@573dave
Created January 25, 2025 11:15
Portainer_Google_Oauth_SSO_OpenID

Updated 01/25/2025
If you don't have one, you'll need to set up a Google Project to get your Client ID and Client secret. Create a project here
It will make you create a billing account, but using your project only for OAuth is free.

Then create your OAuth client here

Application type: Web application
Name: Portainer
Authorized JavaScript origins: https://yourportainersite.com
Authorized redirect URIs: https://yourportainersite.com
Click Save, then click the Pencil to edit your project. You'll need your Client ID and Client secret below.

In Portainer, go to Settings > Authentication and set the following.
Method: OAuth
Provider: Custom

Client ID: (your Client ID from Google)
Client secret: (your Client secret from Google)
Authorization URL: https://accounts.google.com/o/oauth2/v2/auth
Access token URL: https://oauth2.googleapis.com/token
Resource URL: https://openidconnect.googleapis.com/v1/userinfo
Logout URL: https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://${YOUR_PORTAINER}
The logout URL is optional. If you use this one, be advised that clicking Logout in Portainer will log you out of all Google services. I suggest leaving it blank.
User identifier: email
Scopes: email
Auth Style: Auto Detect
Click Save settings.
Click User-related > Users.
Create a user with the Username matching your email address. Set the password to whatever.
Now log out, and you'll see the Google Login button.
If you run into issues, log in with your prior account and double-check the settings above and your settings at the Google Console.

Google hosts their OpenID Configuration file [here](https://accounts.google.com/.well-known/openid-configuration)
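
As an added example (not part of the original gist), this Python check compares the values typed into Portainer with a provider discovery document and flags the mistakes that typically break the login: a mistyped or non-HTTPS endpoint, a scope or user identifier the provider does not advertise, and a Portainer username that cannot match the `email` claim. The dictionary keys, `check_settings`, and the embedded discovery excerpt are constructions of this example; `fetch_discovery()` retrieves the live document from the URL above.

```python
import json
import urllib.request
from urllib.parse import urlsplit

DISCOVERY_URL = "https://accounts.google.com/.well-known/openid-configuration"

# Constructed excerpt of a discovery document; the three endpoints are the page's values.
SAMPLE_DISCOVERY = {
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "email_verified", "name"],
}
# Hypothetical keys standing in for the Portainer form fields, filled with the page's values.
PAGE_SETTINGS = {
    "authorization_url": "https://accounts.google.com/o/oauth2/v2/auth",
    "access_token_url": "https://oauth2.googleapis.com/token",
    "resource_url": "https://openidconnect.googleapis.com/v1/userinfo",
    "user_identifier": "email",
    "scopes": "email",
}
FIELD_TO_KEY = {"authorization_url": "authorization_endpoint",
                "access_token_url": "token_endpoint",
                "resource_url": "userinfo_endpoint"}

def fetch_discovery(url=DISCOVERY_URL):
    """Download the live discovery document (needs network access)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def check_settings(settings, discovery, usernames=()):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    for field, key in FIELD_TO_KEY.items():
        value = settings.get(field, "")
        if urlsplit(value).scheme != "https":
            problems.append(f"{field}: not an https URL")
        if value != discovery.get(key):
            problems.append(f"{field}: differs from discovery {key}")
    for scope in settings.get("scopes", "").replace(",", " ").split():
        if scope not in discovery.get("scopes_supported", []):
            problems.append(f"scopes: {scope!r} not advertised by the provider")
    ident = settings.get("user_identifier", "")
    if ident not in discovery.get("claims_supported", []):
        problems.append(f"user_identifier: {ident!r} is not an advertised claim")
    for name in usernames if ident == "email" else ():
        if name != name.strip() or name.count("@") != 1:
            problems.append(f"user {name!r}: not usable as an email identifier")
    return problems
```

Pass `fetch_discovery()` in place of `SAMPLE_DISCOVERY` to compare against the live document before saving the settings.
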
@drdogbot7

Just to be super clear, in case anybody else is dumb like me:

Your username must be exactly the same as your Google email address, otherwise you will get locked out. Unlike many applications, a Portainer user account does not have a separate email address field, just a username. You don't have to create a new user; changing your username is sufficient.

If you lock yourself out:
You can log back in with the original admin account that was created at setup. You need to access your Portainer instance at a special URL:

https://[IP ADDRESS]:9443/#!/internal-auth

This did not work for me via the domain name I set up, only via IP address. It also took a few tries. Don't give up!
https://portal.portainer.io/knowledge/how-can-i-switch-back-to-internal-authentication

If you lost your original password, you can reset it by following these instructions. You need SSH access to your server.
https://docs.portainer.io/advanced/reset-admin

(accurate as of 6/11/25)
