Configuring Google OIDC
Wire Google Workspace as an additional sign-in provider on top of passkeys.
telark ships passkey-first auth. Google OIDC is an opt-in secondary path — useful when your org is already federated with Google Workspace and you want existing users to sign in without provisioning a passkey first.
The OIDC switch is off by default.
What you'll wire
Three sides to configure:
- A Google Cloud OAuth 2.0 Client ID on the Google side.
- The auth-service environment on the telark side.
- The GlobalConfig CRD to actually flip the switch.
1. Create the OAuth client in Google Cloud
In Google Cloud Console → APIs & Services → Credentials:
- Click Create credentials → OAuth client ID.
- Application type: Web application.
- Authorised JavaScript origins — add the public origin of
your dashboard (e.g.
https://telark.example.com). - Authorised redirect URIs — add the exact callback URL the
telark auth-service will receive on:
https://telark.example.com/auth/oidc/google/callback.
Copy the resulting Client ID and Client secret — both are needed for the telark side.
If you are on a Workspace tenant and want to restrict to a single
hosted domain, configure that on the OAuth consent screen — the
auth-service relies on the hd and email_verified claims in
the ID token.
2. Configure the auth-service
Set these environment variables on the auth-service deployment (typically via Helm values; see Reference → Helm values once the public install path lands):
| Variable | Value |
|---|---|
OIDC_GOOGLE_CLIENT_ID | The Client ID from step 1. |
OIDC_GOOGLE_CLIENT_SECRET | The Client Secret from step 1. |
OIDC_GOOGLE_REDIRECT_URL | Exact callback URL, must match Google. |
WEBAUTHN_RP_ID | Same effective domain as the dashboard (also required for passkeys). |
WEBAUTHN_RP_ORIGINS | Comma-separated, includes the dashboard origin. |
Mount the client secret from a Kubernetes Secret rather than hard-coding it into a values file.
Roll the auth-service deployment after the env update.
3. Flip the switch on the GlobalConfig CRD
OIDC is gated by spec.oidc.enabled on the GlobalConfig CRD.
Patch via the dashboard:
Settings → Insights & governance → Security → OIDC
Set:
- Enabled —
true. - Google Client ID — paste the Client ID you used in step 1 (the GlobalConfig holds it so the dashboard can render the Sign in with Google button without needing the auth-service to expose it).
The dashboard issues a PATCH /resources/globalconfig and the
new values take effect on the next page load.
If you would rather patch directly:
# globalconfig spec subset
spec:
oidc:
enabled: true
googleClientID: "<your-client-id>"4. Verify
- Sign out of the dashboard.
- On the login page, the Sign in with Google button should now be visible.
- Click it. The auth-service issues a state nonce and redirects
you to
accounts.google.com. - Authenticate with Google.
- Google redirects back to
/auth/oidc/google/callback?code=…&state=…. - The auth-service validates the state nonce, exchanges the
code for an ID token, verifies the
email_verifiedclaim, and:- Existing user — issues a telark session.
- New user — provisions a
Usercustom resource via the exporter, then issues a session.
You should land on the dashboard authenticated. The Settings →
Security page will show the session as originating from the
oidc-google identity provider.
Troubleshooting
- "OIDC is not configured" at
/auth/oidc/google/callback— eitherOIDC_GOOGLE_CLIENT_IDis unset on the auth-service orspec.oidc.enabled=falseon the GlobalConfig. Both must be true for the callback to proceed. - "redirect_uri_mismatch" from Google — the
OIDC_GOOGLE_REDIRECT_URLon the auth-service is not in the Authorised redirect URIs list on the OAuth client. They must match exactly (including trailing slash). - "email not verified" — the Google account's
email_verifiedclaim came back false. telark refuses to provision unverified emails. Fix the Google account, retry. - State nonce mismatch — usually a stale cookie. Clear the telark origin's cookies, retry.
Bootstrap admin via OIDC
You can use the OIDC flow to grant the first admin. Set
BOOTSTRAP_ADMIN_EMAIL on the auth-service to the email of the
Google account you want to bootstrap. The first time that email
signs in via either passkey enrolment or Google OIDC, the
auth-service assigns the Admin role on user provision.