Google OIDC

You'll learn how to register redirect URIs in Google Cloud and create the connection in SqlOS.

Redirect URI#

The default hosted provider callback path is:

TEXT

https://your-app.example.com/sqlos/auth/oidc/callback

For local development with the default SqlOS base path:

TEXT

http://localhost:5062/sqlos/auth/oidc/callback

Create the OIDC connection in SqlOS first, then copy the dashboard callback URI into Google Cloud.

Google Cloud setup#

Open Google Cloud Console.
Create or select a project and configure the OAuth consent screen.
Create an OAuth client ID (Web application).
Add the SqlOS callback URI from the dashboard.
Copy the client ID and client secret.

SqlOS dashboard setup#

Open /sqlos/admin/auth/oidc on your running app.
Create a connection:
- Provider: Google
- Display name: shown on the login button
- Client ID and client secret from Google
Save, then update Google's redirect URIs with the exact callback shown by the dashboard.
Enable the connection.

Default scopes when left empty: openid, email, profile.

API setup (optional)#

BASH

curl -X POST http://localhost:5062/sqlos/admin/auth/api/oidc-connections \
  -H "Content-Type: application/json" \
  -d '{
    "providerType": "google",
    "displayName": "Google",
    "clientId": "YOUR_CLIENT_ID.apps.googleusercontent.com",
    "clientSecret": "YOUR_CLIENT_SECRET"
  }'

BASH

curl -X POST http://localhost:5062/sqlos/admin/auth/api/oidc-connections/{id}/enable

Test#

Open your app login or /sqlos/auth/login.
Enter an email and choose Continue with Google.
Complete Google sign-in and confirm your app receives tokens.

Common failures#

Error	Fix
`redirect_uri_mismatch`	Google Console must list the exact SqlOS callback URL
Callback not allowed in SqlOS	Update the connection’s allowed callback list
Unverified email	Google must return a verified email for linking

Home realm discovery

If the email domain matches an org SAML connection, SqlOS starts SSO instead of Google. See Home realm discovery.

Next steps#

Redirect URI#

The default hosted provider callback path is:

TEXT

https://your-app.example.com/sqlos/auth/oidc/callback

For local development with the default SqlOS base path:

TEXT

http://localhost:5062/sqlos/auth/oidc/callback

Create the OIDC connection in SqlOS first, then copy the dashboard callback URI into Google Cloud.

SqlOS dashboard setup#

Open /sqlos/admin/auth/oidc on your running app.

Create a connection:

Provider: Google
Display name: shown on the login button
Client ID and client secret from Google

Save, then update Google's redirect URIs with the exact callback shown by the dashboard.

Enable the connection.

Default scopes when left empty: openid, email, profile.

API setup (optional)#

BASH

curl -X POST http://localhost:5062/sqlos/admin/auth/api/oidc-connections \
  -H "Content-Type: application/json" \
  -d '{
    "providerType": "google",
    "displayName": "Google",
    "clientId": "YOUR_CLIENT_ID.apps.googleusercontent.com",
    "clientSecret": "YOUR_CLIENT_SECRET"
  }'

BASH

curl -X POST http://localhost:5062/sqlos/admin/auth/api/oidc-connections/{id}/enable

Common failures#

Error

Fix

redirect_uri_mismatch

Google Console must list the exact SqlOS callback URL

Callback not allowed in SqlOS

Update the connection’s allowed callback list

Unverified email

Google must return a verified email for linking

Home realm discovery

If the email domain matches an org SAML connection, SqlOS starts SSO instead of Google. See Home realm discovery.

Sign in with Google

Redirect URI#

Google Cloud setup#

SqlOS dashboard setup#

API setup (optional)#

Test#

Common failures#

Next steps#

Sign in with Google

Redirect URI#

Google Cloud setup#

SqlOS dashboard setup#

API setup (optional)#

Test#

Common failures#

Next steps#