Note: you must be an administrator of the GSuite organization you are connecting in order to link it to Cloudflare.
1. Log in to the Google Cloud console. Create a new project for your Cloudflare connection (or choose an existing one) and click ‘Enable’ for the Admin SDK.
2. Then on the left hand side, click on Credentials.
3. Click Create Credentials, and from the list select OAuth Client ID.
4. Click the ‘Configure Consent Screen’ button.
5. Fill out the Product Name field and click Save. (This name is shown to users during the sign-in flow.)
7. Copy your client ID and client secret and paste them into the Cloudflare dashboard. Treat the client secret like a password: anyone holding it can impersonate your OAuth client. You will need the client ID again in a minute.
8. The next step is to connect your GSuite account and grant Cloudflare read-only access to your directory. Log in to your GSuite admin account at https://admin.google.com/ and go to Security > Advanced settings > Authentication > Manage API client access.
9. In the Client Name field, paste the Client ID you copied from the Google Cloud console. In the field called ‘One or More API Scopes’, paste: https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly and click Authorize. These two scopes only permit listing groups and their members; they do not allow Cloudflare to read user profiles or change anything in your directory.
10. You are done: you have created a key for Cloudflare to use to authenticate your GSuite users, given that key read-only access to your GSuite organization, and handed the key to Cloudflare.
If you log in to Cloudflare Access and Google shows you a 400 error instead of the sign-in prompt, have no fear. It is easy to fix and takes just a minute. Ready?
Go back to the Google Cloud Console at https://console.cloud.google.com/apis/credentials and click the pencil (edit) icon next to the OAuth client ID you created for Cloudflare Access.
Then, in the Authorized redirect URIs field, add the redirect URI Google complains about in the 400 error. It will look something like https://dani.cloudflareauth.com/cdn-cgi/auth/callback. Google compares the redirect URI against this list exactly (scheme, host and path, including any trailing slash), so copy it verbatim from the error rather than retyping it.
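The following is an added example, not code from the original post or from Cloudflare: it models the two parts of the setup above that are easy to get wrong, the authorization request Cloudflare Access sends to Google with the Admin SDK scopes from step 9, and Google's exact-match check of the redirect URI against the OAuth client's authorized list, which is what produces the 400 error. Nothing here contacts Google; the team domain, client ID and the `openid`/`email` identity scopes are constructed assumptions, and the authorization endpoint is Google's public OAuth 2.0 endpoint.

```python
"""Offline model of the OAuth pieces behind the Cloudflare Access + GSuite setup.

Constructed example: no network calls are made. It builds the authorization
request Google receives and reproduces the redirect-URI check that yields the
400 error when the callback URI is not registered on the OAuth client.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

# Google's public OAuth 2.0 authorization endpoint.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# The two read-only Admin SDK scopes authorized in step 9.
ADMIN_SDK_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
)
# Identity scopes needed to learn who signed in; an assumption, not from the post.
IDENTITY_SCOPES = ("openid", "email")


def access_callback_uri(team_domain: str) -> str:
    """Callback Cloudflare Access sends as redirect_uri (shape taken from the post)."""
    return f"https://{team_domain}/cdn-cgi/auth/callback"


def build_authorization_url(client_id: str, redirect_uri: str, scopes, state: str) -> str:
    """Authorization-code request as a browser would be redirected to it."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,          # CSRF token bound to the user's session
        "access_type": "offline",
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def redirect_uri_registered(requested: str, registered) -> bool:
    """Google matches redirect_uri against the client's authorized list exactly:
    scheme, host, path and trailing slash must all agree; there is no prefix or
    wildcard matching. That is why the fix is to paste the URI verbatim."""
    return requested in set(registered)


def check_authorization_request(auth_url: str, registered_redirect_uris):
    """Reproduce the server-side decision: (status, detail).

    400 corresponds to the error page described in the post (Google labels it
    redirect_uri_mismatch); 200 means the consent/sign-in screen would be shown.
    """
    query = parse_qs(urlsplit(auth_url).query)
    requested = query.get("redirect_uri", [""])[0]
    if not redirect_uri_registered(requested, registered_redirect_uris):
        return 400, f"redirect_uri not authorized for this client: {requested}"
    if "code" not in query.get("response_type", []):
        return 400, "unsupported response_type"
    return 200, "ok"


def demo():
    """Walk through the failure and the fix with constructed values."""
    callback = access_callback_uri("dani.cloudflareauth.com")  # team domain: assumption
    url = build_authorization_url("example-client-id", callback,
                                  IDENTITY_SCOPES + ADMIN_SDK_SCOPES, "s3cr3t-state")
    before = check_authorization_request(url, [])            # nothing registered yet
    after = check_authorization_request(url, [callback])      # URI added in the console
    wrong = check_authorization_request(url, [callback + "/"])  # trailing slash: still 400
    return before[0], after[0], wrong[0]


if __name__ == "__main__":
    print(demo())
```

Run it as a script and the three statuses show the progression: 400 before the URI is registered, 200 once the exact callback is added, and 400 again if the registered entry differs by as little as a trailing slash.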