From 796d5d4b7ad1bd41c8a8c8cdd266debe1d6db856 Mon Sep 17 00:00:00 2001
From: DevelopmentCats
Date: Tue, 12 Aug 2025 02:34:50 +0000
Subject: [PATCH 1/4] docs(oidc): add Google provider-specific guide and nav entry

Adds a concise guide for configuring Google as an OIDC provider, including refresh token params and icon/text hints. Updates docs nav to surface the page under OIDC Authentication. Refs #13508.
---
 docs/admin/users/oidc-auth/google.md | 62 ++++++++++++++++++++++++++++
 docs/manifest.json | 5 +++
 2 files changed, 67 insertions(+)
 create mode 100644 docs/admin/users/oidc-auth/google.md
diff --git a/docs/admin/users/oidc-auth/google.md b/docs/admin/users/oidc-auth/google.md
new file mode 100644
index 0000000000000..a058d1c9b2ebd
--- /dev/null
+++ b/docs/admin/users/oidc-auth/google.md
@@ -0,0 +1,62 @@
+# Google authentication (OIDC)
+
+This guide shows how to configure Coder to authenticate users with Google using OpenID Connect (OIDC).
+
+## Prerequisites
+
+- A Google Cloud project with the OAuth consent screen configured
+- Permission to create OAuth 2.0 Client IDs in Google Cloud
+
+## Step 1: Create an OAuth client in Google Cloud
+
+1. Open Google Cloud Console → APIs & Services → Credentials → Create Credentials → OAuth client ID.
+2. Application type: Web application.
+3. Authorized redirect URIs: add your Coder callback URL:
+ - `https://coder.domain.com/api/v2/users/oidc/callback`
+4. Save and note the Client ID and Client secret.
+
+## Step 2: Configure Coder OIDC for Google
+
+Set the following environment variables on your Coder deployment and restart Coder:
+
+```env
+CODER_OIDC_ISSUER_URL=https://accounts.google.com
+CODER_OIDC_CLIENT_ID=
+CODER_OIDC_CLIENT_SECRET=
+# Restrict to one or more email domains (comma-separated)
+CODER_OIDC_EMAIL_DOMAIN="example.com"
+# Standard OIDC scopes for Google
+CODER_OIDC_SCOPES=openid,profile,email
+# Optional: customize the login button
+CODER_OIDC_SIGN_IN_TEXT="Sign in with Google"
+CODER_OIDC_ICON_URL=/icon/google.svg
+```
+
+> [!NOTE]
+> The redirect URI must exactly match what you configured in Google Cloud.
+
+## Enable refresh tokens (recommended)
+
+Google uses auth URL parameters to issue refresh tokens. Configure:
+
+```env
+# Keep standard scopes
+CODER_OIDC_SCOPES=openid,profile,email
+# Add Google-specific auth URL params
+CODER_OIDC_AUTH_URL_PARAMS='{"access_type": "offline", "prompt": "consent"}'
+```
+
+After changing settings, users must log out and back in once to obtain refresh tokens.
+
+Learn more in [Configure OIDC refresh tokens](./refresh-tokens.md).
+
+## Troubleshooting
+
+- "invalid redirect_uri": ensure the redirect URI in Google Cloud matches `https:///api/v2/users/oidc/callback`.
+- Domain restriction: if users from unexpected domains can log in, verify `CODER_OIDC_EMAIL_DOMAIN`.
+- Claims: to inspect claims returned by Google, see guidance in the [OIDC overview](./index.md#oidc-claims).
+
+## See also
+
+- [OIDC overview](./index.md)
+- [Configure OIDC refresh tokens](./refresh-tokens.md)
diff --git a/docs/manifest.json b/docs/manifest.json
index ce03ef0ff2de1..bebf2fc6e54d8 100644
--- a/docs/manifest.json
+++ b/docs/manifest.json
@@ -416,6 +416,11 @@
 "description": "Configure OpenID Connect authentication with identity providers like Okta or Active Directory",
 "path": "./admin/users/oidc-auth/index.md",
 "children": [
+ {
+ "title": "Google",
+ "description": "Configure Google as an OIDC provider",
+ "path": "./admin/users/oidc-auth/google.md"
+ },
 {
 "title": "Configure OIDC refresh tokens",
 "description": "How to configure OIDC refresh tokens",
From 488cffd751cdcf8aa4fea82ee7ce2c3f4ae06bfa Mon Sep 17 00:00:00 2001
From: DevCats
Date: Tue, 12 Aug 2025 12:04:56 -0500
Subject: [PATCH 2/4] chore: update coder example url

Co-authored-by: Atif Ali
---
 docs/admin/users/oidc-auth/google.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/admin/users/oidc-auth/google.md b/docs/admin/users/oidc-auth/google.md
index a058d1c9b2ebd..298497b27bebc 100644
--- a/docs/admin/users/oidc-auth/google.md
+++ b/docs/admin/users/oidc-auth/google.md
@@ -12,7 +12,7 @@ This guide shows how to configure Coder to authenticate users with Google using
 1. Open Google Cloud Console → APIs & Services → Credentials → Create Credentials → OAuth client ID.
 2. Application type: Web application.
 3. Authorized redirect URIs: add your Coder callback URL:
- - `https://coder.domain.com/api/v2/users/oidc/callback`
+ - `https://coder.example.com/api/v2/users/oidc/callback`
 4. Save and note the Client ID and Client secret.
 
 ## Step 2: Configure Coder OIDC for Google
From fcf07b138ac3a91cf5afc576eb3e6a25d72bcbcf Mon Sep 17 00:00:00 2001
From: DevelopmentCats
Date: Tue, 12 Aug 2025 17:37:08 +0000
Subject: [PATCH 3/4] fix(docs): correct indentation in manifest

---
 docs/manifest.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/docs/manifest.json b/docs/manifest.json
index bebf2fc6e54d8..fcd1b647077d2 100644
--- a/docs/manifest.json
+++ b/docs/manifest.json
@@ -416,11 +416,11 @@
 "description": "Configure OpenID Connect authentication with identity providers like Okta or Active Directory",
 "path": "./admin/users/oidc-auth/index.md",
 "children": [
- {
- "title": "Google",
- "description": "Configure Google as an OIDC provider",
- "path": "./admin/users/oidc-auth/google.md"
- },
+ {
+ "title": "Google",
+ "description": "Configure Google as an OIDC provider",
+ "path": "./admin/users/oidc-auth/google.md"
+ },
 {
 "title": "Configure OIDC refresh tokens",
 "description": "How to configure OIDC refresh tokens",
From f0c7f94ca225248b3428ac08ebd0ede986b07f24 Mon Sep 17 00:00:00 2001
From: DevelopmentCats
Date: Tue, 12 Aug 2025 17:53:49 +0000
Subject: [PATCH 4/4] chore: make gen

---
 docs/manifest.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/docs/manifest.json b/docs/manifest.json
index fcd1b647077d2..6e943aa56f697 100644
--- a/docs/manifest.json
+++ b/docs/manifest.json
@@ -416,11 +416,11 @@
 "description": "Configure OpenID Connect authentication with identity providers like Okta or Active Directory",
 "path": "./admin/users/oidc-auth/index.md",
 "children": [
- {
- "title": "Google",
- "description": "Configure Google as an OIDC provider",
- "path": "./admin/users/oidc-auth/google.md"
- },
+ {
+ "title": "Google",
+ "description": "Configure Google as an OIDC provider",
+ "path": "./admin/users/oidc-auth/google.md"
+ },
 {
 "title": "Configure OIDC refresh tokens",
 "description": "How to configure OIDC refresh tokens",