TapTallyTapTally
HomeUser GuideDeploymentArchitectureSourcesAdvanced
GitHub

Configure Google SSO

Let users sign in with Google — create OAuth credentials and point TapTally at them.

TapTally supports Sign in with Google alongside email/password login. Enabling it is a backend configuration change: you create an OAuth Client ID in Google Cloud and set it on the backend. Nothing secret is stored, and the frontend needs no rebuild — it discovers the setting at runtime.

How it works: the login screen shows a Google button that returns a signed ID token; the backend verifies that token against Google's public keys (checking the audience matches your client ID) and then issues the usual TapTally session. A Google client secret is not required.

1. Create Google OAuth credentials

In the Google Cloud Console:

  1. Create (or select) a project.
  2. Open APIs & Services → OAuth consent screen and configure it. Choose External for a public deployment, or Internal to restrict sign-in to your Google Workspace org.
  3. Open APIs & Services → Credentials → Create Credentials → OAuth client ID.
  4. Choose application type Web application.
  5. Under Authorized JavaScript origins, add the origin(s) where the TapTally frontend is served — for example http://localhost:5173 for local development and https://taptally.example.com for production. (No redirect URI is needed for the sign-in button.)
  6. Create the client and copy the Client ID (it ends in .apps.googleusercontent.com).

Add every origin your frontend is served from. Google rejects the sign-in attempt if the page origin is not in this list.

2. Configure the backend

Set the Client ID on the backend. Any value can be provided as a TAPTALLY_-prefixed environment variable (Secret) or in config.yaml (ConfigMap).

Parameter Description Default
config.google_client_id Google OAuth Web Client ID. Enables Google SSO when set. ""
config.google_allowed_domains Optional email-domain allowlist (comma-separated). Empty = allow all. ""

Environment variable form:

TAPTALLY_GOOGLE_CLIENT_ID=1234567890-abcdef.apps.googleusercontent.com
# Optional — restrict to one or more email domains:
TAPTALLY_GOOGLE_ALLOWED_DOMAINS=example.com,example.org

config.yaml form:

google_client_id: "1234567890-abcdef.apps.googleusercontent.com"
# Optional email-domain allowlist (empty = allow any Google account):
google_allowed_domains:
  - example.com
  - example.org

Restart the backend after changing the value.

3. Verify

  • Call the public config endpoint — it should report SSO as enabled:

    curl https://api.taptally.example.com/v1/auth/config
    # {"google_enabled": true, "google_client_id": "…apps.googleusercontent.com"}
  • Open the login screen: a Sign in with Google button now appears under the email/password form. Completing Google sign-in logs you straight into the dashboard.

Provisioning and account linking

  • The first time someone signs in with a Google-verified email, TapTally creates an account automatically.
  • If an account with that email already exists (for example a password account), Google sign-in links to it rather than creating a duplicate.
  • With google_allowed_domains set, only emails in the listed domains may sign in; everyone else is rejected.

Security notes

  • The Google ID token is verified server-side against Google's public keys, with the audience pinned to your google_client_id — a token minted for another app is rejected.
  • Only Google accounts whose email is verified are accepted.
  • No client secret is stored, and the client ID returned by /v1/auth/config is public by design (it is part of the OAuth flow).
  • Use google_allowed_domains to limit sign-in to your organization's domains.
  • Leaving google_client_id empty disables Google SSO entirely; email/password login is unaffected.

Found an issue in the docs? Open an issue on GitHub.

TapTally — You tap, we tally. Free & self-hosted · GPLv3

GitHubDocker HubSupport