open-vault/website/content/docs/auth/jwt/oidc-providers/google.mdx

---
layout: docs
page_title: OIDC Provider Setup - Auth Methods - Google
description: OIDC provider configuration for Google
---

## Google

Main reference: [Using OAuth 2.0 to Access Google APIs](https://developers.google.com/identity/protocols/OAuth2)

1. Visit the [Google API Console](https://console.developers.google.com).
1. Create or a select a project.
1. Navigate to Menu > APIs & Services
1. Create a new credential via Credentials > Create Credentials > OAuth Client ID.
1. Configure the OAuth Consent Screen. Application Name is required. Save.
1. Select application type: "Web Application".
1. Configure Authorized [Redirect URIs](/vault/docs/auth/jwt#redirect-uris).
1. Save client ID and secret.

### Optional Google-specific Configuration

Google-specific configuration is available when using Google as an identity provider from the
Vault JWT/OIDC auth method. The configuration allows Vault to obtain Google Workspace group membership and
user information during the JWT/OIDC authentication flow. The group membership obtained from Google Workspace
may be used for Identity group alias association. The user information obtained from Google Workspace can be
used to copy claims data into resulting auth token and alias metadata via [claim_mappings](/vault/api-docs/auth/jwt#claim_mappings).

#### Setup

To set up the Google-specific handling, you'll need:

- A Google Workspace account with the [super admin role](https://support.google.com/a/answer/2405986?hl=en)
  for granting domain-wide delegation API client access.
- The ability to create a service account in [Google Cloud Platform](https://console.developers.google.com/iam-admin/serviceaccounts).
- To enable the [Admin SDK API](https://console.developers.google.com/apis/api/admin.googleapis.com/overview).
- An OAuth 2.0 application with an [internal user type](https://support.google.com/cloud/answer/10311615#user-type).
  We **do not** recommend using an external user type since it would allow _any user_ with a
  Google account to authenticate with Vault.

The Google-specific handling that's used to fetch Google Workspace groups and user information in Vault uses
Google Workspace Domain-Wide Delegation of Authority for authentication and authorization. You need to follow
**all steps** in the [guide](https://developers.google.com/workspace/guides/create-credentials#service-account)
to obtain the key file for a Google service account capable of making requests to the Google Workspace
[User Accounts](https://developers.google.com/admin-sdk/directory/v1/guides/manage-users) and
[Groups](https://developers.google.com/admin-sdk/directory/v1/guides/manage-groups) APIs.

In **step 11** within the section titled
[Optional: Set up domain-wide delegation for a service account](https://developers.google.com/workspace/guides/create-credentials#optional_set_up_domain-wide_delegation_for_a_service_account),
the only OAuth scopes that should be granted are:

- `https://www.googleapis.com/auth/admin.directory.group.readonly`
- `https://www.googleapis.com/auth/admin.directory.user.readonly`

~> This is an **important security step** in order to give the service account the least set of privileges
that enable the feature.

#### Configuration

- `provider` `(string: <required>)` - Name of the provider. Must be set to "gsuite".
- `gsuite_service_account` `(string: <required>)` - Either the path to or the contents of a Google service
  account key file in JSON format. If given as a file path, it must refer to a file that's readable on
  the host that Vault is running on. If given directly as JSON contents, the JSON must be properly escaped.
- `gsuite_admin_impersonate` `(string: <required>)` - Email address of a Google Workspace admin to impersonate.
- `fetch_groups` `(bool: false)` - If set to true, groups will be fetched from Google Workspace.
- `fetch_user_info` `(bool: false)` - If set to true, user info will be fetched from Google Workspace using the configured [user_custom_schemas](#user_custom_schemas).
- `groups_recurse_max_depth` `(int: <optional>)` - Group membership recursion max depth. Defaults to 0, which means don't recurse.
- `user_custom_schemas` `(string: <optional>)` - Comma-separated list of Google Workspace [custom schemas](https://developers.google.com/admin-sdk/directory/v1/guides/manage-schemas).
  Values set for Google Workspace users using custom schema fields will be fetched and made available as claims that can be used with [claim_mappings](/vault/api-docs/auth/jwt#claim_mappings). Required if [fetch_user_info](#fetch_user_info) is set to true.

Example configuration:

```
vault write auth/oidc/config -<<EOF
{
    "oidc_discovery_url": "https://accounts.google.com",
    "oidc_client_id": "your_client_id",
    "oidc_client_secret": "your_client_secret",
    "default_role": "your_default_role",
    "provider_config": {
        "provider": "gsuite",
        "gsuite_service_account": "/path/to/service-account.json",
        "gsuite_admin_impersonate": "admin@gsuitedomain.com",
        "fetch_groups": true,
        "fetch_user_info": true,
        "groups_recurse_max_depth": 5,
        "user_custom_schemas": "Education,Preferences"
    }
}
EOF
```

#### Role

The [user_claim](/vault/api-docs/auth/jwt#user_claim) value of the role must be set to
one of either `sub` or `email` for the Google Workspace group and user information
queries to succeed.

Example role:

```
vault write auth/oidc/role/your_default_role \
    allowed_redirect_uris="http://localhost:8200/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback" \
    user_claim="sub" \
    groups_claim="groups" \
    claim_mappings="/Education/graduation_date"="graduation_date" \
    claim_mappings="/Preferences/shirt_size"="shirt_size"
```