Follow the steps below to configure Google Workspace for integration with Verax.
This setup includes:
An OIDC application for authentication
A Service Account with Domain-Wide Delegation for directory access
Before You Begin
Ensure you have:
Google Workspace Admin access
Access to Google Cloud Console
Permission to enable APIs and manage OAuth credentials
Part 1: Configure the OIDC Application
Step 1: Enable the Admin SDK API
Verax requires access to Google Directory data.
Open the Google Cloud Console.
Navigate to APIs & Services > Library.
Search for Admin SDK API.
Click Enable.
Important: If this API is not enabled, directory scopes will not appear later.
This allows Verax to authenticate users via Google Workspace.
Step 2: Configure the OAuth Consent Screen
This defines your application identity and limits access to internal users.
A. Branding
Go to APIs & Services > OAuth consent screen.
Click Get Started or Edit App.
Set:
App name: Verax
User support email: your admin email
Developer contact email: your email
(Optional) Upload a logo.
Click Save and Continue.
B. Audience
Select Internal as User Type.
This ensures only users in your Workspace can authenticate.
Click Save and Continue.
C. Data Access (Scopes)
Click Add or Remove Scopes.
Add the following scopes:
For OIDC Identity:
openid
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
For Groups:
https://www.googleapis.com/auth/admin.directory.group.readonly
Click Update.
Click Save and Continue.
If directory scopes are not visible, confirm that the Admin SDK API is enabled.
Step 3: Create the OAuth Client
Navigate to APIs & Services > Credentials.
Click Create Credentials > OAuth Client ID.
Select Web application.
Name the client (e.g., Verax).
Under Authorized Redirect URIs, add:
https://internal.verax.ai/oidc/callback
Click Create.
Save the generated:
Client ID
Client Secret
These values will be entered into Verax.
Part 2: Configure the Service Account
This allows Verax to read user and group directory data.
Step 1: Create the Service Account
In Google Cloud Console, go to IAM & Admin > Service Accounts.
Click Create Service Account.
Name it (e.g., verax-service).
Click Create and Continue.
Click Done (no IAM roles needed at this stage).
Copy the Unique ID (OAuth 2 Client ID) of the service account. You will need this later.
Step 2: Generate the Private Key
Click the service account email.
Go to the Keys tab.
Click Add Key > Create new key.
Select JSON.
Click Create.
A .json file will download.
This file contains the private key required for service authentication. Store it securely.
Step 3: Enable Domain-Wide Delegation
Permissions must be granted in the Google Workspace Admin Console.
Open the Google Admin Console.
Navigate to:
Security > Access and data control > API controls
Click Manage Domain Wide Delegation.
Click Add new.
Enter:
Client ID:
Paste the Service Account Unique ID from Step 1.
OAuth Scopes:
Paste the following (as-is):
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly
Admin Impersonation Requirement
To perform directory lookups, Verax must impersonate a Google Workspace admin account with sufficient privileges to read users and groups.
Recommended Approach
Create a dedicated service admin account (for example, verax-svc-auth-manager@mydomain.com) and assign it only the required read-only directory roles.
This ensures:
Clear audit separation between automated system actions and human administrator activity
Improved audit log clarity in Google Admin logs
Alternative
You may provide an existing admin account with sufficient read privileges. However, this may reduce audit transparency.
Completion
Once completed, provide Verax with:
OAuth Client ID
OAuth Client Secret
Service Account JSON file
Admin Email to Impersonate (a Google Workspace admin account with read-only directory privileges)
Verax will now be able to:
Authenticate users via OIDC
Retrieve user and group directory data
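Before handing these values over, the downloaded key file and the Domain-Wide Delegation entry can be checked against what this guide specifies: the Client ID must equal the key's client_id, and only the two read-only directory scopes should be delegated. The script below is an added example, not Verax or Google code; audit_delegation is a hypothetical helper, and the sample key, IDs and project name are constructed placeholders.

```python
import json

# Scopes this guide delegates in Part 2, Step 3 (read-only directory access).
EXPECTED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
}

def audit_delegation(key_json, dwd_client_id, dwd_scopes):
    """Return findings (empty list = entry matches the guide). Hypothetical helper."""
    findings = []
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        findings.append("key file is not a service account key")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        findings.append("key file has no PEM private key")
    # The key file's client_id is the service account Unique ID used for delegation.
    if key.get("client_id") != dwd_client_id.strip():
        findings.append("delegation Client ID does not match key client_id")
    # The Admin Console field takes a comma-separated list; tolerate line breaks.
    granted = {s.strip() for s in dwd_scopes.replace("\n", ",").split(",") if s.strip()}
    for scope in sorted(granted - EXPECTED_SCOPES):
        kind = "extra" if scope.endswith(".readonly") else "not read-only"
        findings.append(f"{kind} scope delegated: {scope}")
    for scope in sorted(EXPECTED_SCOPES - granted):
        findings.append(f"missing scope: {scope}")
    return findings

# Constructed sample key file: placeholder values, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "verax-service@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
})
GUIDE_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly,\n"
    "https://www.googleapis.com/auth/admin.directory.group.readonly"
)
# Constructed misconfiguration: full user scope instead of the read-only one.
BROAD_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user,"
    "https://www.googleapis.com/auth/admin.directory.group.readonly"
)

if __name__ == "__main__":
    print(audit_delegation(SAMPLE_KEY, "100000000000000000001", GUIDE_SCOPES))
    for finding in audit_delegation(SAMPLE_KEY, "999", BROAD_SCOPES):
        print(finding)
```

An empty result means the delegation entry matches the guide; any finding should be resolved in the Admin Console before the key file is shared.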