Google Workspace
1. Create an OAuth 2.0 client
- Google Cloud Console → APIs & Services → Credentials → Create Credentials → OAuth client ID
- Application type: Web application
- Authorised redirect URIs:
https://tappass.example.com/sso/callback
Note the Client ID and Client Secret.
2. Configure OAuth consent screen
- User type: Internal (Workspace users only)
- Scopes: openid, email, profile
3. Configure TapPass
Set the provider through environment variables:

```sh
GOOGLE_CLIENT_ID=<client-id>.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=<client-secret>
GOOGLE_ALLOWED_DOMAINS=yourcompany.com
```

Or in the config file:

```yaml
sso:
  provider: google
  client_id: "${GOOGLE_CLIENT_ID}"
  client_secret: "${GOOGLE_CLIENT_SECRET}"
  allowed_domains:
    - yourcompany.com
  hd: yourcompany.com   # restrict to this Workspace domain
```

The hd parameter forces the Google consent screen to show only users from that domain.
Group membership
Google Workspace doesn't include groups in the OIDC token by default. Two options:
Option A — Admin SDK
Give the TapPass server a Workspace service account with the admin.directory.group.readonly scope. TapPass queries the Admin SDK at login time to resolve groups. Keep the key file readable only by the TapPass service user: through domain-wide delegation it can read group membership for the whole directory as the impersonated admin.

```yaml
sso:
  provider: google
  service_account_file: /etc/tappass/gws-sa.json
  impersonate_subject: admin@yourcompany.com
  role_mapping:
    "tappass-admins@yourcompany.com": admin
    "tappass-viewers@yourcompany.com": viewer
```

Option B — Email → role mapping
For small teams, skip groups and map individual emails:

```yaml
sso:
  user_role_mapping:
    alice@yourcompany.com: admin
    bob@yourcompany.com: viewer
```

Restricting to Workspace
Set hd and allowed_domains to the same value to ensure only Workspace users in that domain can log in. Personal Gmail accounts are rejected. On its own, hd is only a hint to Google's sign-in page that a client can alter, so do not rely on it without allowed_domains.
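As an added example (not TapPass's own code), this is the server-side logic that the allowed_domains, role_mapping and user_role_mapping settings above imply, applied to the claims of a Google ID token that an OIDC library has already verified (signature, issuer, audience, expiry). The SsoConfig class, the precedence between user and group mappings, and the sample accounts are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SsoConfig:
    """Subset of the `sso:` settings on this page (constructed for the example)."""
    allowed_domains: Set[str]
    role_mapping: Dict[str, str] = field(default_factory=dict)       # group email -> role (Option A)
    user_role_mapping: Dict[str, str] = field(default_factory=dict)  # user email -> role (Option B)


def is_allowed_workspace_user(claims: dict, cfg: SsoConfig) -> bool:
    """Server-side allowed_domains check on an already verified ID token.

    The hd *request* parameter only filters Google's account chooser and a
    client can alter it, so the decision is made on the token's hd claim.
    Personal Gmail accounts carry no hd claim and are rejected here.
    """
    if not claims.get("email_verified"):
        return False
    hd = (claims.get("hd") or "").lower()
    email = claims.get("email", "").lower()
    return bool(hd) and hd in cfg.allowed_domains and email.endswith("@" + hd)


def resolve_role(claims: dict, groups: List[str], cfg: SsoConfig) -> Optional[str]:
    """Map a user to a TapPass role. Precedence is this example's assumption
    (the page does not state it): explicit user mapping first, then the first
    matching group returned by the Admin SDK lookup; None means no access."""
    email = claims.get("email", "").lower()
    if email in cfg.user_role_mapping:
        return cfg.user_role_mapping[email]
    for group in groups:
        role = cfg.role_mapping.get(group.lower())
        if role:
            return role
    return None


# Constructed sample config (mirrors the snippets above; not real accounts).
CFG = SsoConfig(
    allowed_domains={"yourcompany.com"},
    role_mapping={"tappass-admins@yourcompany.com": "admin",
                  "tappass-viewers@yourcompany.com": "viewer"},
    user_role_mapping={"alice@yourcompany.com": "admin"},
)
```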