Google SSO Provider

This section explains how to configure Google as an SSO provider in Localtonet and make it available for your HTTP tunnels.

The setup consists of two main parts:

  1. Creating OAuth credentials in Google Cloud

  2. Adding the Google provider to Localtonet


Step 1: Create OAuth Credentials in Google Cloud

Before adding Google as an SSO provider in Localtonet, you must create OAuth credentials in Google Cloud.

  1. Go to Google Cloud Console

  2. Create a new project or select an existing one.

  3. Navigate to: APIs & Services → Credentials

  4. Click Create Credentials → OAuth client ID

  5. If prompted, configure the OAuth consent screen:

    • User Type: External (recommended for most use cases)

    • Fill in required application details

    • Add scopes:

      • openid

      • email

      • profile

  6. Create an OAuth Client ID:

  7. Save the configuration and copy:

    • Client ID

    • Client Secret

You will use these values in the next step.


Step 2: Add Google Provider in Localtonet

  1. Open the SSO Providers setting on the HTTP Tunnel page.

  2. Click Add Provider

  3. Fill in the provider details:

    • Provider Name
      Any descriptive name (e.g. Google, Company Google Login)

    • Provider Type
      Select Google

    • Client ID
      Paste the Client ID from Google Cloud

    • Client Secret
      Paste the Client Secret from Google Cloud

  4. The following endpoints are pre-filled automatically for Google and should not be changed unless you have a specific reason:

    • Authorization Endpoint
      https://accounts.google.com/o/oauth2/v2/auth

    • Token Endpoint
      https://oauth2.googleapis.com/token

    • UserInfo Endpoint
      https://openidconnect.googleapis.com/v1/userinfo

    • Callback Path
      /auth/callback/google

  5. (Optional) Configure Allowed Email Domains

    • Enter one domain per line (e.g. company.com)

    • Only users with matching email domains will be allowed to authenticate

  6. Toggle Active to enable the provider.

  7. Click Save.



Your Google SSO provider is now available for use.
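
The Allowed Email Domains restriction in step 5 comes down to comparing the domain of the authenticated user's email against the configured list. The sketch below is an added illustration, not Localtonet's code: it assumes exact, case-insensitive domain matching, requires Google's email_verified claim to be true, and treats an empty list as no restriction; the function names and sample claims are constructed for the example.

```python
# Added illustration, not Localtonet's implementation. Assumptions: exact,
# case-insensitive domain match; an empty allowlist means no restriction.

def parse_allowed_domains(text):
    """Parse the one-domain-per-line setting into a normalized set."""
    domains = set()
    for line in text.splitlines():
        d = line.strip().lower().lstrip("@").rstrip(".")
        if d:
            domains.add(d)
    return domains

def email_domain(email):
    """Return the lowercased domain, or None if the address is malformed."""
    if not isinstance(email, str):
        return None
    addr = email.strip()
    local, sep, domain = addr.partition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain or "@" in domain or " " in addr:
        return None
    return domain

def is_allowed(claims, allowed):
    """Decide access from UserInfo claims (email, email_verified)."""
    if claims.get("email_verified") is not True:
        return False, "email not verified"
    domain = email_domain(claims.get("email"))
    if domain is None:
        return False, "malformed email"
    if not allowed:
        return True, "no domain restriction"
    # Exact comparison: suffix or substring matching would admit look-alikes
    # such as evilcompany.com or company.com.evil.example.
    if domain in allowed:
        return True, "domain allowed"
    return False, "domain not allowed"

ALLOWED = parse_allowed_domains("company.com\n  Example.ORG \n\n")
SAMPLES = [  # constructed UserInfo claims
    {"email": "alice@company.com", "email_verified": True},
    {"email": "Bob@COMPANY.com", "email_verified": True},
    {"email": "eve@evilcompany.com", "email_verified": True},
    {"email": "eve@company.com.evil.example", "email_verified": True},
    {"email": "eve@company.com@evil.example", "email_verified": True},
    {"email": "carol@company.com", "email_verified": False},
]

if __name__ == "__main__":
    for c in SAMPLES:
        print(c["email"], is_allowed(c, ALLOWED))
```

Under these assumptions a subdomain such as mail.company.com is rejected unless it is listed on its own line.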


Step 3: Enable Google SSO for an HTTP Tunnel

Adding a provider at account level does not automatically protect tunnels.
You must enable it per tunnel.

  1. Open the HTTP Tunnel Settings for the tunnel you want to protect.

  2. Navigate to SSO Providers → Manage.

  3. Enable SSO for this tunnel.

  4. Toggle Google to enable it for this tunnel.

  5. Configure optional tunnel-level restrictions:

    • SSO Path(s) – paths that require authentication

    • Logout Path – logout endpoint for the tunnel

    • Allowed Domains / Emails / Usernames – additional access restrictions

  6. Click Save Changes.




What Happens Next?

When a user accesses the tunnel URL:

  1. The request is intercepted by the Localtonet authentication layer.

  2. The user is redirected to Google for authentication.

  3. After successful login, the user is redirected back to the tunnel.

  4. Access is granted only if all provider and tunnel rules are satisfied.

Your local application remains unchanged and does not handle authentication.


Notes & Best Practices

  • Use domain restrictions for internal or company-only tools

  • Prefer Google SSO over Basic Auth for production environments

  • You can enable multiple SSO providers for the same tunnel

  • OAuth credentials can be rotated without affecting tunnel configuration