Integrate Keycloak and Google Workspace for Authentication
If you use Google Workspace for your corporate email, shared drive, calendar and such, you can easily set up Keycloak to use that same email login for application authentication. Read on to see the steps we took at Soteria Software to tie our Google Workspace into our OpenRMF Professional demo site.
Step 1: Create a Google Application
You have to go to the Google Developers Console using your Google Workspace email (or other company email from Google Workspace). If you have multiple Google accounts like I do, please make sure you select the correct one.
Click the drop-down at the top of the page, then click New Project in the top right of the pop-up window. You can see we made an EKS one for this article.
When the form opens, fill in the Project Name, Organization, and Location. For us, the Organization and Location were our domain name soteriasoft.com.
Next, click the menu button at the far top left and choose the APIs & Services menu option. Then choose the Enabled APIs & services menu from that listing.
If this is your first one, you may be asked to configure the consent screen. You can click the top right “Configure Consent Screen” button and set that up. We chose Internal on the OAuth consent screen so only people within our organization in Google Workspace can use the integration. Think carefully before selecting External, since that choice no longer limits the integration to people within your organization. Then click Create to make this OAuth integration.
Configure the settings for your integration with your Application Name, the top level domain name, the homepage and your privacy link accordingly. Then click Save to finalize that configuration.
Now, back on the main page for Enabled APIs & services you can click Credentials from the main menu on the left (see below). Then click Create Credentials at the top to add a new configuration for this Keycloak setup. From the dropdown listing on Create Credentials, you should specify OAuth client ID.
Make this a Web Application for the type and then give this integration a specific name you will recognize and remember. For the Authorized redirect URI you need to use something like https://<keycloak-main-url>/auth/realms/<realm-name>/broker/google/endpoint substituting your <keycloak-main-url> domain and <realm-name> accordingly. Then click Save.
Do not worry. You will see an example of this full redirect URI later when you set up Keycloak, so you can verify the full path and adjust it if it is not 100% correct.
When you click the Save button, the screen reloads and you will receive a Client ID and Secret shown on the screen. You will need to use these in Keycloak in our next steps, so please copy them and put them in a safe place off to the side.
Step 2: Configure Keycloak with your Google Application Information
Now in a separate browser tab, log into your Keycloak with your “admin” user and go to the Realm you want to use for the Google Workspace integration. Click on the Identity Providers menu option and choose Google from the listing (see below).
Note the Redirect URI on the screen that appears, as that is what we referenced above in Step 1. You can copy that and compare it again to what we set up earlier in the Google Developers Console, just to be sure. Next, copy in the Client ID and Client Secret we saved in the previous steps. Then click the Save button.
Your new provider will be enabled and allow other advanced settings you can play with and adjust to control even further how this integrated login setup is used.
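The redirect URI comparison from Steps 1 and 2 can also be scripted. The following is an added example, not part of the original article or of Keycloak: it builds the broker endpoint from the pattern in Step 1 and checks it against the redirect URIs in the OAuth client JSON downloaded from the Credentials page. The host sso.example.com, the realm demo, the function names and the sample JSON are all constructed for illustration, and the /auth prefix is an assumption to adjust to whatever Keycloak displays.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a downloaded OAuth client JSON; every value is a placeholder.
SAMPLE_CLIENT_JSON = """
{"web": {"client_id": "1234567890-example.apps.googleusercontent.com",
         "client_secret": "PLACEHOLDER-NOT-A-REAL-SECRET",
         "redirect_uris": [
           "https://sso.example.com/auth/realms/demo/broker/google/endpoint/",
           "http://sso.example.com/auth/realms/demo/broker/google/endpoint"]}}
"""

def expected_redirect_uri(keycloak_base_url, realm, alias="google", prefix="/auth"):
    """Build the broker endpoint using the pattern given in Step 1.

    prefix is an assumption: set it to match the Redirect URI Keycloak shows in Step 2.
    """
    base = keycloak_base_url.rstrip("/")
    return f"{base}{prefix}/realms/{realm}/broker/{alias}/endpoint"

def check_redirect_uris(client_json, keycloak_base_url, realm):
    """Return (exact_match_found, findings) for the URIs registered in Google."""
    expected = expected_redirect_uri(keycloak_base_url, realm)
    registered = json.loads(client_json)["web"].get("redirect_uris", [])
    findings = []
    for uri in registered:
        if uri == expected:
            continue  # Google compares redirect URIs exactly, so only this one works
        parts = urlsplit(uri)
        if parts.scheme != "https":
            findings.append((uri, "not https"))
        elif uri.rstrip("/") == expected:
            findings.append((uri, "trailing slash, will not match exactly"))
        elif parts.hostname != urlsplit(expected).hostname:
            findings.append((uri, "host differs from Keycloak"))
        else:
            findings.append((uri, "path differs from the broker endpoint"))
    return expected in registered, findings

if __name__ == "__main__":
    ok, findings = check_redirect_uris(SAMPLE_CLIENT_JSON, "https://sso.example.com", "demo")
    print("exact match registered:", ok)
    for uri, reason in findings:
        print(f"  review {uri}: {reason}")
```

Any registered URI the script flags that is not the Keycloak broker endpoint is worth removing from the Google client, since each one is an extra place an authorization response can be sent.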
Step 3: Login with your new Google Workspace provider
Now you can log out of the application you configured to use this Keycloak realm, if you were already logged in. Then go back to the Login page for that application. You should now see a “Google” button to log in with your Google Workspace provider (see below).
Step 4: Allow people to log in and set up their Roles, Groups, and access
Let people click the Google button and log into your application. If they already have a login set up with the same email, they may get a prompt like the below image. If valid, click the “Add to existing account” button so you are linked up and ready to go. It will ask you to log in to verify your current account.
When people log in for the first time, your Keycloak administrator may need to add the proper Roles and such to the account for the login to actually work in your application set up with Keycloak for authentication. This will be application specific. Talk to your application administrator or developers for more information on that!
Step 5: Enjoy Your Integrated Login
That is it! Now you should be good to use your Google Workspace.
The other integrated providers are similar to this process but may not be 100% the same.
Additional Resources
This is a great article explaining this process as well: https://keycloakthemes.com/blog/how-to-setup-sign-in-with-google-using-keycloak