Skip to main content
Version: 3.15.0

Set Up SSO with Google

OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of end users based on the authentication performed by the identity provider, as well as to obtain basic profile information about end users in an interoperable and REST-like manner.

Google Identity offers a suite of identity and access management tools, enabling secure user authentication and access control. With APISIX and Google, you can implement OIDC-based authentication processes to protect your APIs and enable single sign-on (SSO).

The guide will show you how to integrate APISIX with Google's OAuth 2.0 APIs to implement SSO, using the authorization code flow.

Prerequisite(s)

Configure Google Credentials

Go to the Credentials page in Google API console and create a new credential of type OAuth client ID:

Google OAuth create OAuth client ID

Configure the details for the client:

  • Select the Web application as the Application type.
  • Enter the name of the client, for example, apisix.
  • Enter the callback URL http://localhost:9080/anything/callback.
Enter client details

Finish the creation.

Copy the generated client ID and secret:

The generated client ID and secret

Save the client ID and secret to environment variables:

# replace with your values
export OIDC_CLIENT_ID=590838497384-v1v8tta846d4iki47kuaa5mompqio.apps.googleusercontent.com
export OIDC_CLIENT_SECRET=bSaINfMk1YknmtXvo8lKkfeY0iwpr9c0

Create a Route in APISIX

Create a route with openid-connect plugin as such:

curl -i "http://127.0.0.1:9180/apisix/admin/routes" -X PUT -d '
{
  "id": "auth-with-oidc",
  "uri":"/anything/*",
  "plugins": {
    "openid-connect": {
      "bearer_only": false,
      "session": {
        "secret": "f86cf31663a9c9fa0a28c2cc78badef1"
      },
      "client_id": "'"$OIDC_CLIENT_ID"'",
      "client_secret": "'"$OIDC_CLIENT_SECRET"'",
      "discovery": "https://accounts.google.com/.well-known/openid-configuration",
      "scope": "openid profile",
      "redirect_uri": "http://localhost:9080/anything/callback"
    }
  },
  "upstream":{
    "type":"roundrobin",
    "nodes":{
      "httpbin.org:80":1
    }
  }
}'

bearer_only: Set to false for authorization code grant.

session.secret: Replace with your key used for session encryption and HMAC operation. Required when bearer_only is false.

client_id: Google OAuth client ID.

client_secret: Google OAuth client secret.

discovery: URI to Google discovery document.

redirect_uri: URI to redirect to after authentication with Google OAuth.

Verify

Navigate to http://localhost:9080/anything/test in browser. You should be redirected to Google's log-in page:

log in with Google

Once logged in, the request will be forwarded to httpbin.org and you should see a response similar to the following in browser:

{
  "args": {},
  "data": "",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "text/html..."
    ...
  },
  "json": null,
  "method": "GET",
  "origin": "127.0.0.1, 122.71.24.81",
  "url": "http://127.0.0.1/anything/test"
}

Next Steps

APISIX supports the integration with more OIDC identity providers, such as Keycloak, Authgear, Microsoft Entra ID, and Auth0.

In addition, APISIX also supports built-in authentication approaches such as key authentication, basic authentication, JWT authentication, and HMAC authentication.

API7.ai Logo

The digital world is connected by APIs,
API7.ai exists to make APIs more efficient, reliable, and secure.

Sign up for API7 newsletter

Product

API7 Gateway
API7 AI Gateway
API7 API Portal

Learn

API Gateway Guide
Plugin Hub
API Gateway Comparison
Customers

Resources

API Gateway Docs
Blog
Demo Hub
APISIX vs Kong

Company

About
Contact
Compliance Standards
Partners
Terms & Privacy
SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN PTE. LTD 2019 – 2026. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the Apache Software Foundation