From 6c4191b7e05ea2fdcd2173ecf3bf8c9b31da1517 Mon Sep 17 00:00:00 2001 From: Sourav Agrawal Date: Thu, 15 Jan 2026 23:53:13 +0530 Subject: [PATCH] update docs Signed-off-by: Sourav Agrawal --- docs/docs/configuration/providers/google.md | 23 ++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/docs/docs/configuration/providers/google.md b/docs/docs/configuration/providers/google.md index 2cef7c2c..ecdc8d97 100644 --- a/docs/docs/configuration/providers/google.md +++ b/docs/docs/configuration/providers/google.md @@ -3,6 +3,8 @@ id: google title: Google (default) --- +The Google provider uses OpenID Connect (OIDC) for authentication via Google's JWKS endpoint. + ## Config Options | Flag | Toml Field | Type | Description | Default | @@ -37,6 +39,12 @@ For Google, the registration steps are: It's recommended to refresh sessions on a short interval (1h) with `cookie-refresh` setting which validates that the account is still authorized. +### Scopes + +The Google provider requires the `openid` scope for OIDC ID token verification. If you configure a custom `--scope` without `openid`, it will be automatically appended to the custom scope. + +Default scope: `openid email profile` + ### Groups Claim Google does not support a `groups` claim in ID tokens. To include groups information in the session, this provider needs access to the [Google Admin Directory API](https://developers.google.com/admin-sdk/directory). 
@@ -80,9 +88,14 @@ to set up Workload Identity. When deployed outside of GCP, [Workload Identity Federation](https://cloud.google.com/docs/authentication/provide-credentials-adc#wlif) might be an option. +### Preferred Username + +By default, the Google provider extracts the `name` claim from the ID token as the preferred username. + ##### Using Organization ID as Preferred Username (optional) -By default, the google provider uses the google id as username. If you would like to use an organization id instead, you can set the `google-use-organization-id` flag to true. -This requires that the service account used to query the Google Admin SDK has one of the following scopes granted in step 5 above: -- `https://www.googleapis.com/auth/admin.directory.user.readonly`, -- `https://www.googleapis.com/auth/admin.directory.user` -- `https://www.googleapis.com/auth/cloud-platform` + +If you would like to use an organization id instead, you can set the `--google-use-organization-id` flag to `true`. +This requires that the service account used to query the Google Admin SDK has one of the following scopes granted in step 5 above: +- `https://www.googleapis.com/auth/admin.directory.user.readonly` +- `https://www.googleapis.com/auth/admin.directory.user` +- `https://www.googleapis.com/auth/cloud-platform`
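Review bot: In the first hunk (the new intro line under the `title: Google (default)` front matter), "uses OpenID Connect (OIDC) for authentication via Google's JWKS endpoint" conflates two things: OIDC is the authentication protocol, while the JWKS endpoint only serves the public keys used to verify ID token signatures. Suggest: "The Google provider authenticates users with OpenID Connect (OIDC) and verifies ID token signatures against Google's JWKS endpoint." That keeps the sentence accurate for readers deciding what the provider actually checks.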
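Review bot: In the second hunk (the new `### Scopes` section), "If you configure a custom `--scope` without `openid`, it will be automatically appended to the custom scope" has an ambiguous "it"; suggest "the `openid` scope will be appended to your custom scope automatically." Since this silently widens the scope the user consents to, it is also worth stating explicitly that the resulting scope string is what Google shows on the consent screen, and confirming that the `--scope` default in the Config Options table (not shown in this diff) matches the stated `openid email profile`.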
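Review bot: In the third hunk, the new `### Preferred Username` heading is immediately followed by the existing `##### Using Organization ID as Preferred Username (optional)`, which skips the h4 level; suggest demoting the sub-heading to `####`. More importantly, the removed line said the provider "uses the google id as username" and the replacement says it "extracts the `name` claim"; if that reflects a real behaviour change, the docs should say so, because `name` is a user-editable display name rather than a stable, unique identifier, and deployments that key authorization decisions (allowlists, audit logs) on the preferred username need to know it can change or collide. If the behaviour did not change, the wording should be reconciled with the old text instead.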