Google Cloud Console: OAuth2 App Setup

Before configuring Keycloak's Google Identity Provider, you need a Google OAuth2 application. This page walks through the Google Cloud Console setup.

Step 1: Create or Select a Google Cloud Project

  1. Go to console.cloud.google.com
  2. Click the project selector → New Project
  3. Name it (e.g., "MyApp Authentication")
  4. Click Create

Step 2: Enable the Google+ API / People API

In your project, navigate to APIs & Services → Library:

  1. Search for "Google People API"
  2. Click Enable

This API provides the user profile information (name, email, avatar) that Keycloak will use to populate user attributes.

Step 3: Configure the OAuth Consent Screen

Navigate to APIs & Services → OAuth consent screen:

  1. User Type: External (for production) or Internal (for G Suite org)
  2. Fill in required fields:
     - App name: Your application name
     - User support email: Your email
     - Developer contact: Your email
  3. Scopes: Add openid, email, profile
  4. Test users: Add your email (required while app is in "Testing" mode)
  5. Click Save and Continue

Step 4: Create OAuth2 Credentials

Navigate to APIs & Services → Credentials → Create Credentials → OAuth client ID:

  1. Application type: Web application
  2. Name: "Keycloak Integration"
  3. Authorized redirect URIs: Add your Keycloak callback URL:
     - Dev: http://localhost:8080/realms/YOUR_REALM/broker/google/endpoint
     - Production: https://auth.yourdomain.com/realms/YOUR_REALM/broker/google/endpoint
  4. Click Create

Save the Client ID and Client Secret — you'll need these in Keycloak.

Redirect URI Pattern

The Keycloak callback URL for Google follows this pattern:

{keycloak-base-url}/realms/{realm-name}/broker/google/endpoint

Examples:
  - Dev: http://localhost:8080/realms/myrealm/broker/google/endpoint
  - Prod: https://auth.example.com/realms/myrealm/broker/google/endpoint
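
Google compares the redirect URI Keycloak sends against the registered list byte for byte, so a trailing slash, a different port, or http instead of https fails the login with redirect_uri_mismatch. The following added example (not part of this page or of Keycloak) builds the callback URI from a base URL and realm name and lists the mistakes a practitioner most often makes before registering it; the function names and the production rule (https on a non-localhost host) are assumptions of the example.

```python
"""Build and sanity-check the Keycloak -> Google broker redirect URI (added example)."""
from urllib.parse import urlsplit

# Path pattern from the page: {keycloak-base-url}/realms/{realm-name}/broker/google/endpoint
BROKER_PATH = "/realms/{realm}/broker/google/endpoint"


def keycloak_google_redirect_uri(base_url: str, realm: str) -> str:
    """Return the exact callback URI to register for a Keycloak base URL and realm."""
    if not realm or "/" in realm:
        raise ValueError("realm name must be a single non-empty path segment")
    return base_url.rstrip("/") + BROKER_PATH.format(realm=realm)


def redirect_uri_problems(uri: str, production: bool) -> list[str]:
    """List reasons this URI would be rejected or would fail at login (empty list = ok)."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    is_local = parts.hostname in ("localhost", "127.0.0.1")
    # Assumed production rule: a public https host, never plain http or localhost.
    if production and (parts.scheme != "https" or is_local):
        problems.append("production callbacks must be https on a public host")
    if parts.fragment:
        problems.append("fragments are not allowed in redirect URIs")
    if parts.query:
        problems.append("drop query parameters; the broker endpoint does not expect them")
    # Exact path shape: /realms/<realm>/broker/google/endpoint with no trailing slash.
    segments = parts.path.split("/")
    expected = ["", "realms", None, "broker", "google", "endpoint"]
    if len(segments) != len(expected) or any(
        e is not None and e != s for e, s in zip(expected, segments)
    ):
        problems.append("path must be /realms/<realm>/broker/google/endpoint")
    return problems


def matches_registered(registered: list[str], uri: str) -> bool:
    """Mirror Google's comparison: exact string match, no normalisation."""
    return uri in registered
```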

Publishing State

  State       Access                          User limit
  Testing     Only test users you've added    100 users
  Production  Any Google account              Unlimited

To publish: Go to OAuth consent screen → Publish App → Submit for verification (required for external apps requesting sensitive scopes).

The openid, email, and profile scopes requested here are non-sensitive and do not require Google review.

Environment Variables

Store credentials securely, never in source code:

# .env (never commit this)
GOOGLE_CLIENT_ID=123456789-abc.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-your-secret-here

# Verify it works: load .env into the shell, then call the auth endpoint (-G/--data-urlencode build a correctly encoded query)
set -a; . ./.env; set +a
curl -sS -G "https://accounts.google.com/o/oauth2/v2/auth" \
  --data-urlencode "client_id=${GOOGLE_CLIENT_ID}" \
  --data-urlencode "redirect_uri=http://localhost:8080/realms/myrealm/broker/google/endpoint" \
  --data-urlencode "response_type=code" --data-urlencode "scope=openid email profile"