<% creds = Wabosign.google_sso_credentials %>
<% value = @encrypted_config.value || {} %>
<% callback_uri =
begin
"#{root_url}auth/google_oauth2/callback"
rescue StandardError
'/auth/google_oauth2/callback'
end %>
<% if creds[:source] == :env %>
<%= svg_icon('info_circle', class: 'w-6 h-6') %>
Google SSO is configured via environment variables
GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET are set on the running process, so ENV-driven configuration is in effect. ENV always takes precedence over anything saved on this page. Unset the env vars (and restart) to switch to the values configured here.
<% if creds[:allowed_domains].any? %>
Allowed Workspace domain<%= 's' if creds[:allowed_domains].size > 1 %>: <%= creds[:allowed_domains].join(', ') %>.
<% else %>
Warning: no domain allowlist is set. Any Google account can sign in.
<% end %>
<% else %>
<%= svg_icon('info_circle', class: 'w-6 h-6') %>
Google SSO is not configured
Fill in your Google Cloud OAuth client details below. The OAuth redirect URI to register in Google Cloud Console is
<%= callback_uri %>.
<% end %>
<%= form_for @encrypted_config, url: settings_sso_index_path, method: :post, html: { autocomplete: 'off', class: 'space-y-4' } do |f| %>
<%= f.fields_for :value do |ff| %>
<%= ff.label :client_secret, 'Client Secret', class: 'label' %>
<%= ff.password_field :client_secret, class: 'base-input', placeholder: value['client_secret'].present? ? '*************' : 'GOCSPX-…' %>
<% if value['client_secret'].present? %>
Leave blank to keep the saved secret.
<% end %>
<%= ff.label :allowed_domains_csv, 'Allowed Workspace Domains', class: 'label' %>
<%= ff.text_field :allowed_domains_csv, value: Array(value['allowed_domains']).join(', '), class: 'base-input', placeholder: 'wabo.cc, partner.example' %>
Comma-separated. Only Google accounts whose Workspace hd claim matches one of these domains can sign in. Leave blank to allow any Google account (not recommended).
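<%#
Added example, not part of the Wabosign code base: one way the sign-in callback could enforce the allowlist that the help text above describes. The module and method names and the sample claims are hypothetical; `claims` is assumed to be the already-verified ID-token claims as a Hash with string keys.

```ruby
# Added example: hypothetical helper, not the project's own code.
module SsoDomainAllowlist
  module_function

  # Turn the "Allowed Workspace Domains" field into a normalized list:
  # entries are trimmed, lowercased, blanks dropped, duplicates removed.
  def parse_csv(csv)
    csv.to_s.split(',').map { |d| d.strip.downcase }
       .reject(&:empty?).uniq
  end

  # claims: verified ID-token claims (assumption: Hash with string keys).
  # Returns [allowed, reason] so the caller can log why a sign-in was refused.
  def check(claims, allowed_domains)
    # Blank allowlist is the "any Google account" mode from the help text.
    return [true, :no_allowlist] if allowed_domains.empty?

    hd = claims['hd']
    # Accounts outside a Workspace organization carry no hd claim. Do not fall
    # back to the e-mail suffix: it does not assert Workspace membership.
    return [false, :missing_hd] unless hd.is_a?(String) && !hd.empty?

    # Exact, case-insensitive match only; no suffix or substring matching.
    if allowed_domains.include?(hd.downcase)
      [true, :hd_match]
    else
      [false, :hd_not_allowed]
    end
  end
end

# Constructed sample input (not real accounts).
ALLOWED = SsoDomainAllowlist.parse_csv(' Wabo.cc, partner.example ,, wabo.cc')
SAMPLES = [
  { 'email' => 'ann@wabo.cc', 'hd' => 'WABO.cc' },               # Workspace user
  { 'email' => 'bob@gmail.com' },                                # consumer account
  { 'email' => 'eve@wabo.cc.other.example', 'hd' => 'wabo.cc.other.example' },
  { 'email' => 'mal@wabo.cc' }                                   # right suffix, no hd
].freeze

SAMPLES.each do |claims|
  puts "#{claims['email']}: #{SsoDomainAllowlist.check(claims, ALLOWED).inspect}"
end
```
%>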