
OAuth & Dex

The Google OAuth client used by Argo CD's Dex (and by Grafana's auth-proxy flow) is provisioned manually in the GCP Console. The credentials are stored in GCP Secret Manager and pulled into the argocd and monitoring namespaces by External Secrets Operator.

Why manual, not Terraform

The google_iap_brand and google_iap_client Terraform resources were deprecated by Google. The underlying IAP OAuth Admin APIs stop accepting new client creation on Jan 19, 2026 and are fully shut down on Mar 19, 2026. We removed oauth.tf in favor of console-driven OAuth client setup. The client ID and secret are still stored in GCP SM (tomoda-google-client-id, tomoda-google-client-secret) and synced to K8s via ESO; only the creation step is now manual.

Flow

flowchart LR
    Operator([Operator]) -->|1\. create in console| Client[OAuth Client<br/>web app]
    Client -->|2\. copy ID + secret| SM[(GCP Secret Manager<br/>tomoda-google-client-id<br/>tomoda-google-client-secret)]
    SM -->|3\. ESO sync| K8sArgocd[K8s secret<br/>google-oauth-credentials<br/>in argocd ns]
    SM -->|3\. ESO sync| K8sMon[K8s secret<br/>google-oauth-credentials<br/>in monitoring ns]
    K8sArgocd --> Dex[Argo CD Dex]
    K8sMon --> Grafana[Grafana auth-proxy]

Provisioning

For step-by-step instructions including consent screen setup, authorized redirect URIs, and the gcloud commands to store the values in Secret Manager, see Security → Secrets Management → Provisioning the Google OAuth client.

Short version:

  1. GCP Console → APIs & Services → OAuth consent screen → configure (Internal user type, tomoda.life Workspace).
  2. APIs & Services → Credentials → Create credentials → OAuth client ID (Web application).
  3. Add authorized redirect URIs: https://argo-app.tomoda.life/api/dex/callback and https://auth.tomoda.life/oauth2/callback.
  4. Copy the resulting client ID and client secret to GCP Secret Manager as tomoda-google-client-id and tomoda-google-client-secret.
  5. ESO projects them into both namespaces via the ExternalSecret resources in k8s/envs/dev/sys/manifests/external-secrets-config.yaml.

Domain restriction

Google's OAuth client itself accepts any Google account; the tomoda.life restriction is enforced by:

  1. Dex's hostedDomains: ["tomoda.life"] in the Argo CD Helm values (argocd.tf).
  2. oauth2-proxy's --email-domain=tomoda.life flag (k8s/envs/dev/sys/oauth2-proxy/values.yaml).

Both layers must hold. Don't rely on either one alone.
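As an added illustration of steps 4 and 5 above and of the first domain-restriction layer, the following manifests show what the ESO projection into the argocd namespace and the Dex Google connector look like when wired together. This is example YAML written for this page, not the project's external-secrets-config.yaml or argocd.tf; it assumes a ClusterSecretStore named gcp-secret-manager already exists and uses Argo CD's $<secret-name>:<key> reference syntax for the Dex client credentials.

```yaml
# Illustrative manifests (not the project's own files). Assumes a
# ClusterSecretStore named "gcp-secret-manager" backed by GCP Secret Manager.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: google-oauth-credentials
  namespace: argocd
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-secret-manager   # assumed store name
  target:
    name: google-oauth-credentials
    template:
      metadata:
        labels:
          # Argo CD only resolves $<secret>:<key> references from secrets
          # carrying this label.
          app.kubernetes.io/part-of: argocd
  data:
    - secretKey: clientID
      remoteRef:
        key: tomoda-google-client-id        # GCP SM entry from step 4
    - secretKey: clientSecret
      remoteRef:
        key: tomoda-google-client-secret    # GCP SM entry from step 4
---
# Dex connector as it would appear in argocd-cm (dex.config). hostedDomains
# is the first of the two domain-restriction layers; oauth2-proxy's
# --email-domain flag is the second and is configured separately.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  dex.config: |
    connectors:
      - type: google
        id: google
        name: Google
        config:
          clientID: $google-oauth-credentials:clientID
          clientSecret: $google-oauth-credentials:clientSecret
          redirectURI: https://argo-app.tomoda.life/api/dex/callback
          hostedDomains:
            - tomoda.life
```

The monitoring-namespace ExternalSecret is the same resource with `namespace: monitoring` and without the Argo CD label, since Grafana's oauth2-proxy reads the secret directly.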

What about the other OAuth clients?

The three environment-specific Google OAuth clients used by the mobile and web frontends (web, iOS, Android) are separate — created manually in the same console flow and their IDs hard-coded into Cloud Build substitutions. See Cloud Build for how they're injected into the frontend bundle, and Secrets Management for the per-client GCP SM entries (tomoda-google-android-client-id, tomoda-google-ios-client-id).