|
| 1 | +--- |
| 2 | +title: OpenID Connect with Google |
| 3 | +description: Learn how to use Google SSO with Coder. |
| 4 | +--- |
| 5 | + |
| 6 | +This article walks you through setting up single sign-on to Coder using Google. |
| 7 | + |
| 8 | +Configuring |
| 9 | +[Coder's OpenID Connect](../../admin/access-control/index.md#openid-connect) |
| 10 | +feature requires you to provide three pieces of information from Google: |
| 11 | + |
| 12 | +- Client ID |
| 13 | +- Client Secret |
| 14 | +- Issuer |
| 15 | + |
| 16 | +This guide will show you how to set up an app on Google and obtain the |
| 17 | +information you need to provide to Coder. |
| 18 | + |
| 19 | +## Prerequisites |
| 20 | + |
| 21 | +Before proceeding, please ensure that you've |
| 22 | +[enabled and configured the Identity Platform](https://cloud.google.com/identity-platform/docs/web/oidc) |
| 23 | +for your Google Cloud account. |
| 24 | + |
| 25 | +## Step 1: Create the OAuth consent screen |
| 26 | + |
| 27 | +1. Navigate to your [GCP console](https://console.cloud.google.com). |
| 28 | + |
| 29 | +1. Go to **APIs & Services** > **OAuth consent screen**. Create a new app or |
| 30 | + edit an existing app, setting the following fields: |
| 31 | + |
| 32 | + - **App name** |
| 33 | + - **User support email** |
| 34 | + - App domains (at minimum, you must provide the **Application home page**) |
| 35 | + - Authorized domains (e.g. `coder.your-domain.com`) |
| 36 | + |
| 37 | +1. Click **Save and continue** to proceed. |
| 38 | + |
| 39 | +## Step 2: Create the OAuth Client |
| 40 | + |
| 41 | +1. Under **APIs & Services**, go to **Credentials**. |
| 42 | + |
| 43 | +1. Click **Create Credentials** and select **OAuth Client ID**. |
| 44 | + |
| 45 | +1. When prompted for your **Application type**, choose **Web Application**. |
| 46 | + |
| 47 | +1. Provide a **Name** for your application. |
| 48 | + |
| 49 | +1. Under **Authorized redirect URIs**, click **Add URI**, and provide your URI |
| 50 | + (e.g. `coder.your-domain.com/oidc/callback`). |
| 51 | + |
| 52 | +1. Click **Create**. Google shows you both your **Client ID** and **Client |
| 53 | + Secret**; copy both values and save them, since you'll need to provide these |
| 54 | + Coder. |
| 55 | + |
| 56 | +## Step 3: Provide the OIDC credentials to Coder |
| 57 | + |
| 58 | +Now that you've registered an app, you can provide the relevant **Client ID**, |
| 59 | +**Client Secret**, and **Issuer** to Coder. |
| 60 | + |
| 61 | +1. Log into Coder, and go to **Manage** > **Admin** > **Authentication**. |
| 62 | + |
| 63 | +1. Toggle the top-most field to **OpenID Connect**. |
| 64 | + |
| 65 | +1. Provide the **Client ID** and **Client Secret** supplied by Google. |
| 66 | + |
| 67 | +1. For the **Issuer**, provide `accounts.google.com`. |
| 68 | + |
| 69 | +1. Click **Save preferences**. |
| 70 | + |
| 71 | +You can now use Google as an SSO provider with Coder. |
| 72 | + |
| 73 | +## Optional: Enable token refresh and redirect options |
| 74 | + |
| 75 | +If you'd like to enable session token refresh and define redirect options, set |
| 76 | +the following values in Coder's |
| 77 | +[Helm chart and update your deployment](helm-charts.md): |
| 78 | + |
| 79 | +```yaml |
| 80 | +oidc: |
| 81 | + enableRefresh: true |
| 82 | + redirectOptions: { access_type: offline, prompt: consent } |
| 83 | +``` |
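Review bot: The redirect URI example in Step 2 (`coder.your-domain.com/oidc/callback`) has no scheme, and a reader pasting it into **Authorized redirect URIs** will have it rejected, because Google expects a full URI there. Suggest `https://coder.your-domain.com/oidc/callback`. The same question applies to the **Issuer** value in Step 3, which is given as the bare host `accounts.google.com`. Please confirm that Coder accepts it without `https://`, or show the full URL. In Step 2's last item, "you'll need to provide these Coder" is missing "to". It would also help to tell the reader to treat the **Client Secret** as a credential and store it accordingly. Finally, the optional section sets `access_type: offline` and `prompt: consent` without saying what they do. One sentence would do: the first asks Google for a refresh token, and the second forces the consent screen on each login. That lets admins decide whether they want that behaviour before enabling `enableRefresh`.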