You can integrate Google authentication with Cloudflare Access without a Google Workspace account. The integration will allow any user with a Google account to log in (if the Access policy allows them to reach the resource). Unlike the instructions for Google Workspace, the steps below will not allow you to pull group membership information from a Google Workspace account.
- Visit the Google Cloud Platform console. Create a new project.
- Name the project and click Create.
- On the project home page that loads, select APIs & Services from the sidebar and click Dashboard.
- You will first need to configure a consent screen. Click Configure Consent Screen at the top of the page.
- Choose External as the User Type. Since this application is not being created in a Google Workspace account, the only types of users are external.
- Name the application and add a support email (GCP will require you to add an email in your account).
You will also be prompted to input contact fields.
- In the Scopes section, we recommend adding the userinfo.email scope. This is not required for the integration to work, but will indicate to users authenticating what information is being gathered.
You do not need to add test users.
You can review the summary information and return to the dashboard at the bottom of the page.
- Return to the APIs & Services page and click + Create Credentials. Select OAuth client ID.
- Name the application.
- You will need to input your Cloudflare authentication domain. The domain will be structured in the following format:
https://<your-auth-domain-here>.cloudflareaccess.com
Input the authentication domain without any path in the Authorized JavaScript origins section. In the Authorized redirect URIs section, input your authentication domain with the path below.
https://<your-auth-domain-here>.cloudflareaccess.com/cdn-cgi/access/callback
- Google will present the OAuth Client ID and Secret values. The secret field functions like a password and should be stored securely and not shared. For the purposes of this tutorial, the secret field is kept visible. Copy both values.
- Navigate to the Cloudflare for Teams dashboard. In the Authentication page of the Access section, click + Add.
- Select Google.
- Input the Client ID and Client Secret fields generated previously. Click Save.
- You can now return to the list of identity providers in the Authentication page of the Cloudflare for Teams dashboard. Select Google Suite and click Test.
Your user identity should return.
Example API Config
```json
{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>"
  },
  "type": "google",
  "name": "my example idp"
}
```
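A pre-flight check for the two URL fields entered in Google, plus a way to build the API config above without writing the client secret into a file. This is an added example, not Cloudflare's code; the auth domain `example-team`, the function names, and the environment variable names `GOOGLE_CLIENT_ID` and `GOOGLE_CLIENT_SECRET` are assumptions.

```python
import copy
import os
from urllib.parse import urlsplit

CALLBACK_PATH = "/cdn-cgi/access/callback"  # callback path given on this page

def expected_urls(auth_domain):
    """Return (origin, redirect_uri) for an auth domain such as 'example-team'."""
    origin = f"https://{auth_domain}.cloudflareaccess.com"
    return origin, origin + CALLBACK_PATH

def check_google_client(auth_domain, js_origins, redirect_uris):
    """List mismatches between the values entered in Google and the expected ones."""
    origin, redirect = expected_urls(auth_domain)
    problems = []
    for value in js_origins:
        parts = urlsplit(value)
        if parts.path or parts.query or parts.fragment:
            problems.append(f"origin has a path or query: {value}")
        elif value != origin:
            problems.append(f"unexpected origin: {value}")
    if origin not in js_origins:
        problems.append(f"missing origin: {origin}")
    # Any extra redirect URI is another place Google may send the login response.
    problems += [f"unexpected redirect URI: {v}" for v in redirect_uris if v != redirect]
    if redirect not in redirect_uris:
        problems.append(f"missing redirect URI: {redirect}")
    return problems

def build_idp_payload(name, environ=os.environ):
    """Build the API config from this page; credentials come from the environment."""
    client_id = environ.get("GOOGLE_CLIENT_ID", "")          # assumed variable name
    client_secret = environ.get("GOOGLE_CLIENT_SECRET", "")  # assumed variable name
    if not client_id or not client_secret:
        raise ValueError("GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET must be set")
    return {"config": {"client_id": client_id, "client_secret": client_secret},
            "type": "google", "name": name}

def redacted(payload):
    """Return a copy that is safe to log: the client secret is masked."""
    safe = copy.deepcopy(payload)
    safe["config"]["client_secret"] = "***"
    return safe

if __name__ == "__main__":
    origin, redirect = expected_urls("example-team")  # constructed sample domain
    print(check_google_client("example-team", [redirect], [redirect]))
```

Log or print only the output of `redacted()`; the unredacted payload carries the client secret.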