Using Google OAuth in authentik as an Identity Provider
What is authentik?
authentik is an IdP (Identity Provider) and SSO (Single Sign On) platform that is built with security at the forefront of every piece of code, every feature, with an emphasis on flexibility and versatility.
authentik is often used to centralize authentication across all your applications. Using Google as an Identity Provider (IdP), we can leverage authentik to forward authentication to Google so we don't have to register and deregister users manually in authentik.
In this blog post, we will go through how to set up authentik to implement the following flow: we configure Google OAuth in authentik as a source and create the respective Application and Provider to handle authentication to the Kube-API-Server. The Kube-API-Server is just taken as an example here; you can configure OAuth2/OIDC for every service where it is supported.
Prerequisites
Before starting, make sure you have:
- A running authentik instance (version 2023.x or higher recommended).
- Administrator access in authentik.
- A Google account with access to the Google Cloud Console.
- HTTPS enabled on your authentik installation (Google requires valid HTTPS redirect URLs).
Step 1 - Create a Google OAuth Client
Go to https://console.cloud.google.com/.
Navigate to:
- APIs & Services -> Credentials
- Click Create Credentials -> OAuth Client ID
If prompted, configure the OAuth consent screen:
- Application Type: Web application
- App name: e.g., authentik
Add your domain under Authorized redirect URIs:
https://<authentik-domain>/source/oauth/callback/<slug-from-the-provider>/ (Note the trailing / at the end.)
The <slug-from-the-provider> will be created later in Step 2.
Save the configuration and note your:
- Client ID
- Client Secret
You’ll need both later in authentik.
Step 2 - Configure Google OAuth in authentik
Open your authentik dashboard.
Go to: Directory -> Federation and Social login
Click on Create.
Select Google OAuth Source.
Fill out the fields:
| Field | Value |
|---|---|
| Name | |
| Slug | google (this is the <slug-from-the-provider> used in the redirect URI in Step 1) |
| User matching mode | Use the user's email address, but deny enrollment [...] |
| Group matching mode | Link users on unique identifier |
| Protocol Settings > Consumer key | <your Google Client ID> |
| Protocol Settings > Consumer secret | <your Google Client Secret> |
| Protocol Settings > Scopes | openid email profile |
| Flow Settings > Authentication flow | default-source-authentication |
| Flow Settings > Enrollment flow | default-source-enrollment |
Click on Finish.
Step 3 - Create a Provider
Go to: Applications -> Providers
Click on Create.
Select OAuth2 / OpenID Provider. Click Next.
Fill out the fields:
| Field | Value |
|---|---|
| Provider Name | KubeAPI-Server |
| Slug | kubeapi-server |
| Protocol Settings > Client type | Decide if you want Confidential or Public |
| Protocol Settings > Redirect URIs/Origins | Insert your redirect URIs |
| Protocol Settings > Signing Key | Choose your own or authentik Self-signed Certificate |
| Advanced Flow Settings > Authentication flow | default-authentication-flow |
| Advanced Flow Settings > Invalidation flow | default-provider-invalidation-flow |
| Subject mode | Based on the User's Email |
| Include claims in id_token | yes |
Click on Finish.
Step 4 - Create an Application
Go to: Applications -> Applications
Click on Create.
Fill out the fields:
| Field | Value |
|---|---|
| Name | KubeAPI-Server |
| Slug | kubeapi-server |
| Provider | Select the previously created provider |
Click on Create.
Step 5 - Test
Now everything should be set up. Depending on the application you configured with OAuth, you need to initiate the authentication process from that application. In this example, we've used authentik to authenticate users for using the kubectl CLI locally to manage a remote Kubernetes cluster.
So in order to test our implementation, we simply execute:
kubectl get pods -A
The authentik login page opens with the Google logo at the bottom, allowing us to authenticate via Google OAuth and access the Kubernetes cluster with kubectl.
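The post does not show how kubectl is wired to the provider from Step 3, so the following is an added example (not from the original post). It assumes the kubelogin plugin (kubectl oidc-login), because the cache path ~/.kube/cache/oidc-login/ mentioned in the troubleshooting section belongs to that plugin, and it assumes authentik's convention of exposing an application's OIDC issuer under /application/o/<application-slug>/. The domain, client ID and client secret are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): render the kubectl and
# kube-apiserver side of the authentik OIDC setup. Assumes kubelogin
# (kubectl oidc-login) as the token plugin; all values are placeholders.

# authentik serves the OIDC issuer for an application under
# https://<authentik-domain>/application/o/<application-slug>/ (trailing slash included).
authentik_issuer_url() {
    printf 'https://%s/application/o/%s/\n' "$1" "$2"
}

# Render the kubeconfig "user" entry that delegates token acquisition to kubelogin.
# Output goes to stdout so it can be reviewed before being merged into ~/.kube/config.
render_oidc_user() {
    domain="$1"; app_slug="$2"; client_id="$3"; client_secret="$4"
    issuer=$(authentik_issuer_url "$domain" "$app_slug")
    cat <<EOF
users:
- name: authentik-oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=${issuer}
      - --oidc-client-id=${client_id}
      - --oidc-client-secret=${client_secret}
      - --oidc-extra-scope=email
EOF
}

# Matching kube-apiserver flags: the API server validates the id_token against the
# same issuer and client ID, and maps the "email" claim (the Subject mode chosen in
# Step 3) to the Kubernetes username.
apiserver_oidc_flags() {
    issuer=$(authentik_issuer_url "$1" "$2")
    printf '%s %s %s\n' \
        "--oidc-issuer-url=${issuer}" \
        "--oidc-client-id=$3" \
        "--oidc-username-claim=email"
}

# Demo with constructed values; the app slug "kubeapi-server" is the one from Step 4.
render_oidc_user auth.example.com kubeapi-server kubeapi-client-id REPLACE_WITH_CLIENT_SECRET
apiserver_oidc_flags auth.example.com kubeapi-server kubeapi-client-id
```

The client ID and secret come from the Provider created in Step 3 (a Confidential client type needs the secret; a Public client can omit the --oidc-client-secret line). Once the user entry is merged into the kubeconfig and the context points at it, the `kubectl get pods -A` call from Step 5 triggers the browser login.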
Troubleshooting
DNS
The DNS name of the authentik URL (<authentik-domain>) must be resolvable not only from the machine executing kubectl, but also from the machine running authentik. This might already be the case in your environment, but it is worth checking twice:
dig +short <authentik-domain>
10.0.130.240
If the command above does not show any IP address, the DNS name resolution does not work correctly.
Caching Issues
When testing, you might get errors like "401 Unauthorized" unexpectedly. If this happens, try removing the OIDC login cache:
rm -rf ~/.kube/cache/oidc-login/
Callback URIs
Check the callback URIs twice if authentication does not work. Sometimes the error message tells you which URI it expects and which one it received. A common mistake is the missing trailing /.
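Because the redirect URI from Step 1 and the Google source slug from Step 2 have to line up exactly, here is an added example (not from the original post) of a small shell check that builds the URI authentik expects and compares it with what was typed into the Google console, calling out the missing trailing slash specifically. The domain auth.example.com is a constructed placeholder; the slug "google" is the one used in Step 2.

```shell
#!/bin/sh
# Added example (not from the original post): build and validate the Google
# "Authorized redirect URI" for an authentik OAuth source. The domain below is a
# constructed placeholder; the slug "google" matches Step 2.

# Print the redirect URI authentik expects for a given domain and source slug.
# The trailing slash is part of the URI and must be present in the Google console.
authentik_callback_uri() {
    printf 'https://%s/source/oauth/callback/%s/\n' "$1" "$2"
}

# Compare a URI as typed into the Google console with the expected one.
# Returns 0 on an exact match, 1 otherwise, and prints the most likely cause.
check_callback_uri() {
    uri="$1"; domain="$2"; slug="$3"
    expected=$(authentik_callback_uri "$domain" "$slug")
    if [ "$uri" = "$expected" ]; then
        echo "ok: $uri"
        return 0
    fi
    case "$uri" in
        http://*)
            # Google only accepts https redirect URIs (see Prerequisites).
            echo "mismatch: scheme must be https, got $uri" ;;
        *)
            if [ "${uri}/" = "$expected" ]; then
                echo "mismatch: missing trailing / (expected $expected)"
            else
                echo "mismatch: expected $expected, got $uri"
            fi ;;
    esac
    return 1
}

# Demo with constructed values: one correct URI, one missing the trailing slash.
check_callback_uri "https://auth.example.com/source/oauth/callback/google/" auth.example.com google
check_callback_uri "https://auth.example.com/source/oauth/callback/google"  auth.example.com google || :
```

Run it with the domain and slug from your own setup; a non-zero exit code means the URI registered at Google will not match the one authentik sends, which is exactly the situation the error message described above reports.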
