Skip to main content

Log in with ZITADEL on Google Cloud with Workforce Identity Federation (OIDC)

This guide shows how to login users and assign roles with Workforce Identity Federation to Google Cloud.

It covers how to:

  • create and configure your application in ZITADEL
  • configure an Action to transform claims
  • create and configure the connection to Google Cloud with Workforce Identity Federation using OpenID Connect (OIDC)


  • existing ZITADEL Instance, if not present follow this guide
  • existing ZITADEL Organization, if not present follow this guide
  • existing ZITADEL project, if not present follow the first 3 steps here
  • prerequisites on Google Cloud side in the configuration guide.

We have to switch between ZITADEL and a Google Cloud. If the headings begin with "ZITADEL" switch to the ZITADEL Console and if the headings start with "Google Cloud" please refer to the configuration guide on Google Cloud.

Google Cloud: Configure

Follow the steps Before you begin, Required roles, and create a workforce identity pool (OIDC) in the in the configuration guide.

Before you create the workforce identity pool provider you should create your application in ZITADEL.

ZITADEL: Create the application

In your existing project:

First of all we create the application in your project.


Google Cloud requires just an ID Token as JWT including the described required and optional scopes.

Create a new application and click on "I'm a pro. Skip this wizard."

  • Application Type: Web
  • Grant Types: Implicit
  • Response Type: ID Token
  • Authentication Method: None

You need to add the redirect URL and configure token settings after creating the application.

Create application screen

ZITADEL: Redirect url

Redirect URL

After creating, go to the application settings "Redirect settings" and add the redirect url from Googles configuration guide. It looks something like

Save the settings.


Make sure to replace the WORKFORCE_POOL_ID and WORKFORCE_PROVIDER_ID with your values in the redirect url

ZITADEL: Token settings

Token settings

After creating, go to the application settings "Token settings" and configure as follows:

  • Auth Token Type: JWT
  • Add user roles to the access token: disabled (optional)
  • User roles inside ID Token: enabled
  • User Info inside ID Token: enabled

Save the settings.

ZITADEL: Custom claims

Go to your project and create roles according to the Groups in Google Cloud. Authorize a test user by assigning roles in ZITADEL.

Google Cloud expects some claims, including groups, in a specific format as described here. Claims can be transformed in ZITADEL with Actions.

Create an Action with the following code to flatten the roles and include the claim for the users' display name.


If you want to configure a special attribute mapping in the workforce identity pool provider, then adjust the claims accordingly.

function googleGroups(ctx, api) {
if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {

let grants = [];
ctx.v1.user.grants.grants.forEach(claim => {
claim.roles.forEach(role => {
})'google.groups', grants)'google.display_name', ctx.v1.getUser().human.displayName)

Action Code


Make sure that the name of the action matches the name of the function.

And add the the Action Script to the following Flow and Trigger:

  • Flow Type: Complement Token
  • Trigger Type: Pre access token creation
  • Actions: googleGroups

Action Flow

Google Cloud: Create a WIP provider

Complete the steps in the in the configuration guide with the ISSUER_URI and CLIENT_ID from ZITADEL.