Using Google Workspace OAuth with Proxmox

I recently started playing a lot with Proxmox hosts.  Most folks know I am a fan of Cloudflare Tunnels as well.  Since these hosts are reachable externally through tunnels protected by Cloudflare Zero Trust Access, I wanted to add OpenID Connect directly to the Proxmox web login using my Google Workspace account.  The same account is used with Cloudflare Access, so in effect I do have to log in twice, but the credentials, SSO, and subsequent MFA/Passkey are the same.  The first login authenticates me to Cloudflare Zero Trust to reach the web UI, and the second is the host login itself. This gives me a layered authentication setup that suits my needs. Below you will see how to set it up; it turned out to be very easy.

In Google Cloud Console

For Creating Credentials

  1. Head to https://console.cloud.google.com/ and log in with the account you want to use for Google auth
  2. In the project pulldown at the top, to the right of “Google Cloud”, create a new project such as “Proxmox Auth”
  3. Select “APIs & Services” from Quick Access or the hamburger menu on the upper left
  4. Select “Credentials”, click “+ Create Credentials”, and select “OAuth Client ID”
  5. For application type, select “Web Application” and give it a helpful name (see below if it asks you for a consent screen)
  6. For Authorized JavaScript Origins, enter the full hostname with FQDN for Proxmox, e.g. https://proxmox.domain.com
    • These would be your external URLs in Cloudflare Tunnels
  7. For Authorized redirect URIs, enter the page you actually access for Proxmox, e.g. https://proxmox.domain.com
    • These would be your external URLs in Cloudflare Tunnels
  8. Save.
  9. A window will pop up with a Client ID and Client Secret.  Not to worry, you can come back for these later.

For OAuth Consent Screen

  1. If at any point above you’re asked to create a consent screen, go ahead and click “Configure Consent Screen”
    1. Generally this only happens if you’ve come to the credentials page again after the first time.
  2. Select the type of access. Internal means restricted to the workspace domain you’re currently using. (This is what I use to shrink the pool of potential logins.) Click “Create”
  3. Add an app name, pick an existing email for support, and add a logo if you want.
  4. Add your host+FQDN as above (e.g. https://proxmox.domain.com) to App Domain
  5. You can leave the privacy policy and TOS links blank.
  6. Add your Authorized Domains. These must match the workspace account from which you’re logging in. These will likely autofill from your earlier domain entries.
  7. Add a developer email and click “Save and Continue”

For Scopes

  1. Click Data Access
  2. Click Add or Remove Scopes
  3. Add these to “Non-sensitive scopes” (the console abbreviates the userinfo scope URIs https://www.googleapis.com/auth/userinfo.profile and https://www.googleapis.com/auth/userinfo.email):
    1. .../auth/userinfo.profile
    2. .../auth/userinfo.email
    3. openid
  4. Select the checkboxes for the above scopes and click “Update”
  5. Click “Save and Continue”
  6. Review the summary and click “Back to Dashboard”

In Proxmox

  1. Click on Datacenter in the tree
  2. Scroll down to Permissions, expand that subtree, and click Realms
  3. Click “Add” and select OpenID Connect Server
  4. Add the Issuer URL of https://accounts.google.com
  5. In the “Realm:” field, add something like “GoogleAuth” (You see this later when adding users)
  6. Paste the Client ID and Client Key (aka Client secret) from the Google credentials page.
  7. Do not check “autocreate users”
  8. Select Username Claim of “email”
  9. For Scopes enter “email profile openid” (leaving spaces between scopes)
  10. For Prompt select “login”
  11. Select if you want this realm to be default and enter a useful comment.
  12. Leave ACR Values blank
  13. Click Add.

Adding users in Proxmox

  1. Under the Permissions subtree, select Users
  2. Click Add
  3. For the User Name enter the workspace account email address (e.g. [email protected], where the domain is the one set up above in Google)
  4. Add the user to any groups and add any metadata you like here.
  5. Add the same email to the email field.
    • Proxmox will append “@<realmname>” to the username, so it may look like [email protected]@GoogleAuth
  6. Click Add

Groups and permissions

  1. I added my primary Google auth user as an admin. You can probably find better guides for this but in short:
  2. Click on Permissions
  3. Click Add, then User Permission
  4. For Path select /
  5. User: your new Google auth user, [email protected]@googleauth
  6. Select a Role (e.g. Administrator)
  7. Click Add
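The three Proxmox-side steps above (realm, user, permission) can also be done from a node's shell with pveum. The following is an added example, not from the original post: it wraps the same settings (Google issuer, email as the username claim, autocreate off, prompt=login) in small functions, validates the inputs, and lets you preview the commands by setting PVEUM=echo. The realm name, email and client values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the Proxmox GUI steps as pveum
# commands. Run on a PVE node as root. Set PVEUM=echo to preview without
# changing anything.
PVEUM="${PVEUM:-pveum}"

# Create the OpenID Connect realm with the same settings as the GUI steps:
# Google issuer, email as username claim, autocreate off, prompt=login.
pve_oidc_realm_add() {
    realm="$1"; client_id="$2"; client_key="$3"
    [ -n "$realm" ] && [ -n "$client_id" ] && [ -n "$client_key" ] || {
        echo "usage: pve_oidc_realm_add REALM CLIENT_ID CLIENT_KEY" >&2; return 1; }
    "$PVEUM" realm add "$realm" --type openid \
        --issuer-url https://accounts.google.com \
        --client-id "$client_id" --client-key "$client_key" \
        --username-claim email --scopes "email profile openid" \
        --prompt login --autocreate 0 \
        --comment "Google Workspace SSO"
}

# Proxmox user ids are <name>@<realm>; with the email claim the name is the
# workspace address, so the id looks like user@example.com@GoogleAuth.
pve_oidc_userid() {
    case "$1" in *@*.*) ;; *) echo "not an email address: $1" >&2; return 1;; esac
    printf '%s@%s\n' "$1" "$2"
}

# Pre-create the user: autocreate is off, so only listed users can log in.
pve_oidc_user_add() {
    userid=$(pve_oidc_userid "$1" "$2") || return 1
    "$PVEUM" user add "$userid" --email "$1" --comment "Google Workspace user"
}

# Grant a role on a path, e.g. Administrator on / as in the post.
pve_oidc_grant() {
    userid=$(pve_oidc_userid "$1" "$2") || return 1
    "$PVEUM" acl modify "$3" --users "$userid" --roles "$4"
}

# Example invocation with placeholder values (replace before running for real).
if [ "${PVE_OIDC_EXAMPLE:-0}" = 1 ]; then
    pve_oidc_realm_add GoogleAuth "CLIENT_ID_PLACEHOLDER" "CLIENT_SECRET_PLACEHOLDER"
    pve_oidc_user_add admin@example.com GoogleAuth
    pve_oidc_grant admin@example.com GoogleAuth / Administrator
fi
```

Because the user is pre-created rather than autocreated, a Workspace account that is not listed with `pveum user add` gets no Proxmox login even if Google authenticates it.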

About Chris Colotti

Chris is active on the VMUG and event speaking circuit and is available for many events if you want to reach out and ask. Before this he spent close to a decade working for VMware as a Principal Architect. Before his nine plus years at VMware, Chris was a System Administrator who evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also amongst the first VMware Certified Design Experts (VCDX#37), and author of multiple white papers. In his spare time he helps his wife Julie run her promotional products business as the accountant, bookkeeper, and IT support. Chris also believes in both a healthy body and healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody programs. Although technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years.
