@workos/mcp-docs-server 0.1.0 → 0.2.0

package/.docs/organized/docs/integrations/google-oauth.mdx

@@ -1,6 +1,6 @@
 ---
 title: Google OAuth
-description: "Learn how to set up OAuth with Google\_Workspace."
+description: Learn how to set up OAuth with Google Workspace
 icon: google
 breadcrumb:
   title: Integrations
@@ -10,155 +10,172 @@ originalPath: .tmp-workos-clone/packages/docs/content/integrations/google-oauth.
 
 ## Introduction
 
-To configure your global Google OAuth setup, you’ll need three pieces of information: a [Redirect URI](/glossary/redirect-uri), a Google Client ID, and a Google Client Secret.
+The Google OAuth integration allows your users to authenticate using their Google Workspace credentials.
+
+The configuration process involves obtaining client credentials from your Google Cloud Platform Console and configuring them in the WorkOS Dashboard.
 
 ---
 
-## What WorkOS provides
+## Testing with default credentials in the staging environment
 
-WorkOS provides the Redirect URI, an allowlisted callback URL. It indicates the location to return an authorized user to after both an authorization code is granted, and the authentication process is complete.
+WorkOS provides a default Google Client ID and Client Secret combination, which allows you to quickly enable and test Google OAuth. Use the [WorkOS API to initiate SSO](/sso/1-add-sso-to-your-app/add-an-endpoint-to-initiate-sso), setting the `provider` parameter to `GoogleOAuth`, and WorkOS will automatically use the default credentials until you add your own Google Client ID and Client Secret to the configuration in the WorkOS Dashboard.
 
-Open your [WorkOS Dashboard](https://dashboard.workos.com) and browse to the “Configuration” tab on the left hand nav bar. Scroll down to the “Google OAuth” section and you’ll see the Redirect URI as well as the fields you’ll populate later with information from Google.
+> The default credentials are only intended for testing and therefore only available in the Staging environment. For your production environment, please follow the steps below to create and specify your own Google Client ID and Client Secret.
 
-![A screenshot showing the Google OAuth Redirect URI in the WorkOS Dashboard.](https://images.workoscdn.com/images/9fe79e6c-90eb-4db1-890c-bf563d7d55c2.png?auto=format&fit=clip&q=50)
+Please note that when you are using WorkOS default credentials, Google's authentication flow will display WorkOS' name, logo, and other information to users. Once you register your own application and use its Google Client ID and Client Secret for the OAuth flow, you will have the opportunity to customize the app, including its name, logo, contact email, etc.
 
 ---
 
-## Testing with default credentials in the Staging environment
+## What WorkOS provides
 
-WorkOS provides a default Google Client ID/Google Client Secret combination, which allows you to quickly enable and test Google OAuth. Use the [WorkOS API to initiate SSO](/sso/1-add-sso-to-your-app/add-an-endpoint-to-initiate-sso), setting the `provider` parameter to `GoogleOAuth`, and WorkOS will automatically use the default credentials, until you add your own Google Client ID and Google Client Secret to the Configuration in the WorkOS Dashboard.
+When setting up Google OAuth, WorkOS provides one key piece of information that needs to be configured in your Google Cloud Platform project:
 
-> The default credentials are only intended for testing and therefore only available in the Staging environment. For your production environment, please follow the steps below to create and specify your own Google Client ID and Google Client Secret.
+- [Redirect URI](/glossary/redirect-uri): The endpoint where Google will send authentication responses after successful login
 
-Please note that when you are using WorkOS default credentials, Google's authentication flow will display WorkOS' name, logo, and other information to users. Once you register your own application and use its Google Client ID and Google Client Secret for the OAuth flow, you will have the opportunity to customize the app, including its name, logo, contact email, etc.
+The Redirect URI is available in the [WorkOS Dashboard](https://dashboard.workos.com/). In the left navigation menu, select the **Authentication** tab and the **OAuth providers** sub-tab. Locate the **Google** section.
 
----
+![Open the Google configuration dialog](https://images.workoscdn.com/images/1e400f3e-1885-481f-8840-4a3a9f8c7f97.png?auto=format&fit=clip&q=50)
 
-## What you’ll need
+Click **Manage**. The **Google OAuth** configuration dialog will open. Locate the **Redirect URI**.
 
-In order to integrate you’ll need the Google Client ID and the Google Client Secret.
+![Google OAuth Redirect URI in the WorkOS Dashboard.](https://images.workoscdn.com/images/020273f1-d216-4aca-8ddd-8963accd7517.png?auto=format&fit=clip&q=50)
 
-These are a pair of credentials provided by Google that you’ll use to authenticate your application via Google’s OAuth protocol. To obtain them:
+The **Redirect URI** serves as the destination for authentication responses and must be configured in your Google Cloud Platform project as an authorized redirect URI.
 
 ---
 
-### (1) Log in
+## What you'll need
 
-Log in to the [Google Cloud Platform Console Dashboard](https://console.cloud.google.com/). Select your application’s project from the project selection dropdown menu in the navigation bar.
+You will need to obtain two pieces of information from a Google Cloud Platform project:
 
-![A screenshot showing how to select your application in the Google Cloud Platform Console Dashboard.](https://images.workoscdn.com/images/437771ef-5993-4d40-b9e5-1b083564a09f.png?auto=format&fit=clip&q=50)
+- **Google Client ID**: Application identifier from Google Cloud Platform
+- **Google Client Secret**: Authentication secret for the application
 
----
+The following sections will guide you through generating these credentials in your Google Cloud Platform Console.
 
-### (2) Select your application
+---
 
-Select “APIs & Services”, then “OAuth Consent Screen” in the left-hand navigation menu.
+## (1) Access Google Cloud Platform Console
 
-![A screenshot showing where to find the "OAuth Consent Screen" option in the Google Cloud Platform Console Dashboard.](https://images.workoscdn.com/images/73f1dda5-aab0-45f0-b466-0659929e50e1.png?auto=format&fit=clip&q=50)
+Sign in to the [Google Cloud Platform Console Dashboard](https://console.cloud.google.com/) and select your application's project from the project selection dropdown menu in the navigation bar.
 
-Select “Edit App”.
+![How to select your application in the Google Cloud Platform Console Dashboard.](https://images.workoscdn.com/images/45adf7cf-78e0-4c5a-a6c1-7b3eee62c723.png?auto=format&fit=clip&q=50)
 
-![A screenshot showing where "Edit App" is located in the Google Cloud Platform Console Dashboard.](https://images.workoscdn.com/images/4c3ab3ab-06dd-42c6-9f57-ab7ca2de5ae6.png?auto=format&fit=clip&q=50)
+---
 
-Add `workos.com` to your list of “Authorized domains”, and select “Save”.
+## (2) Configure OAuth consent screen
 
-![A screenshot showing where to enter workos.com as an "Authorized domain" in the Google Cloud Platform Console Dashboard.](https://images.workoscdn.com/images/a07ffb8b-66fb-42e5-bd35-3587e07f6f04.png?auto=format&fit=clip&q=50)
+In the left navigation menu, select **APIs & Services** and then **OAuth Consent Screen**.
 
----
+![Where to find the OAuth Consent Screen option in the Google Cloud Platform Console Dashboard.](https://images.workoscdn.com/images/c37375e2-6ef2-41ba-9b65-a125501bfd5a.png?auto=format&fit=clip&q=50)
 
-### (3) Enter Setup Instructions
+Now within the **Google Auth Platform**, in the left navigation menu, select **Clients**. Click **Create client**.
 
-Select “Credentials” in the left-hand menu. Then select “OAuth client ID” from the “Create Credentials” dropdown menu.
+![How to create a new client in the Google Cloud Platform Console Dashboard.](https://images.workoscdn.com/images/c5ffe36c-e471-4b27-a6b9-936d26837e93.png?auto=format&fit=clip&q=50)
 
-![A screenshot showing where to find the "OAuth client ID" option in the Google Cloud Platform Console Dashboard.](https://images.workoscdn.com/images/162e9d0f-c681-43b0-89ad-a9f8a8590119.png?auto=format&fit=clip&q=50)
+In the **Application type** dropdown, select **Web application**. Provide an appropriate name for your OAuth client ID.
 
-Then, give your OAuth client ID a name, and add the Redirect URI provided by WorkOS to the list of “Authorized redirect URIs”.
+> As a best practice, your OAuth client ID's name should be different from your application's name. It will not be shown to end users.
 
-> As a best practice, your OAuth client ID’s name should be different from your application’s name. It will not be shown to end users.
+Under the **Authorized redirect URIs** section, click **Add URI**. Add the **Redirect URI** from the WorkOS Dashboard.
 
-![A screenshot showing where to enter your WorkOS Redirect URI in the Google Cloud Platform Console Dashboard.](https://images.workoscdn.com/images/2c5d171b-affe-419a-9bb1-0ca30bb36df0.png?auto=format&fit=clip&q=50)
+![Where to enter your WorkOS Redirect URI in the Google Cloud Platform Console Dashboard.](https://images.workoscdn.com/images/e18673f7-e490-46a7-ad0c-f71d5ddcb08a.png?auto=format&fit=clip&q=50)
 
-Click “Create” and you’ll be presented with your application’s Client ID and Client Secret.
+Scroll down and click **Create**. It may take up to 5 minutes, but once your OAuth client is created, you'll be presented with your application's client ID and client secret. Be sure to copy these values as they may not be available after closing the dialog.
 
-![A screenshot showing the Client ID and Client Secret in the Google Cloud Platform Console Dashboard.](https://images.workoscdn.com/images/5e2962f0-f73a-4319-8bfd-e7685bcff67e.png?auto=format&fit=clip&q=50)
+![The client ID and client secret in the Google Cloud Platform Console Dashboard.](https://images.workoscdn.com/images/13a05048-c45c-43c5-9d56-39faf53ab479.png?auto=format&fit=clip&q=50)
 
 ---
 
-### (4) Obtain Identity Provider Details
+## (3) Configure Google credentials in WorkOS
 
-Add your Google Client ID and Google Client Secret to their respective fields in your Google Settings in the Configuration section of the WorkOS Dashboard.
+Now that you have the **Google Client ID** and **Google Client Secret** from the previous step return to the [WorkOS Dashboard](https://dashboard.workos.com).
 
-![A screenshot showing where to enter the Google Client ID and Google Client Secret in the WorkOS Dashboard.](https://images.workoscdn.com/images/d394c1b7-5ead-49bc-977f-5459b73c613a.png?auto=format&fit=clip&q=50)
+In the **Google OAuth** configuration dialog, select **Your app's credentials**. Paste the credentials from Google into their respective fields in the WorkOS Dashboard.
 
-Select “Save Google OAuth” and you’ll almost be ready to go.
+![Where to enter the Google Client ID and Google Client Secret in the WorkOS Dashboard.](https://images.workoscdn.com/images/6c209570-926d-49bf-9189-0e2f705e70ee.png?auto=format&fit=clip&q=50)
+
+Click **Save** to complete the configuration.
 
 ---
 
-### (5) Publish your Google OAuth application
+## (4) Publish the Google OAuth application
 
-Back in the “OAuth consent screen”, be sure that your app is “In production”. If it is still in testing mode you’ll likely get an “Access Blocked” error when attempting to log into your app.
+In the left navigation menu of the Google Cloud Platform Console, select the **Audience** tab. If your application is not **In production**, click **Publish app**. In the **Push to Production?** dialog that opens, click **Confirm**. If your application is still in testing mode, users will likely get an "Access Blocked" error when attempting to log into your app.
 
-![A screenshot showing the publishing status of your Google OAuth application](https://images.workoscdn.com/images/6eecff2b-92a0-42f1-bf54-4d8ce8ae6f3a.png?auto=format&fit=clip&q=50)
+![The publishing status of your Google OAuth application](https://images.workoscdn.com/images/564bc12f-0abb-4866-8a48-eb9451b851fb.png?auto=format&fit=clip&q=50)
 
-After that, you’re now able to authenticate users with Google OAuth. You will use the `provider` query parameter in the Get Authorization URL API endpoint to support global Google OAuth for any domain. The `provider` query parameter should be set to `GoogleOAuth`.
+After that, you're now able to authenticate users with Google OAuth. You will use the `provider` query parameter in the Get Authorization URL API endpoint to support global Google OAuth for any domain. The `provider` query parameter should be set to `GoogleOAuth`.
 
 ---
 
-## Customize Google OAuth Domain
+## Customize Google OAuth Domain (Optional)
 
-Optional process that requires access to your Google Cloud Console and your domain’s DNS settings.
+This optional process requires access to your Google Cloud Console and your domain's DNS settings.
 
-After implementing the steps above, you’ll notice that the Google OAuth sign in form displays “Choose an account to continue to workos.com”. This is based on the Authorized Redirect URI in Google. To set this to a domain other than workos.com, Google will ask for proof of ownership of your domain. To help guide you through this process we have a self-service flow.
+After implementing the steps above, you'll notice that the Google OAuth sign in form displays "Choose an account to continue to workos.com". This is based on the Authorized Redirect URI in Google. To set this to a domain other than workos.com, Google will ask for proof of ownership of your domain. To help guide you through this process we have a self-service flow.
 
----
+### (1) Add your custom Google OAuth domain
 
-### (1) Add Your Custom Google OAuth Domain
+In the **Authentication** tab of the WorkOS Dashboard, find the **Google OAuth** section. Depending on which WorkOS products have been enabled, the **Google OAuth** section may be under the **Methods** or **OAuth providers** sub-tabs in the left navigation menu.
 
-In the Configuration tab of the WorkOS Dashboard, find the Google OAuth section and click on “Setup Custom Domain”.
+Click **Setup Custom Domain**.
 
-> Note: This button will only appear if your environment has a valid Google OAuth configuration and has not already setup a custom domain.
+> Note: This button will only appear if your environment has a valid Google OAuth configuration and a custom domain has not already been configured.
 
-![A screenshot showing where to find the "Set Up Custom Domain" button in the WorkOS Dashboard. ](https://images.workoscdn.com/images/589f78f2-96d8-4330-b3a1-42796d7b4441.png?auto=format&fit=clip&q=50)
+![Where to find the Set Up Custom Domain button in the WorkOS Dashboard.](https://images.workoscdn.com/images/9ba10d03-c0af-41e6-b090-884ba1cddca4.png?auto=format&fit=clip&q=50)
 
-Under “Add Custom Domain”, input the domain that you wish to use in place of `auth.workos.com`. This is often a subdomain such as `auth.example.com`. Click on “Set Domain”.
+Under **Add Custom Domain**, input the domain that you wish to use in place of `auth.workos.com`. This is often a subdomain such as `auth.example.com`. Click on **Set Domain**.
 
-![A screenshot showing where to add a custom domain in the WorkOS Dashboard.](https://images.workoscdn.com/images/0d4419da-778f-4f26-8c01-f66ce9c9cd33.png?auto=format&fit=clip&q=50)
+![Where to add a custom domain in the WorkOS Dashboard.](https://images.workoscdn.com/images/d233701c-74c5-4a42-a063-9eaa680dc7c9.png?auto=format&fit=clip&q=50)
 
----
+### (2) Add CNAME target
 
-### (2) Add CNAME Target
+Add a new CNAME target inside your domain's DNS settings. Set the host to match the domain you set in the previous step and set the value to `cname.workosdns.com`.
 
-Add a new CNAME target inside your domain’s DNS settings. Set the host to match the domain you set in the previous step and set the value to `cname.workosdns.com`.
+Once the above is complete, click **Verify DNS**. This verification often takes less than a minute, but is dependent on how long your DNS record takes to propagate. The page will continue polling to check the status of your verification until it is successful.
 
-Once the above is complete, click on “Verify DNS”. This verification often takes less than a minute, but is dependent on how long your DNS record takes to propagate. The page will continue polling to check the status of your verification until it is successful.
+![The CNAME target of cname.workosdns.com in the WorkOS Dashboard.](https://images.workoscdn.com/images/feebf1a1-1f42-4c0b-b1fc-67d37745b948.png?auto=format&fit=clip&q=50)
 
-![A screenshot showing the CNAME target of cname.workosdns.com in the WorkOS Dashboard.](https://images.workoscdn.com/images/92bb6e81-aaa2-46e2-9a11-73291d7e5e4f.png?auto=format&fit=clip&q=50)
+### (3) Add new redirect URI to Google
 
----
+Once the DNS has been successfully verified, WorkOS will provide a URI starting with your subdomain in the **Add redirect URI to Google** section. Click on the clipboard icon to copy the URL.
+
+![The clipboard icon in the WorkOS Dashboard.](https://images.workoscdn.com/images/95060659-da91-40d8-849b-9718ef7b00fc.png?auto=format&fit=clip&q=50)
+
+In the Google Cloud Platform Console, under your project's **APIs & Services** → **Clients** section, add the URL copied above in the **Authorized redirect URIs** section. To ensure your Google OAuth integration continues to work without any gaps in service, leave your existing redirect URI in place for now.
+
+![Where to enter the redirect URI in the Google Cloud Platform Console.](https://images.workoscdn.com/images/548b4e3e-164e-4358-ab1d-58c5d3071731.png?auto=format&fit=clip&q=50)
 
-### (3) Add New Redirect URI to Google
+### (4) Test Google redirect URI
 
-Once the DNS has been successfully verified, we will provide a URI starting with your subdomain in the “Add redirect URI to Google” section. Click on the clipboard icon to copy the URL.
+Once the URL has been added and saved on the Google side, navigate back to the WorkOS Dashboard and click on **Test Google Redirect URI**.
 
-![A screenshot showing the clipboard icon in the WorkOS Dashboard.](https://images.workoscdn.com/images/0f9d922e-6b29-4f9f-b30a-ebceafcc785b.png?auto=format&fit=clip&q=50)
+![The Test Google Redirect URI button in the WorkOS Dashboard.](https://images.workoscdn.com/images/1e191eb9-a316-407e-ae63-69be88ac3665.png?auto=format&fit=clip&q=50)
 
-In your Google Cloud Platform dashboard under your project’s “APIs & Services” → “Credentials” section, add the URL copied above under “Authorized redirect URIs”. To ensure your Google OAuth integration continues to work without any gaps in service, leave your existing Redirect URI in place for now.
+If the test is successful, you will see a **Successfully tested** message displayed. Click **Save custom Google OAuth settings**.
 
-![A screenshot showing where to enter the redirect URI in the Google Cloud Platform Console.](https://images.workoscdn.com/images/119c14f3-0ad7-4137-af15-d33dbb891bcb.png?auto=format&fit=clip&q=50)
+Once these updates have been saved, test out your Google OAuth sign in flow to ensure everything is working properly and your domain is displayed on the form. If everything is looking good, it is safe to remove the old `auth.workos.com` URL from your Google Authorized redirect URIs, and `workos.com` from your Google Authorized domains.
 
 ---
 
-### (4) Test Google Redirect URI
+## Configure Additional OAuth Scopes (Optional)
 
-Once the URL has been added and saved on the Google side, navigate back to the WorkOS Dashboard and click on “Test Google Redirect URI”.
+WorkOS will request the OAuth scopes that are required for authentication by default. You can optionally configure your integration to request additional OAuth scopes as needed.
 
-![A screenshot showing the "Test Google Redirect URI" button in the WorkOS Dashboard.](https://images.workoscdn.com/images/55e89618-c999-4d12-877b-aba1d150d865.png?auto=format&fit=clip&q=50)
+When the **Return Google OAuth tokens** option is selected, the access token and refresh token from Google will be included in the response from the [Authenticate with code API](/reference/authkit/authentication/code).
 
-If the test is successful, you will see a “Successfully tested” message displayed. You will also now be able to click “Save custom Google OAuth settings” to save your new Google OAuth configuration.
+![A screenshot showing Google OAuth scopes configuration in the WorkOS Dashboard](https://images.workoscdn.com/images/53f64aa3-fbd1-4371-9fba-2e2ff9eb0823.png?auto=format&fit=clip&q=50)
 
-![A screenshot showing the "Save custom Google OAuth settings" button in the WorkOS Dashboard.](https://images.workoscdn.com/images/0bffba7d-efc9-41ee-abba-a405cb71f548.png?auto=format&fit=clip&q=50)
+Any scopes configured here will be included on every Google OAuth request. To specify additional scopes dynamically, use the `provider_scopes` query parameter on the [Get Authorization URL API endpoint](/reference/authkit/authentication/get-authorization-url).
 
-Once these updates have been saved, test out your Google OAuth sign in flow to ensure everything is working properly and your domain is displayed on the form. If everything is looking good, it is safe to remove the old `auth.workos.com` URL from your Google Authorized redirect URIs, and `workos.com` from your Google Authorized domains.
+Any additional scopes that you plan to request must also be configured on your OAuth consent screen in the Google Cloud Platform Console.
+
+Google considers some scopes to be sensitive or restricted. If requesting any of these sensitive or restricted scopes, your application will need to be verified by Google. For more information, see Google's OAuth scopes [documentation](https://developers.google.com/identity/protocols/oauth2/scopes).
+
+![A screenshot showing Google OAuth scopes configuration in the Google Cloud Console](https://images.workoscdn.com/images/c9f2cc5d-ca3c-466f-9db8-9138ad60cc43.png?auto=format&fit=clip&q=50)
+
+> IMPORTANT: Your users will see an "unverified app" screen from Google and may see errors during sign-in if the scopes included on an authorization request differ from the scopes configured on your OAuth consent screen, or if you request sensitive or restricted scopes without going through Google's app verification process. Changes to scopes should be tested in a staging environment before applying them to production.
 
 ---
 
@@ -166,7 +183,7 @@ Once these updates have been saved, test out your Google OAuth sign in flow to e
 
 ### How is the WorkOS Google OAuth integration different from implementing regular Google OAuth flow?
 
-It’s the same Google OAuth flow as you could build yourself, but it’s encapsulated within WorkOS SSO. This means you don’t need to build it yourself. In addition to Google OAuth, you can use WorkOS SSO to support other identity providers, all with a single integration.
+It's the same Google OAuth flow as you could build yourself, but it's encapsulated within WorkOS SSO. This means you don't need to build it yourself. In addition to Google OAuth, you can use WorkOS SSO to support other identity providers, all with a single integration.
 
 ### What is the provider query parameter and how is it used in the Google OAuth integration?
 

package/.docs/organized/docs/integrations/google-oidc.mdx

@@ -0,0 +1,142 @@
+---
+title: Google OIDC
+description: Learn how to configure a connection to Google via OIDC.
+icon: google
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/google-oidc.mdx
+---
+
+## Introduction
+
+Each SSO identity provider requires specific information to create and configure a new [SSO connection](/glossary/connection). Often, the information required to create an SSO connection will differ by identity provider.
+
+To create a Google OIDC SSO connection, you'll need three pieces of information: a [redirect URI](/glossary/redirect-uri), [client ID](/glossary/client-id), and [client secret](/glossary/client-secret).
+
+Start by logging in to your WorkOS dashboard and navigate to the **Organizations** page from the left-hand navigation bar.
+
+Select the organization you'd like to configure a Google OIDC SSO connection for, and select **Configure manually** under **Single Sign-On**.
+
+![WorkOS Dashboard Organizations tab with "Configure manually" button highlighted](https://images.workoscdn.com/images/d577cfbe-028b-48cf-8cc0-4cd5d3adf853.png?auto=format&fit=clip&q=50)
+
+Select **Google OIDC** from the identity provider dropdown, click **Create Connection**.
+
+![Create Connection form with Google OIDC selected as Identity Provider](https://images.workoscdn.com/images/35cfe8ab-1825-4f0d-ab93-7c0eb6e0d742.png?auto=format&fit=clip&q=50)
+
+> Google OIDC is not available when [SSO group role assignment](/sso/identity-provider-role-assignment) is enabled due to [a limitation](https://issuetracker.google.com/issues/133774835?pli=1) with the groups claim.
+
+---
+
+## What WorkOS provides
+
+WorkOS provides the Redirect URI, which can be found in the **Service Provider Details** section on the SSO connection page in the [WorkOS Dashboard](https://dashboard.workos.com/).
+
+- [Redirect URI](/glossary/redirect-uri): The endpoint where identity providers send authentication responses after successful login
+
+![The Redirect URI of a OIDC connection in the WorkOS Dashboard.](https://images.workoscdn.com/images/99a7c7d5-50a9-4bff-a3f3-22dc1cfeca58.png?auto=format&fit=clip&q=50)
+
+The Redirect URI is the location an identity provider redirects its authentication response to. In Google's case, it needs to be set as an **Authorized redirect URI** when configuring your OAuth client in the Google Cloud Console.
+
+Specifically, the Redirect URI will need to be added to the **Authorized redirect URIs** section when creating your OAuth client, which is outlined in [step 3](/integrations/google-oidc/3-create-oauth-client) below.
+
+---
+
+## What you'll need
+
+You will need to obtain two pieces of information from the organization:
+
+- [Client ID](/glossary/client-id): Application identifier from the OIDC provider
+- [Client secret](/glossary/client-secret): Authentication secret for the application
+
+Normally, this information will come from the organization's IT management team when they set up your application's OAuth configuration in their Google Cloud Console. But, should that not be the case during your setup, the next steps will show you how to obtain it.
+
+---
+
+## (1) Create a Google Cloud project (optional)
+
+> If you already have a Google Cloud project, skip this step.
+
+Sign in to the [Google Cloud Console](https://console.cloud.google.com).
+
+From the top left navigation, click **Select a project**. Select an organization and then click **Create project**.
+
+![Google Cloud Console project selector with "Create project" option](https://images.workoscdn.com/images/941eaf2f-b6a3-4c86-83aa-4cb005dbc1e4.png?auto=format&fit=clip&q=50)
+
+Enter a project name. Update the project organization and location if needed. Click **Create**.
+
+![Google Cloud project creation form with project name, organization, and location fields](https://images.workoscdn.com/images/b7cd689d-0e89-4eee-8f32-f6b93522fed1.png?auto=format&fit=clip&q=50)
+
+---
+
+## (2) Configure OAuth app
+
+From the top left navigation, click **Select a project**. Select the project you created in the previous step or one that is already set up.
+
+![Google Cloud Console project selector dropdown with available projects](https://images.workoscdn.com/images/675794e5-9a6d-42cc-8d68-46e58a29caab.png?auto=format&fit=clip&q=50)
+
+Search for **Google Auth Platform** and select it from the results list.
+
+![Google Cloud Console search results showing Google Auth Platform service](https://images.workoscdn.com/images/ef574ce6-3402-4dbe-9e3e-4d3d00d82212.png?auto=format&fit=clip&q=50)
+
+Click **Get started**.
+
+![Google Cloud OAuth App dashboard with highlighted get started button](https://images.workoscdn.com/images/2e35fd83-74db-45b4-ad13-510fb52b57b0.png?auto=format&fit=clip&q=50)
+
+On the **App Information** step, enter an app name, such as your organization name. Select a user support email from the dropdown. Click **Next**.
+
+![OAuth consent screen App Information step with app name and user support email fields](https://images.workoscdn.com/images/2365ee0a-497b-4235-9d08-e9e740a140f0.png?auto=format&fit=clip&q=50)
+
+On the **Audience** step, select **Internal** and click **Next**.
+
+![OAuth consent screen Audience step with Internal option selected](https://images.workoscdn.com/images/e3689b48-4ada-43a6-818f-244cfebf0393.png?auto=format&fit=clip&q=50)
+
+On the **Contact Information** step, enter a contact email and click **Next**.
+
+![OAuth app information screen with contact information field highlighted and demo@foo-corp.com email filled in, next button is highlighted](https://images.workoscdn.com/images/7ef6519e-dc76-473b-901f-388e69762433.png?auto=format&fit=clip&q=50)
+
+Agree to the terms of service, click **Continue** and then **Create**.
+
+![OAuth consent screen terms of service acceptance and Create button](https://images.workoscdn.com/images/e211e959-1325-4dfc-8a8c-96d4ee0030cf.png?auto=format&fit=clip&q=50)
+
+---
+
+## (3) Create OAuth client
+
+From the left-hand sidebar navigation, click **Clients** and then click **Create client**.
+
+![Google Auth Platform Clients page with "Create client" button](https://images.workoscdn.com/images/24e008c1-4a8e-4bfe-8603-1074453a815b.png?auto=format&fit=clip&q=50)
+
+From the **Application type** dropdown, select **Web application**.
+
+![OAuth client creation form with Web application selected as application type](https://images.workoscdn.com/images/17bc8607-23be-457f-9cf1-995730748d55.png?auto=format&fit=clip&q=50)
+
+Under the **Authorized redirect URIs** section, click **Add URI**. Copy the Redirect URI from your WorkOS Dashboard and paste it into the new redirect URI field.
+
+![Authorized redirect URIs section with Add URI button and WorkOS redirect URI field](https://images.workoscdn.com/images/b98e091f-9005-4a1f-bfb9-56eb26a88844.png?auto=format&fit=clip&q=50)
+
+Click **Create**.
+
+---
+
+## (4) Add organization settings
+
+From the **OAuth client created** modal, copy the **Client ID** and **Client Secret** values.
+
+![OAuth client created modal displaying Client ID and client secret](https://images.workoscdn.com/images/51a44c08-a559-456b-926f-33334d7cb755.png?auto=format&fit=clip&q=50)
+
+Back in the WorkOS Dashboard, enter the client ID, and client secret you obtained from Google into the respective fields in the **Identity Provider Configuration** section of the SSO connection.
+
+Enter `https://accounts.google.com/.well-known/openid-configuration` in the **Discovery Endpoint** field, this is the same value for all Google Cloud Console projects.
+
+![WorkOS Dashboard Identity Provider Configuration with Client ID, Client Secret, and Discovery Endpoint fields](https://images.workoscdn.com/images/d3305808-a772-4f2a-a7e1-c862b9274975.png?auto=format&fit=clip&q=50)
+
+Click **Save Configuration**.
+
+---
+
+## Next steps
+
+Your Google OIDC connection is now configured and ready to use. Users within your organization will be able to authenticate through WorkOS using their Google credentials.
+
+To start using this connection in your application, refer to the [SSO guide](/sso) for implementation details.

package/.docs/organized/docs/integrations/google-saml.mdx

@@ -1,6 +1,6 @@
 ---
 title: Google SAML
-description: "Learn how to configure a connection to\_Google Workspace via SAML."
+description: Learn how to configure a connection to Google Workspace via SAML.
 icon: google
 breadcrumb:
   title: Integrations
@@ -20,7 +20,7 @@ Click on the organization you’d like to configure a Google SAML connection for
 
 ![A screenshot showing where to find “Manually Configure Connection” for an Organization in the WorkOS Dashboard.](https://images.workoscdn.com/images/26e7f2ca-7d61-4f02-9a67-f3bfbc254ba3.png?auto=format&fit=clip&q=50)
 
-Select “Google SAML” from the Identity Provider dropdown, enter a descriptive name for the connection, and then select the “Create Connection” button.
+Select “Google Workspace SAML” from the Identity Provider dropdown, enter a descriptive name for the connection, and then select the “Create Connection” button.
 
 ![A screenshot showing how to create a connection in the WorkOS Dashboard.](https://images.workoscdn.com/images/7f2f8f2b-22d1-443c-a692-5eb7fa506042.png?auto=format&fit=clip&q=50)
 
@@ -96,7 +96,7 @@ Scroll down to the "Group membership" section. Add any groups you'd like to send
 
 ![A screenshot showing how to add a group attribute in the Google dashboard.](https://images.workoscdn.com/images/b7a6e5f7-aaf1-4756-9fc9-04f70f1c8a67.png?auto=format&fit=clip&q=50)
 
-> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
+> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the IdP Group ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
 
 ---
 

package/.docs/organized/docs/integrations/hibob.mdx

@@ -1,6 +1,6 @@
 ---
 title: HiBob
-description: "Learn about syncing your user list with\_HiBob."
+description: Learn about syncing your user list with HiBob.
 icon: hibob
 breadcrumb:
   title: Integrations
@@ -12,7 +12,7 @@ originalPath: .tmp-workos-clone/packages/docs/content/integrations/hibob.mdx
 
 This guide outlines how to synchronize your application’s HiBob directories.
 
-To synchronize an organization’s users and groups provisioned for your application, you’ll need the enterprise IT Admin to provide you:
+To synchronize an organization’s users and groups provisioned for your application, you’ll need the enterprise IT admin to provide you:
 
 - A HiBob Service User ID.
 - The HiBob Service User’s Token.
@@ -39,7 +39,7 @@ Then click “Create Directory”.
 
 ![A screenshot highlighting the "Create Directory" modal for creating a HiBob directory in the WorkOS Dashboard.](https://images.workoscdn.com/images/0b8c4bdb-e745-4285-a208-3463631766c0.png?auto=format&fit=clip&q=50)
 
-WorkOS will create a Directory Sync Connection where you will input a “Service User ID” and an “API Token”. The next step will walk you through how an organization IT Admin can generate and gather these details.
+WorkOS will create a Directory Sync Connection where you will input a “Service User ID” and an “API Token”. The next step will walk you through how an organization IT admin can generate and gather these details.
 
 ![A screenshot highlighting the "Update Directory" button in a HiBob directory in the WorkOS Dashboard.](https://images.workoscdn.com/images/f47caea6-5218-4957-b8a1-3c3512ec52f0.png?auto=format&fit=clip&q=50)
 
@@ -65,7 +65,20 @@ HiBob will then present you with an ID and a Token, which will be populated into
 
 ![A screenshot highlighting the "ID" and "Token" fields for a Service User in the HiBob dashboard.](https://images.workoscdn.com/images/81d6408a-0f04-4486-8864-cf9c08928d86.png?auto=format&fit=clip&q=50&w=2048)
 
-The enterprise IT admin should make sure that the Service User has permissions to “View selected employees lifecycle sections”.
+> **Important:** Service users have no permissions by default. The enterprise IT admin must create a permission group and assign specific permissions to the service user.
+
+To set up permissions for the service user:
+
+1. In HiBob, create a permission group for the service user (see [HiBob's guide on creating permission groups](https://apidocs.hibob.com/docs/api-service-users#step-2-creating-a-permission-group))
+2. Under the **People's data** tab in the permission group, enable the following permissions:
+   - **View all employees' Root sections** (required for basic employee data: id, email, first name, last name)
+   - **View all employees' Work sections** (required for title, department, site, start date, manager information)
+   - **View all employees' About sections** (standard employee information)
+   - **View all employees' Employment sections** (employment details)
+3. Under **Access Rights**, set the permission group to **"Everyone"** to sync all active employees. To include inactive employees, use "Select by condition" and remove the "Lifecycle status equals Employed" filter
+4. Assign the service user to this permission group
+
+For more details on setting permissions, see [HiBob's permission documentation](https://apidocs.hibob.com/docs/api-service-users#step-3-set-permissions).
 
 ---