Google sign-in

Sign in with Google on self-hosted Proliferate.

On self-hosted Proliferate, Google sign-in runs through the OIDC SSO connection with Google as the identity provider. The desktop app's built-in sign-in methods are email and password and optional GitHub; when your SSO connection points at Google, the sign-in screen shows a Google SSO button (the button label comes from SSO_DISPLAY_NAME, so set it to "Google").

Set up

Create a Google OAuth client

In Google Cloud Console, open APIs & Services, then Credentials, and create an OAuth client ID of type Web application:

  • Authorized redirect URI: exactly https://<site>/auth/sso/oidc/callback

Copy the client ID and client secret.

Screenshot: Google Cloud Console, Create OAuth client ID form

The web-application OAuth client form with the /auth/sso/oidc/callback authorized redirect URI filled in.

Configure the server

Set the SSO connection in .env.static in your deploy bundle:

# .env.static
SSO_ENABLED=true
SSO_OIDC_ISSUER_URL=https://accounts.google.com
SSO_OIDC_CLIENT_ID=1234567890-abc.apps.googleusercontent.com
SSO_OIDC_CLIENT_SECRET=...
SSO_ALLOWED_DOMAINS=corp.example.com
SSO_JIT_POLICY=create_member
SSO_DISPLAY_NAME="Google"

Apply with ./update.sh (or restart the stack). SSO_JIT_POLICY decides who gets in:

  • disabled (the default): Google sign-in is off in practice.
  • existing_user: only emails that already have an account can sign in with Google.
  • create_member: accounts are created automatically on first sign-in, scoped to SSO_ALLOWED_DOMAINS.

Verify

Sign in from a desktop app pointed at your server: the sign-in screen shows the sign-in button labeled "Continue with Google", and completing the Google flow signs you in.

Screenshot: Desktop sign-in screen with the Google SSO button against a self-hosted server

The desktop sign-in screen showing the sign-in button labeled Continue with Google.

Warning:

With SSO_JIT_POLICY=create_member, SSO arrivals bypass the invitation allowlist: anyone with a Google account in your allowed domains gets an account on first sign-in. Set SSO_ALLOWED_DOMAINS to your organization's domains before enabling it.

The ADMIN_EMAILS admin floor is asserted on Google sign-ins like every other method. For the full SSO surface (login policy, display name, and the rest of the SSO_* variables), see OIDC SSO.

On this page