Configure Google Workspace SSO (OAuth 2)

This guide explains how to configure Single Sign-On (SSO) using Google Workspace (or personal Google accounts) via the OAuth 2.0 protocol.

SSO is available on the Baserow Advanced and Enterprise plans. You must have a valid license activated to configure these settings.

Overview

The Google SSO integration allows users to log in to Baserow using their Google credentials.

To set this up, you must create a project in the Google Cloud Console, configure a “Client” application, and verify the authorized redirect URIs.

Prerequisites

• Baserow: You must be an Instance Admin on a self-hosted plan.
• Google: You must have a Google Cloud account with permission to create projects.

Phase 1: Create a Google Cloud project

1. Log in to the Google Cloud Console.
2. Click the project dropdown in the top header and select New Project.
3. Project Name: Enter Baserow SSO (or similar).
4. Organization: Select your organization if applicable.
5. Click Create.

Phase 2: Configure OAuth consent screen

Before you can create credentials, you must configure the consent screen that users will see when they log in.

1. In the left sidebar, navigate to APIs & Services -> OAuth consent screen.
2. App Information:
   • App name: Baserow
   • User support email: Select your email.
3. Audience:
   • Internal: Select this if you only want users within your Google Workspace organization to log in.
   • External: Select this if you want to allow personal Gmail accounts or users from other organizations.
4. Contact information: Enter your email for Google to notify you about any changes to your project.
5. Click Create.
6. Click Save and Continue through the “Scopes” and “Test Users” sections (defaults are usually sufficient for basic login).

Phase 3: Create OAuth credentials

After you configure the OAuth consent screen with information about your application, generate the keys Baserow needs to talk to Google.

1. In the sidebar, go to APIs & Services -> Credentials.
2. Click + Create Credentials and select OAuth client ID. A client ID is used to identify a single app to Google’s OAuth servers. If your app runs on multiple platforms, each will need its own client ID.
3. Application Type: Select Web application.
4. Name: Enter Baserow Web Client.
5. Authorized Redirect URIs:
   • You need the Callback URL from Baserow.
   • Open a new tab: Go to Baserow Admin tools -> Authentication -> + Add Provider -> Google.
   • Copy the Callback URL displayed in the modal (e.g., https://baserow.yourdomain.com/api/sso/oauth2/callback).
   • Return to Google: Paste this URL into the “Authorized redirect URIs” field.
6. Click Create.

Learn more: Get Callback URL from Baserow

Phase 4: Connect Google to Baserow

Google will now display your credentials.

1. Copy the Client ID.
2. Copy the Client Secret.
3. Return to Baserow:
   • In the Add Google Provider modal.
   • Name: Enter Google.
   • Client ID: Paste the Client ID.
   • Secret: Paste the Client Secret.
4. Click Save.

Troubleshooting & common issues

Error 400: redirect_uri_mismatch

This is the most common error. It means the URL in your browser address bar does not exactly match the URL you pasted into Google’s “Authorized redirect URIs” field.

• Check Protocol: Did you use http:// instead of https://?
• Check Port: If your Baserow runs on a port (e.g., :8000), it must be included in the URI.
• Check Trailing Slash: Ensure you copied the exact URL provided by the Baserow modal.

Frequently Asked Questions (FAQ)

Can I limit login to my specific company domain?

If you selected “Internal” user type in Configure OAuth consent screen, only users in your Workspace can log in. However, if you selected “External,” any Google user could potentially log in. To restrict this, we recommend disabling “Allow creating new accounts” in the Admin Settings so that only invited users can join.

Can I map Google Workspace Groups to Baserow Roles?

Not currently. Baserow supports Just-In-Time (JIT) provisioning, creating the user account immediately upon login. However, it does not sync Google Group memberships to assign Baserow roles (e.g., Admin vs. Editor). You must manually assign roles in Baserow after the user logs in.

Related content

• SSO Overview
• Enable SSO in the Admin Panel
• Configure Azure AD SSO

---

Still need help? If you’re looking for something else, please feel free to make recommendations or ask us questions; we’re ready to assist you.

• Ask the Baserow community

• Contact support for questions about Baserow or help with your account.