---
myst:
  html_meta:
    "description lang=en": "Google OpenID setup guide for Workspaces authentication."
    "keywords": "Kasm, Google, OIDC, OpenID"
    "property=og:locale": "en_US"
---
```{title} Google OpenID Setup
```

## Google OpenID Setup

```{include} /guide/oidc/warning.md
```

This guide walks through a basic setup allowing Google users to authenticate with your Kasm deployment.

```{note}
Google OpenID does not support OIDC Single Logout.
```

Reference Docs:

- <https://developers.google.com/identity/protocols/oauth2>

### Creating a Google OAuth App

1. Log in to the Google Developer Console: <https://console.developers.google.com>
2. Select **OAuth consent screen**.
3. Select **External** then click **Create**.

```{warning}
In this example, we walk through creating an integration where any Google user can authenticate with the Kasm app. This is ideal for a
public-facing deployment. Choose **Internal** if only users from your Google Workspace corporate account should be allowed to authenticate.
```

```{figure} /images/oidc/google/oauth_consent_create.png
:align: center
**OAuth Consent**
```

4. Provide values for the **App Name**, **User support email**, and **Developer Contact email**.
5. In the **Authorized Domains** section, enter your deployment's top private domain (e.g. {code}`example.com`).
6. Click **Save and Continue**.

```{figure} /images/oidc/google/oauth_consent_registration.png
:align: center
**App Registration**
```

7. Click **Add or Remove Scopes**.
8. In the **Update Selected Scopes** window, check {code}`.../auth/userinfo.email`, then click **Update**.

```{figure} /images/oidc/google/oauth_consent_scopes.png
:align: center
**Update Selected Scopes**
```

9. Click **Save and Continue**.
10. Until the app is fully verified and published, it can only be used to authenticate specific test accounts.
    Click **Add Users** to authorize several test Google accounts.
11. Click **Save and Continue**.
12. In the **APIs & Services** menu, select **Credentials**.
13. Select **Create Credentials**, then **OAuth client ID**.

```{figure} /images/oidc/google/select_oauth_client_id.png
:align: center
**Create Credentials**
```

14. Select {code}`Web Application` as the **Application type**, then give the client a name (e.g. {code}`Kasm`).
15. Click **Add URI** in the **Authorized redirect URIs** section, and enter {code}`https://<kasm deployment hostname>/api/oidc_callback`.
16. Click **Create**.

```{figure} /images/oidc/google/create_oauth_client.png
:align: center
**Create OAuth Client**
```

17. A dialog will display with a **Client ID** and **Client Secret**. Save these values for the next configuration steps.
    The JSON download will also include URLs needed for the next configuration steps.

```{figure} /images/oidc/google/client_secret.png
:align: center
**Client ID and Client Secret**
```

### Kasm OpenID Config

1. Log into the Kasm UI as an administrator.
2. Select **Access Management** -> **Authentication** -> **OpenID** -> **Add Config**.
3. Update the form with the following entries, using the **Client ID** and **Client Secret** gathered in the previous section.

```{eval-rst}
+-------------------------------------------+-----------------------------------------------------------+
| **Property**                              | **Value**                                                 |
+-------------------------------------------+-----------------------------------------------------------+
| **Enabled**                               | Checked                                                   |
+-------------------------------------------+-----------------------------------------------------------+
| **Display Name**                          | Continue with Google                                      |
+-------------------------------------------+-----------------------------------------------------------+
| **Logo URL**                              | :code:`https://www.google.com/favicon.ico`                |
+-------------------------------------------+-----------------------------------------------------------+
| **Auto Login**                            | Unchecked                                                 |
+-------------------------------------------+-----------------------------------------------------------+
| **Hostname**                              | <Empty>                                                   |
+-------------------------------------------+-----------------------------------------------------------+
| **Default**                               | Checked                                                   |
+-------------------------------------------+-----------------------------------------------------------+
| **Client ID**                             | <Client ID From Google OAuth App>                         |
+-------------------------------------------+-----------------------------------------------------------+
| **Client Secret**                         | <Client Secret from Google OAuth App>                     |
+-------------------------------------------+-----------------------------------------------------------+
| **Authorization URL**                     | :code:`https://accounts.google.com/o/oauth2/auth`         |
+-------------------------------------------+-----------------------------------------------------------+
| **Token URL**                             | :code:`https://oauth2.googleapis.com/token`               |
+-------------------------------------------+-----------------------------------------------------------+
| **User Info URL**                         | :code:`https://www.googleapis.com/oauth2/v1/userinfo`     |
+-------------------------------------------+-----------------------------------------------------------+
| **Scope**                                 | :code:`openid`                                            |
|                                           | :code:`https://www.googleapis.com/auth/userinfo.email`    |
|                                           | :code:`https://www.googleapis.com/auth/userinfo.profile`  |
+-------------------------------------------+-----------------------------------------------------------+
| **Username Attribute**                    | :code:`email`                                             |
+-------------------------------------------+-----------------------------------------------------------+
| **Groups Attribute**                      | Unchecked                                                 |
+-------------------------------------------+-----------------------------------------------------------+
| **Debug**                                 | Unchecked                                                 |
+-------------------------------------------+-----------------------------------------------------------+
| **Redirect URL**                          | :code:`https://<Kasm hostname>/api/oidc_callback`         |
+-------------------------------------------+-----------------------------------------------------------+
| **OpenID Connect Issuer**                 | Blank                                                     |
+-------------------------------------------+-----------------------------------------------------------+
| **Logout with OIDC Provider**             | Unchecked                                                 |
+-------------------------------------------+-----------------------------------------------------------+
| **Enable OIDC SLO Frontchannel Endpoint** | Unchecked                                                 |
+-------------------------------------------+-----------------------------------------------------------+
```

```{figure} /images/oidc/google/kasm_oidc_configuration.webp
:align: center
**Kasm OIDC Configurations**
```

4. Click **Save** to save the changes.
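
A mismatch between the Google OAuth client and the Kasm form, most often a redirect URI that differs by scheme or trailing slash, is the usual reason the login fails. The following added example (not part of Kasm or Google tooling) compares the downloaded client JSON with the form values before testing. The function name, the dictionary keys used for the Kasm form, the sample values, and the assumed `web` layout of the downloaded JSON are all constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of the JSON downloaded in step 17 (placeholder values).
SAMPLE_GOOGLE_JSON = json.dumps({"web": {
    "client_id": "EXAMPLE-ID.apps.googleusercontent.com",
    "client_secret": "EXAMPLE-SECRET",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "redirect_uris": ["https://kasm.example.com/api/oidc_callback"],
}})

# Constructed copy of the values typed into the Kasm OpenID form
# (hypothetical key names, one per row of the table above).
SAMPLE_KASM_FORM = {
    "client_id": "EXAMPLE-ID.apps.googleusercontent.com",
    "authorization_url": "https://accounts.google.com/o/oauth2/auth",
    "token_url": "https://oauth2.googleapis.com/token",
    "redirect_url": "https://kasm.example.com/api/oidc_callback",
    "scope": ["openid", "https://www.googleapis.com/auth/userinfo.email",
              "https://www.googleapis.com/auth/userinfo.profile"],
    "username_attribute": "email",
}

def check_oidc_config(google_json, kasm):
    """Return a list of mismatches; an empty list means both sides agree."""
    web = json.loads(google_json).get("web", {})
    problems = []
    for g_key, k_key in (("client_id", "client_id"),
                         ("auth_uri", "authorization_url"),
                         ("token_uri", "token_url")):
        if web.get(g_key) != kasm.get(k_key):
            problems.append(f"{k_key} does not match Google's {g_key}")
    # Redirect URIs are compared as exact strings, so do not normalise them.
    redirect = kasm.get("redirect_url", "")
    if redirect not in web.get("redirect_uris", []):
        problems.append("redirect_url is not an authorized redirect URI")
    parts = urlsplit(redirect)
    if parts.scheme != "https" or parts.path != "/api/oidc_callback":
        problems.append("redirect_url must be https://<host>/api/oidc_callback")
    scopes = kasm.get("scope", [])
    if "openid" not in scopes:
        problems.append("scope is missing openid")
    if kasm.get("username_attribute") == "email" and not any(
            s == "email" or s.endswith("/auth/userinfo.email") for s in scopes):
        problems.append("username attribute 'email' needs the userinfo.email scope")
    return problems

if __name__ == "__main__":
    print(check_oidc_config(SAMPLE_GOOGLE_JSON, SAMPLE_KASM_FORM) or "config is consistent")
```
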

### Google Login Test

1. Log out of Kasm to display the login screen. The OpenID configuration should be shown.

```{figure} /images/oidc/google/login.webp
:align: center
**Login Screens**
```

2. Click **Continue with Google**.
3. The user is redirected to Google for auth.

```{figure} /images/oidc/google/authorization.png
:align: center
**Google Auth**
```

4. Upon completion, the user is logged into the Kasm app.