Google Workspace

This section shows where the expected values are found in the Google dashboards. Google has at least two different consoles: the Google Auth Platform and Google Cloud APIs & Services. For a more detailed guide on enabling Google with OpenZiti, see below. Use these values to configure an external JWT signer. All of them are found on the client or credentials screen of the corresponding overview page.

warning

Most errors when using Google as an identity provider come from selecting or using the wrong type of client. The only client type that currently works with OpenZiti is the Universal Windows Platform client type. If you use any of the other client types you will experience one sort of error or another. Also, only OpenZiti tunnelers work with this configuration: Google does not function standalone with BrowZer or the Ziti Admin Console (ZAC).

| Field | Where to Find the Value in the Google UI | Example |
|---|---|---|
| Issuer | The issuer for all Google tokens is constant: https://accounts.google.com | https://accounts.google.com |
| Client ID | Found on the client/credentials screen | 264297154877-lni3d11teird99mhkmches566dmt0f3i.apps.googleusercontent.com |
| Audience | Unless overridden, the same value as the Client ID | 264297154877-lni3d11teird99mhkmches566dmt0f3i.apps.googleusercontent.com |
| External Auth URL | The same value as the Issuer. Always https://accounts.google.com | https://accounts.google.com |
| JWKS Endpoint | Same value for all tokens. Found using the OpenID configuration URL | https://www.googleapis.com/oauth2/v3/certs |
| Claims Property | Often email, but can also be sub or any other claim contained in the JWT | email |
| Scopes | openid is always included. Often email, but profile or any standard or custom scope | profile offline_access |
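To see how the table's values are applied to a token, here is an added example (not code from the OpenZiti project) that decodes a Google ID token and reports which configured value it fails to match. The sample tokens are constructed and unsigned; a real token's RS256 signature must be verified against the JWKS endpoint before any claim is trusted, and that step is deliberately left out here.

```python
import base64
import json
import time
from typing import Optional

# External JWT signer values from the table above (the Client ID is the page's example value).
GOOGLE_SIGNER = {
    "issuer": "https://accounts.google.com",
    "audience": "264297154877-lni3d11teird99mhkmches566dmt0f3i.apps.googleusercontent.com",
    "jwks_endpoint": "https://www.googleapis.com/oauth2/v3/certs",
    "claims_property": "email",
}

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(payload: dict) -> str:
    # Constructed, unsigned sample token. Real Google tokens carry an RS256 signature
    # that must be checked against the JWKS endpoint; the placeholder below is not one.
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"signature-placeholder")])

def decode_payload(token: str) -> dict:
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def check_claims(payload: dict, signer: dict, now: Optional[float] = None) -> list:
    """Return every way the token fails the signer configuration; [] means it matches."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != signer["issuer"]:
        problems.append(f"iss {payload.get('iss')!r} != configured issuer")
    aud = payload.get("aud")
    if signer["audience"] not in (aud if isinstance(aud, list) else [aud]):
        # Google sets aud to the client ID that requested the token, so a token from a
        # different client (for example a Web application client) fails here.
        problems.append(f"aud {aud!r} is not the configured audience")
    if payload.get("exp", 0) <= now:
        problems.append("token is expired")
    if signer["claims_property"] not in payload:
        problems.append(f"claim {signer['claims_property']!r} missing; OpenZiti cannot map it to an identity")
    return problems
```

Run `check_claims(decode_payload(make_sample_token(payload)), GOOGLE_SIGNER)` on a payload with the configured iss and aud, an email claim and a future exp to get an empty list; change aud to another client ID and the audience mismatch is reported.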

Create a Client/Credential

Google Auth Platform and Google Cloud APIs & Services both allow you to generate credentials or clients. Although the terminology changes, both are the same at the end. If you create a credential in the APIs & Services screen, it will appear in the Google Auth Platform as a client.

note

The screens shown below are from the Google Cloud APIs & Services console. If the screens you see are not very close or identical, you may be looking at the Google Auth Platform.

Begin, by creating a credential. From the APIs & Services console, click on Credentials, Create Credentials and choose OAuth client ID:

Select Credential Type

When creating a credential/client there are different types available to select. Depending on the OpenZiti component you are trying to enable, you will need to select a different type. To enable authentication for BrowZer or the Ziti Admin Console (ZAC) you will need to select the Web application type. For use with an OpenZiti tunneler you will need to select Universal Windows Platform (UWP).

Begin by creating an application with provider. Go to the admin interface, on the left expand Applications, click on Applications and then click on Create with Provider and complete the wizard that pops up.

Universal Windows Platform (UWP)

[Screenshot: Universal Windows Platform (UWP) client type]

Web Application

[Screenshot: Web application client type]

Common Errors With Google

If you use any client type other than Universal Windows Platform (UWP), or try to use Google with anything other than the OpenZiti tunneler clients, you will likely experience errors. One such example is shown below.

Example error:

```json
{
  "error": "invalid_request",
  "error_description": "client_secret is missing."
}
```