Setting up Single Sign-On (SSO) with Google (OIDC)

This guide walks you through configuring Google as your OpenID Connect (OIDC) identity provider so your team can log into Clockk using their Google Workspace accounts.

1. Log in to Google Cloud Console

Go to https://console.cloud.google.com and sign in with an administrator account that can configure OAuth and credentials for your organization.

2. Create or select a Google Cloud project

  • Create a new project dedicated to SSO/integrations. In our own testing, we created a new Clockk OIDC SSO project.
  • Switch to the new project.
  • Click “Get started”

Alternatively, you can use an existing Google Cloud project. This documentation describes how to set up SSO using a new project rather than an existing one. If you prefer to use an existing project, we will assume you are already familiar with the Google Cloud interface and can infer the specific steps you need to take.

3. Configure the Project (OAuth Consent Screen)

  1. Under App Information:
    • App name: Clockk
    • Support email: (someone at your company who will support this integration)
  2. Under Audience:
    • Choose Internal
  3. Contact information:
    • Your email address
  4. Finish:
    • Agree to the terms

4. Configure project branding

At this point you’ve created the basic project, but you should do more to make Clockk recognizable and usable for your users.

  1. Under Branding:
    • App information is already set.
    • App logo: Upload the Clockk logo; you can download our logo at https://clockk.com/brand.
    • App domain: Application homepage is https://clockk.com. Privacy policy link is https://clockk.com/privacy-policy. Terms of service link is https://clockk.com/license-agreement.
    • Authorized domains: Enter the domain names you control, managed by your Google Workspace account, that you want to allow access to Clockk.

5. Create OAuth 2.0 client credentials

  1. Under Clients:
    • Click + Create client
    • Application type: Web application.
    • Name: Clockk
    • Authorized JavaScript origins: Enter https://app.clockk.com and https://clockk.com
    • Authorized redirect URIs: Enter https://ca-central.api.clockk.com/integration/google/install
    • Click Create to obtain your Client ID and Client Secret.

⚠️ Copy the Client ID (e.g. 1054820374309-nqol2har12nhos7339k4buj9v5rr2fia.apps.googleusercontent.com) and Client Secret (e.g. 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) and store them securely. Google will only show the client secret this one time.

   - **Scopes**: add the standard OIDC scopes `openid`, `email`, `profile`

6. Send your credentials to Clockk

Provide the following to your Clockk contact (securely):

  • Client ID
  • Client Secret
  • Issuer / Discovery URL: https://accounts.google.com
  • (Optional) Project ID

Clockk uses these values to complete the OIDC Authorization Code Flow and link your organization’s Google SSO to Clockk.

7. (Optional) Restrict access to your domain

To ensure only your organization can sign in:

  • Ask Clockk to restrict sign-ins to your domain (e.g., @yourcompany.com), and/or
  • In Google Cloud, use App access control / IAM to limit which users/groups can use the OAuth client.

8. Test and roll out

After Clockk confirms your Google OIDC profile is configured on our side:

  1. Go to the Clockk login page and click “Sign in with Google”.
  2. Authenticate with a company Google account.
  3. Verify Clockk creates/links the user correctly.

We can optionally provide a shortcut URL like yourcompany.clockk.com that sends users directly to your Google login, skipping the email step if they’re already signed in with Google.

Troubleshooting tips

  • Redirect URI mismatch: Ensure the URI in Google exactly matches the one provided by Clockk (scheme, host, path).
  • Forbidden user: Confirm domain restrictions (in Clockk and/or Google) include the tester’s account.
  • Invalid scope: Keep openid, email, profile and remove any unused/custom scopes.
  • Consent screen not published: Publish the OAuth consent screen (or add testers if still in draft).

What Clockk needs from you (recap)

  • Client ID
  • Client Secret (value)
  • Issuer/Discovery URL: https://accounts.google.com
  • (Optional) Domain(s) you want to allow: yourcompany.com

Questions or need a hand? Contact your Clockk representative and we’ll walk you through verification, redirect URIs, and domain restrictions.