Authenticate Matomo Users with Google OAuth

Matomo is a free and open-source alternative to Google Analytics. I have an instance of Matomo set up for some internal sites and some public sites.

Lately I've been obsessed with setting up Single Sign-On (SSO) wherever I can. There is an official implementation developed by Matomo itself; however, it comes at the cost of an annual subscription fee. Since I'm not making an extra profit with Matomo, I don't want to spend hundreds of Canadian Rupees just to use SSO. Fortunately, I can use Google's OpenID Connect service with my Google Workspace account and a third-party plugin, dominik-th/matomo-plugin-LoginOIDC (external authentication services for Matomo, on GitHub).

The Login OIDC plugin is available from the Matomo Plugin Marketplace. The only issue I faced during install was related to the character set of the table created by the plugin. This can be solved by creating the table manually with the utf8mb4 charset before activating the plugin:

CREATE TABLE matomo_loginoidc_provider
(
    user VARCHAR( 100 ) NOT NULL,
    provider_user VARCHAR( 255 ) NOT NULL,
    provider VARCHAR( 255 ) NOT NULL,
    date_connected TIMESTAMP NOT NULL DEFAULT current_timestamp() ON UPDATE current_timestamp(),
    PRIMARY KEY ( provider_user, provider ),
    UNIQUE KEY user_provider ( user, provider ),
    FOREIGN KEY ( user ) REFERENCES matomo_user ( login ) ON DELETE CASCADE
)
ENGINE=InnoDB
DEFAULT CHARSET=utf8mb4;
Replace the matomo_ prefix with your table prefix.

Configuration

Once activated, the plugin can be configured to use Google's OpenID Connect endpoints (which sit on top of Google's OAuth 2.0 authorization system).

Here's how I've configured my Matomo instance:

Setting | Value | Note
--- | --- | ---
Disable external login for super users | false | I'm the only user at the moment.
Disable direct login URL | true | I'll only log in through the main login page.
Create new users when users try to log in with unknown OIDC accounts | true | Other users in my domain can log in.
Disable second factor with OIDC | true | Google Workspace is configured to enforce 2FA, so Matomo's own second factor is skipped for OIDC logins.
Name | Google OAuth Login |
Authorize URL | https://accounts.google.com/o/oauth2/v2/auth?hd=bytemethod.ca | The ?hd= URL parameter pre-fills my domain in Google's account chooser. It is only a hint to the login form, not access control; the domain is enforced by "Restrict domains" below.
Token URL | https://oauth2.googleapis.com/token |
Userinfo URL | https://openidconnect.googleapis.com/v1/userinfo |
Logout URL | (leave blank) |
Userinfo ID | sub | The stable subject identifier of the Google account. Unlike the email address, it never changes, so it is the right claim to link Matomo users to.
Client ID | (from Google Cloud) | Create a Google Cloud Platform project with OAuth 2.0 credentials.
Client Secret | (from Google Cloud) | From the same OAuth 2.0 credentials as the Client ID.
OAuth Scopes | openid email profile |
Redirect URI Override | (leave blank) |
Restrict domains | bytemethod.ca | Another layer of security that restricts logins to email addresses within my Workspace domain.
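To make the interaction between these settings concrete, here is an added illustration of the login decision they describe. It is my own code, not the LoginOIDC plugin's: the class and function names are mine, the two dicts stand in for the matomo_user and matomo_loginoidc_provider tables, the userinfo responses are constructed to match the shape Google's userinfo endpoint returns (sub, email, email_verified, and hd for Workspace accounts), and the choice to use the email address as the login of an auto-created user is an assumption. The point it shows is that the ?hd= hint parsed from the Authorize URL never decides anything; the "Restrict domains" check on the returned claims does, and accounts are matched on sub rather than email.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class OidcConfig:
    """The plugin settings from the table above (field names are mine, not the plugin's)."""
    authorize_url: str = "https://accounts.google.com/o/oauth2/v2/auth?hd=bytemethod.ca"
    userinfo_id: str = "sub"                       # claim that identifies the account
    restrict_domains: tuple = ("bytemethod.ca",)   # empty tuple = no restriction
    create_unknown_users: bool = True
    disable_for_superusers: bool = False


@dataclass
class Directory:
    """Stand-in for matomo_user and matomo_loginoidc_provider (constructed data)."""
    users: dict = field(default_factory=dict)   # login -> is_superuser
    links: dict = field(default_factory=dict)   # (provider, provider_user) -> login


def hd_hint(cfg: OidcConfig) -> Optional[str]:
    """The ?hd= value only pre-fills Google's account chooser. It is a UI hint:
    Google's own docs say not to rely on it and to check the hd claim instead."""
    return parse_qs(urlsplit(cfg.authorize_url).query).get("hd", [None])[0]


def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def authorize(cfg: OidcConfig, directory: Directory, userinfo: dict,
              provider: str = "oidc"):
    """Decide whether a userinfo response may log in. Returns (login, reason);
    login is None when the login is rejected."""
    provider_user = userinfo.get(cfg.userinfo_id)
    if not provider_user:
        return None, f"missing {cfg.userinfo_id} claim"

    email = userinfo.get("email", "")
    if not userinfo.get("email_verified") or "@" not in email:
        return None, "email not verified"

    # "Restrict domains": the enforcement that the ?hd= hint does not provide.
    # Both the address domain and Google's hd claim must be an allowed domain;
    # a consumer Gmail account carries no hd claim and is rejected here.
    if cfg.restrict_domains:
        domain = email_domain(email)
        hd = (userinfo.get("hd") or "").lower()
        if domain not in cfg.restrict_domains or hd not in cfg.restrict_domains:
            return None, f"domain {domain!r} not allowed"

    # Look up by the stable subject identifier, never by email address:
    # addresses can be renamed or reassigned inside a Workspace, sub cannot.
    login = directory.links.get((provider, provider_user))
    if login is None:
        if not cfg.create_unknown_users:
            return None, "unknown account and user creation disabled"
        login = email   # assumption: auto-created Matomo logins are the email address
        directory.users[login] = False
        directory.links[(provider, provider_user)] = login
        return login, "created"

    if cfg.disable_for_superusers and directory.users.get(login, False):
        return None, "external login disabled for super users"
    return login, "linked"


if __name__ == "__main__":
    cfg = OidcConfig()
    d = Directory(users={"admin": True, "alice": False},
                  links={("oidc", "100"): "admin", ("oidc", "101"): "alice"})
    print("hd hint:", hd_hint(cfg))
    # Constructed userinfo responses in Google's shape
    samples = [
        {"sub": "101", "email": "alice@bytemethod.ca", "email_verified": True, "hd": "bytemethod.ca"},
        {"sub": "102", "email": "bob@bytemethod.ca", "email_verified": True, "hd": "bytemethod.ca"},
        {"sub": "103", "email": "mallory@gmail.com", "email_verified": True},
        {"sub": "101", "email": "alice@bytemethod.ca", "email_verified": False, "hd": "bytemethod.ca"},
    ]
    for s in samples:
        print(s["email"], "->", authorize(cfg, d, s))
```

Running it shows alice linked by her existing sub, bob auto-created because "Create new users" is on, the Gmail account rejected by the domain restriction even though the hint could not stop it from reaching the callback, and an unverified email rejected outright.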

When creating a new Client ID for Web Application in the Google Cloud Platform Console, your Authorized Redirect URI will look like this:

https://matomo.example.com/index.php?module=LoginOIDC&action=callback&provider=oidc
Replace matomo.example.com with the hostname of your Matomo instance. Google matches the registered redirect URI exactly, so the scheme, host, path and query string must be identical to what the plugin sends.