Google

You can integrate Google authentication with Cloudflare Access without a Google Workspace account. The integration will allow any user with a Google account to log in (if the Zero Trust policy allows them to reach the resource). Unlike the instructions for Google Workspace, the steps below will not allow you to pull group membership information from a Google Workspace account.

Please note that you don't need to be a Google Cloud Platform user to integrate Google Suite as an identity provider with Cloudflare for Teams. You will only need to open the Google Cloud Platform to access settings for your OIDC identity provider.

  1. Visit the Google Cloud Platform console. Create a new project.

  2. Name the project and click Create.

  3. On the project home page that loads, select APIs & Services from the sidebar and click Dashboard.

  4. You will first need to configure a consent screen. Click Configure Consent Screen at the top of the page.

  5. Choose External as the User Type. Since this application is not being created in a Google Workspace account, the only types of users are external.

  6. Name the application and add a support email (GCP will require you to add an email in your account).

    You will also be prompted to input contact fields.

  7. In the Scopes section, we recommend adding the userinfo.email scope. This is not required for the integration to work, but will indicate to users authenticating what information is being gathered.

    You do not need to add test users.

    You can review the summary information and return to the dashboard at the bottom of the page.

  8. Return to the APIs & Services page and click + Create Credentials. Select OAuth client ID.

  9. Name the application.

  10. Under Authorized JavaScript origins, in the URIs field, enter your team domain.

  11. Under Authorized redirect URIs, in the URIs field, enter your team domain followed by this callback at the end of the path: /cdn-cgi/access/callback. For example:

    https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback

  12. Google will present the OAuth Client ID and Secret values. The secret field functions like a password and should not be shared. For the purposes of this tutorial, the secret field is kept visible. Copy both values.

  13. On the Teams dashboard, navigate to Settings > Authentication.

  14. Under Login methods, click Add new.

  15. Choose Google on the next page.

  16. Input the Client ID and Client Secret fields generated previously.

  17. Click Save.

To test that your connection is working, navigate to Authentication > Login methods and click Test next to Google.

Your user identity should return.

Example API Config

{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>"
  },
  "type": "google",
  "name": "my example idp"
}
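
The Python below is an added example, not Cloudflare's own code: it derives the two URIs from steps 10 and 11 and builds the request body shown above with the Client ID and Secret read from environment variables, so the secret is never written into a file or a log line. The variable names GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET, the function names, and the DNS-label check on the team name are assumptions.

```python
import json
import os
import re

# Assumption: the team name is a single DNS label in front of cloudflareaccess.com.
_TEAM_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
CALLBACK_PATH = "/cdn-cgi/access/callback"  # callback path from step 11


def team_urls(team_name):
    """Return (javascript_origin, redirect_uri) for steps 10 and 11."""
    name = team_name.strip().lower()
    if not _TEAM_RE.match(name):
        raise ValueError(f"not a valid team name: {team_name!r}")
    origin = f"https://{name}.cloudflareaccess.com"
    return origin, origin + CALLBACK_PATH


def build_idp_config(name, env=os.environ):
    """Build the request body, taking the credentials from the environment."""
    client_id = env.get("GOOGLE_CLIENT_ID", "").strip()
    client_secret = env.get("GOOGLE_CLIENT_SECRET", "").strip()
    if not client_id or not client_secret:
        raise ValueError("GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET must be set")
    if "<" in client_id or "<" in client_secret:
        raise ValueError("placeholder values were not replaced")
    return {
        "config": {"client_id": client_id, "client_secret": client_secret},
        "type": "google",
        "name": name,
    }


def redacted(body):
    """Return a copy of the body that is safe to log: the secret is masked."""
    safe = json.loads(json.dumps(body))  # deep copy via a JSON round trip
    safe["config"]["client_secret"] = "***"
    return safe


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample_env = {
        "GOOGLE_CLIENT_ID": "example-id.apps.googleusercontent.com",
        "GOOGLE_CLIENT_SECRET": "constructed-secret",
    }
    print(team_urls("example-team"))
    body = build_idp_config("my example idp", sample_env)
    print(json.dumps(redacted(body), indent=2))
```

Log or print only the output of `redacted()`; the unmasked body should go straight into the API request.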