SSO Google
Example Configuration:
[service.local]
protocol = "http"
policy = "failover"
admins = ["admin"]

[service.local.credential]
username = "user"
password = "password"

[[service.local.targets]]
hostname = "b2bmft.stonebranch.com"
port = 9180
Google Auth
Create a new Project under your google account: https://console.cloud.google.com/projectcreate
Create a new Credential for the service: https://console.cloud.google.com/apis/credentials
From the Create Credentials menu, select OAuth Client ID.
The application type must be Web Application.
Under Authorized redirect URIs, enter the exact URL where the proxy will be reachable. For example:
https://<fqdn>:<port>/service/auth/sso/google/callback
Configure your application.
After you complete the form, copy the following fields or download the JSON file; it contains the credentials needed for the setup.
Create the following entry under your service, with the path to the configuration file:
[service.local.auth.google]
file = "sso-google-udmg.json"
Create the following file with the values from the downloaded credentials file:
{
  "clientID": "client-id",
  "clientSecret": "client-secret",
  "redirectURI": "<http-fqdn>/service/auth/sso/google/callback",
  "hostedDomains": ["domain.com"]
}
If you are going to use a public domain such as @gmail.com, do not set hostedDomains, because the hd parameter in the callback will be empty for those accounts.
OpenID
https://console.cloud.google.com/apis/credentials
[service.local.auth.oidc]
file = "openid-config.json"
{
  "issuer": "https://accounts.google.com",
  "clientID": "<client-id>",
  "clientSecret": "<client-secret-id>",
  "redirectURI": "https://<fqdn>/service/auth/sso/openid/callback"
}
OAuth2
With OAuth2 and the Google provider you need to grant some extra scopes, because by default the email is not included in the payload.
To grant the scopes, edit the App.
Under the scope step:
Grant the following scopes.
After updating the scopes, you should see them listed under Your non-sensitive scopes.
[service.local.auth.oauth]
file = "oauth-config.json"
{
  "issuer": "https://accounts.google.com",
  "clientID": "<client-id>",
  "clientSecret": "<client-secret-id>",
  "redirectURI": "https://<fqdn>/service/auth/sso/oauth/callback",
  "tokenURL": "https://oauth2.googleapis.com/token",
  "authorizationURL": "https://accounts.google.com/o/oauth2/auth",
  "scopes": ["profile"],
  "insecureSkipVerify": true,
  "userInfoURL": "https://www.googleapis.com/oauth2/v3/userinfo",
  "userIDKey": "sub"
}
The Google provider also offers a setup page for OAuth2.
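The three JSON files above are easy to get subtly wrong: a redirect URI whose path does not match the callback of the chosen mode is rejected by Google, a placeholder left in from the documentation fails silently at login, and "insecureSkipVerify": true disables TLS certificate verification on the calls the proxy makes to Google's token and userinfo endpoints, so it should not stay enabled in production. The following checker is an added example, not part of the product or its documentation: it validates a config file for each mode (google, oidc, oauth) offline and also mirrors the hostedDomains behaviour described in the Google Auth section, where a consumer @gmail.com account carries no hd claim. The required-key sets, callback paths and sample file contents are taken from the configuration shown on this page; the sample client IDs and secrets are constructed values.

```python
"""Offline sanity checker for the Google SSO JSON files used by the proxy.

Added example; the key names and callback paths come from the documentation
above, everything else (sample values, rule wording) is constructed here.
"""
import json
from typing import Dict, List
from urllib.parse import urlparse

# Callback path each auth mode expects, from the redirect URIs in the docs.
CALLBACK_PATHS = {
    "google": "/service/auth/sso/google/callback",
    "oidc": "/service/auth/sso/openid/callback",
    "oauth": "/service/auth/sso/oauth/callback",
}

# Keys each file must carry, from the three example files on this page.
REQUIRED_KEYS = {
    "google": {"clientID", "clientSecret", "redirectURI"},
    "oidc": {"issuer", "clientID", "clientSecret", "redirectURI"},
    "oauth": {"issuer", "clientID", "clientSecret", "redirectURI", "tokenURL",
              "authorizationURL", "scopes", "userInfoURL", "userIDKey"},
}


def check_sso_config(mode: str, raw_json: str) -> List[str]:
    """Return the problems found in one SSO config file; an empty list means OK."""
    if mode not in CALLBACK_PATHS:
        return [f"unknown auth mode {mode!r}"]
    try:
        cfg = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]

    problems = []
    missing = sorted(REQUIRED_KEYS[mode] - cfg.keys())
    if missing:
        problems.append(f"missing keys: {', '.join(missing)}")

    # Documentation placeholders such as "<client-id>" must be replaced.
    for key in ("clientID", "clientSecret"):
        value = str(cfg.get(key, ""))
        if not value or value.startswith("<"):
            problems.append(f"{key} still holds a placeholder value")

    uri = urlparse(str(cfg.get("redirectURI", "")))
    if uri.scheme != "https":
        problems.append("redirectURI should use https")
    if uri.path != CALLBACK_PATHS[mode]:
        problems.append(f"redirectURI path must be {CALLBACK_PATHS[mode]}")

    # Skipping certificate verification lets anyone on the path impersonate Google.
    if cfg.get("insecureSkipVerify") is True:
        problems.append("insecureSkipVerify is true: TLS verification to Google is disabled")
    return problems


def hosted_domain_allowed(claims: Dict[str, str], hosted_domains: List[str]) -> bool:
    """Mirror the hostedDomains check on the callback.

    With no domains configured every Google account is accepted. Otherwise the
    'hd' claim must be present and listed; consumer @gmail.com accounts have no
    'hd' claim, so they are rejected whenever hostedDomains is set.
    """
    if not hosted_domains:
        return True
    return claims.get("hd") in hosted_domains


# Constructed sample files (not real credentials).
SAMPLE_GOOGLE = json.dumps({
    "clientID": "1234567890-constructed.apps.googleusercontent.com",
    "clientSecret": "constructed-secret-value",
    "redirectURI": "https://proxy.example.com:9180/service/auth/sso/google/callback",
    "hostedDomains": ["example.com"],
})

# The oauth example exactly as shown on this page, placeholders included.
SAMPLE_OAUTH = json.dumps({
    "issuer": "https://accounts.google.com",
    "clientID": "<client-id>",
    "clientSecret": "<client-secret-id>",
    "redirectURI": "https://<fqdn>/service/auth/sso/oauth/callback",
    "tokenURL": "https://oauth2.googleapis.com/token",
    "authorizationURL": "https://accounts.google.com/o/oauth2/auth",
    "scopes": ["profile"],
    "insecureSkipVerify": True,
    "userInfoURL": "https://www.googleapis.com/oauth2/v3/userinfo",
    "userIDKey": "sub",
})

if __name__ == "__main__":
    for mode, raw in (("google", SAMPLE_GOOGLE), ("oauth", SAMPLE_OAUTH)):
        print(mode, check_sso_config(mode, raw) or "OK")
    print("gmail user with hostedDomains set:",
          hosted_domain_allowed({"email": "someone@gmail.com"}, ["example.com"]))
```

Run it as a pre-deployment check against the real files; the oauth example from this page reports the two placeholders and the insecureSkipVerify setting, while the hosted-domain call shows why a @gmail.com user is turned away as soon as hostedDomains is populated.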