update docs

Signed-off-by: Sourav Agrawal <souravagr01@gmail.com>
This commit is contained in:
Sourav Agrawal 2026-01-15 23:53:13 +05:30
parent c851c8671c
commit 6c4191b7e0
1 changed files with 18 additions and 5 deletions


@ -3,6 +3,8 @@ id: google
title: Google (default)
---
The Google provider uses OpenID Connect (OIDC) for authentication via Google's JWKS endpoint.
## Config Options
| Flag | Toml Field | Type | Description | Default |
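Review bot: the new overview sentence says ID tokens are verified via Google's JWKS endpoint but does not say which issuer the token is checked against; a short note on the expected issuer (or a pointer to the option that sets it, if one exists in the Config Options table below) would make the verification path clear to operators reading this page.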
@ -37,6 +39,12 @@ For Google, the registration steps are:
It's recommended to refresh sessions on a short interval (1h) with `cookie-refresh` setting which validates that the
account is still authorized.
### Scopes
The Google provider requires the `openid` scope for OIDC ID token verification. If you configure a custom `--scope` without `openid`, it will be automatically appended to the custom scope.
Default scope: `openid email profile`
### Groups Claim
Google does not support a `groups` claim in ID tokens. To include groups information in the session, this provider needs access to the [Google Admin Directory API](https://developers.google.com/admin-sdk/directory).
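Review bot: the Scopes paragraph states that a missing `openid` is appended to a custom `--scope` automatically, which means the effective scope can differ from what the operator configured; say whether this is logged at startup so the difference is visible. Minor style point: the flag is written `--scope` here but `cookie-refresh` (no dashes) two lines above; pick one convention for this page.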
@ -80,9 +88,14 @@ to set up Workload Identity.
When deployed outside of GCP, [Workload Identity Federation](https://cloud.google.com/docs/authentication/provide-credentials-adc#wlif) might be an option.
### Preferred Username
By default, the Google provider extracts the `name` claim from the ID token as the preferred username.
##### Using Organization ID as Preferred Username (optional)
By default, the google provider uses the google id as username. If you would like to use an organization id instead, you can set the `google-use-organization-id` flag to true.
This requires that the service account used to query the Google Admin SDK has one of the following scopes granted in step 5 above:
- `https://www.googleapis.com/auth/admin.directory.user.readonly`,
- `https://www.googleapis.com/auth/admin.directory.user`
- `https://www.googleapis.com/auth/cloud-platform`
If you would like to use an organization id instead, you can set the `--google-use-organization-id` flag to `true`.
This requires that the service account used to query the Google Admin SDK has one of the following scopes granted in step 5 above:
- `https://www.googleapis.com/auth/admin.directory.user.readonly`
- `https://www.googleapis.com/auth/admin.directory.user`
- `https://www.googleapis.com/auth/cloud-platform`
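Review bot: the organization-id paragraph and its three-scope list appear twice in this hunk, and the two copies disagree with each other and with the new `### Preferred Username` line: one says `By default, the google provider uses the google id as username.` while the line above it says the provider `extracts the `name` claim from the ID token as the preferred username`, and one copy has a stray trailing comma after `...admin.directory.user.readonly`,. Make sure only the copy that matches the new default survives, and consider `####` rather than `#####` for the optional sub-section so the heading hierarchy does not skip a level under `###`.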