.
10. Restart oauth2-proxy.</p><p>Note: The user is checked against the group members list on initial authentication and every time the token is
refreshed ( about once an hour ).</p><h5 class="anchor anchorWithStickyNavbar_LWe7" id="using-application-default-credentials-adc--workload-identity--workload-identity-federation-recommended">Using Application Default Credentials (ADC) / Workload Identity / Workload Identity Federation (recommended)<a href="#using-application-default-credentials-adc--workload-identity--workload-identity-federation-recommended" class="hash-link" aria-label="Direct link to Using Application Default Credentials (ADC) / Workload Identity / Workload Identity Federation (recommended)" title="Direct link to Using Application Default Credentials (ADC) / Workload Identity / Workload Identity Federation (recommended)"></a></h5><p>oauth2-proxy can make use of <a href="https://cloud.google.com/docs/authentication/application-default-credentials" target="_blank" rel="noopener noreferrer">Application Default Credentials</a>.
When deployed within GCP, this means that it can automatically use the service account attached to the resource. When deployed to GKE, ADC
can be leveraged through a feature called Workload Identity. Follow Google&#x27;s <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity" target="_blank" rel="noopener noreferrer">guide</a>
to set up Workload Identity.</p><p>When deployed outside of GCP, <a href="https://cloud.google.com/docs/authentication/provide-credentials-adc#wlif" target="_blank" rel="noopener noreferrer">Workload Identity Federation</a> might be an option.</p></div><footer class="theme-doc-footer docusaurus-mt-lg"><div class="theme-doc-footer-edit-meta-row row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/providers/google.md" target="_blank" rel="noreferrer noopener" class="theme-edit-this-page"><svg fill="currentColor" height="20" width="20" viewBox="0 0 40 40" class="iconEdit_Z9Sw" aria-hidden="true"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div><div class="col lastUpdated_vwxv"></div></div></footer></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages"><a class="pagination-nav__link pagination-nav__link--prev" href="/oauth2-proxy/docs/next/configuration/providers/"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">OAuth Provider Configuration</div></a><a class="pagination-nav__link pagination-nav__link--next" href="/oauth2-proxy/docs/next/configuration/providers/azure"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Azure</div></a></nav></div></div><div class="col col--3"><div class="tableOfContents_bqdL thin-scrollbar theme-doc-toc-desktop"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container container-fluid"><div class="footer__bottom text--center"><div class="footer__copyright">Copyright © 2024 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/assets/js/runtime~main.797195fe.js"></script>
<script src="/oauth2-proxy/assets/js/main.1106c429.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink