Skip to content
Cloudflare Docs

Google

You can integrate Google authentication with Cloudflare Access without a Google Workspace account. The integration allows any user with a Google account to log in (if the Access policy allows them to reach the resource). Unlike the instructions for Google Workspace, the steps below will not allow you to pull group membership information from a Google Workspace account.

You do not need to be a Google Cloud Platform user to integrate Google as an identity provider with Cloudflare Zero Trust. You will only need to open the Google Cloud Platform to configure IdP integration settings.

Set up Google as an identity provider

  1. Log in to the Google Cloud Platform console. Create a new project, name the project, and select Create.

  2. On the project home page, go to APIs & Services and on the sidebar select Credentials.

  3. Select Configure Consent Screen.

    Location to configure a Consent Screen in the Google Cloud Platform console.

  4. To configure the consent screen:

    1. Select Get started.
    2. Enter an App name and a User support email.
    3. Choose External as the Audience Type. Since this application is not being created in a Google Workspace account, any user with a Gmail address can log in.
    4. Enter your Contact Information. Google Cloud Platform requires an email in your account.
    5. Agree to Google's user data policy and select Continue.
    6. Select Create.

  5. The OAuth overview page will load. On the OAuth overview screen, select Create OAuth client.

    Location to create an OAuth client in the Google Cloud Platform console.

  6. Choose Web application as the Application type and give your OAuth Client ID a name.

  7. Under Authorized JavaScript origins, in the URIs field, enter your team domain:

    https://<your-team-name>.cloudflareaccess.com

    You can find your team name in Zero Trust under Settings > Custom Pages.

  8. Under Authorized redirect URIs, in the URIs field, enter the following URL:

    https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback

  9. After creating the OAuth client, select the OAuth client that you just created. Google will present the OAuth Client ID value and Client secret value. The client secret field functions like a password and should not be shared. Copy both the OAuth Client ID value and Client secret value.

  10. In Zero Trust, go to Settings > Authentication.

  11. Under Login methods, select Add new. Choose Google on the next page.

  12. Input the Client ID (App ID in the Cloudflare dashboard) and Client Secret fields generated previously.

  13. (Optional) Enable Proof of Key Exchange (PKCE). PKCE will be performed on all login attempts.

  14. Select Save.

Test your connection

To test that your connection is working, go to Authentication > Login methods and select Test next to Google.

Example API Config

{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>"
  },
  "type": "google",
  "name": "my example idp"
}

Troubleshooting

Error 401: deleted_client

If you deleted the OAuth client (or the OAuth client expired) in Google, you will receive a Error 401: deleted_client authorization error.

To fix this issue, complete steps 6 through 12 in the Google guide and steps 9 through 15 in the Google Workspace guide.