Google OIDC Setup
Configure Dagu with Google as OIDC provider.
Deployment Model
This guide applies to self-hosted Dagu using builtin auth + OIDC. Hosted Dagu Cloud includes authentication features by default, so you do not configure Google OIDC through config.yaml there. See the pricing page for current self-host and cloud availability.
Prerequisites
- Google Cloud account or Google Workspace
- Access to Google Cloud Console
Setup Steps
1. Create OAuth 2.0 Client ID
- Go to Google Cloud Console
- Select or create a project
- Navigate to "APIs & Services" > "Credentials"
- Click "Create Credentials" > "OAuth client ID"
- Configure OAuth consent screen if prompted:
  - User Type: Internal (for Google Workspace) or External
  - Add required scopes: email, profile, openid
- Application type: "Web application"
- Add authorized redirect URI:
  http://localhost:8080/oidc-callback
  For production:
  https://dagu.example.com/oidc-callback
- Save and copy the Client ID and Client Secret
2. Configure Dagu
YAML Configuration
```yaml
# ~/.config/dagu/config.yaml
auth:
  mode: builtin
  builtin:
    token:
      secret: "replace-with-a-random-jwt-secret"
  oidc:
    client_id: "123456789012-abcdefghijklmnopqrstuvwxyz012345.apps.googleusercontent.com"
    client_secret: "GOCSPX-1234567890abcdefghijklmno"
    client_url: "http://localhost:8080"
    issuer: "https://accounts.google.com"
    scopes:
      - "openid"
      - "profile"
      - "email"
```
Environment Variables
```bash
export DAGU_AUTH_MODE=builtin
export DAGU_AUTH_TOKEN_SECRET="replace-with-a-random-jwt-secret"
export DAGU_AUTH_OIDC_CLIENT_ID="123456789012-abcdefghijklmnopqrstuvwxyz012345.apps.googleusercontent.com"
export DAGU_AUTH_OIDC_CLIENT_SECRET="GOCSPX-1234567890abcdefghijklmno"
export DAGU_AUTH_OIDC_CLIENT_URL="http://localhost:8080"
export DAGU_AUTH_OIDC_ISSUER="https://accounts.google.com"
export DAGU_AUTH_OIDC_SCOPES="openid,profile,email"
dagu start-all
```
Google Workspace Setup
Domain-Wide Access
For Google Workspace domains:
```yaml
auth:
  mode: builtin
  builtin:
    token:
      secret: "replace-with-a-random-jwt-secret"
  oidc:
    client_id: "your-client-id"
    client_secret: "your-secret"
    client_url: "https://dagu.company.com"
    issuer: "https://accounts.google.com"
```
Specific User Access
```yaml
auth:
  mode: builtin
  builtin:
    token:
      secret: "replace-with-a-random-jwt-secret"
  oidc:
    # ... google config ...
    whitelist:
      - "admin@company.com"
      - "devops-team@company.com"
      - "ci-bot@company.com"
```
Production Configuration
```yaml
# Production with HTTPS
auth:
  mode: builtin
  builtin:
    token:
      secret: "replace-with-a-random-jwt-secret"
  oidc:
    client_id: "your-production-client-id"
    client_secret: "your-production-secret"
    client_url: "https://dagu.example.com"
    issuer: "https://accounts.google.com"
# Also enable TLS
tls:
  cert_file: "/etc/ssl/dagu.crt"
  key_file: "/etc/ssl/dagu.key"
```
Testing
Start Dagu:
```bash
dagu start-all
```
Open browser to http://localhost:8080/login
Click "Login with SSO"
After login, you should be redirected back to Dagu as an authenticated user
Notes
- Google client IDs look like: [numeric]-[random].apps.googleusercontent.com
- Client secrets start with GOCSPX- for newer applications
- Google supports wildcard redirect URIs for localhost development
- Session duration is 24 hours
- Google issuer is always https://accounts.google.com
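The following pre-flight check is an added example, not part of Dagu or of the original guide. It validates the DAGU_AUTH_* variables from the Environment Variables section against the formats listed in Notes and derives the redirect URI to register in Google Cloud Console. The function names and the 32-character minimum for the token secret are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Dagu code): pre-flight check for the DAGU_AUTH_* variables.
# Function names and the 32-character secret minimum are assumptions.

# Redirect URI to register in Google Cloud Console: client_url + /oidc-callback
dagu_redirect_uri() {
  printf '%s/oidc-callback\n' "${1%/}"
}

# Prints one line per problem; return status is the number of problems (0 = OK).
check_dagu_oidc_env() {
  problems=0
  fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

  [ "${DAGU_AUTH_MODE:-}" = "builtin" ] || fail "DAGU_AUTH_MODE must be builtin"

  # The sample value from the guide must never reach a real deployment.
  case "${DAGU_AUTH_TOKEN_SECRET:-}" in
    "" | replace-with-*) fail "token secret is unset or still the placeholder" ;;
    *) [ "${#DAGU_AUTH_TOKEN_SECRET}" -ge 32 ] ||
         fail "token secret is shorter than 32 characters" ;;
  esac

  case "${DAGU_AUTH_OIDC_CLIENT_ID:-}" in
    *.apps.googleusercontent.com) ;;
    *) fail "client ID does not end in .apps.googleusercontent.com" ;;
  esac
  [ -n "${DAGU_AUTH_OIDC_CLIENT_SECRET:-}" ] || fail "client secret is unset"

  # Exact match: a trailing slash or another host is a different issuer.
  [ "${DAGU_AUTH_OIDC_ISSUER:-}" = "https://accounts.google.com" ] ||
    fail "issuer must be exactly https://accounts.google.com"

  # Plain http is accepted only for the localhost development URL.
  case "${DAGU_AUTH_OIDC_CLIENT_URL:-}" in
    https://* | http://localhost | http://localhost:*) ;;
    *) fail "client URL must use https:// outside localhost" ;;
  esac

  # Scopes are comma-separated; openid is required for an OIDC login.
  case ",${DAGU_AUTH_OIDC_SCOPES:-}," in
    *,openid,*) ;;
    *) fail "scopes must include openid" ;;
  esac

  return "$problems"
}
```

Source the file and run check_dagu_oidc_env before dagu start-all; a non-zero status is the number of settings that need attention.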
