oauth2-proxy/assets/js/ecdf535b.9b867be1.js
"use strict";(self.webpackChunkdocusaurus=self.webpackChunkdocusaurus||[]).push([[5381],{3905:function(e,t,o){o.d(t,{Zo:function(){return c},kt:function(){return h}});var n=o(7294);function r(e,t,o){return t in e?Object.defineProperty(e,t,{value:o,enumerable:!0,configurable:!0,writable:!0}):e[t]=o,e}function a(e,t){var o=Object.keys(e);if(Object.getOwnPropertySymbols){var n=Object.getOwnPropertySymbols(e);t&&(n=n.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),o.push.apply(o,n)}return o}function i(e){for(var t=1;t<arguments.length;t++){var o=null!=arguments[t]?arguments[t]:{};t%2?a(Object(o),!0).forEach((function(t){r(e,t,o[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(o)):a(Object(o)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(o,t))}))}return e}function l(e,t){if(null==e)return{};var o,n,r=function(e,t){if(null==e)return{};var o,n,r={},a=Object.keys(e);for(n=0;n<a.length;n++)o=a[n],t.indexOf(o)>=0||(r[o]=e[o]);return r}(e,t);if(Object.getOwnPropertySymbols){var a=Object.getOwnPropertySymbols(e);for(n=0;n<a.length;n++)o=a[n],t.indexOf(o)>=0||Object.prototype.propertyIsEnumerable.call(e,o)&&(r[o]=e[o])}return r}var p=n.createContext({}),s=function(e){var t=n.useContext(p),o=t;return e&&(o="function"==typeof e?e(t):i(i({},t),e)),o},c=function(e){var t=s(e.components);return n.createElement(p.Provider,{value:t},e.children)},d="mdxType",u={inlineCode:"code",wrapper:function(e){var t=e.children;return n.createElement(n.Fragment,{},t)}},m=n.forwardRef((function(e,t){var o=e.components,r=e.mdxType,a=e.originalType,p=e.parentName,c=l(e,["components","mdxType","originalType","parentName"]),d=s(o),m=r,h=d["".concat(p,".").concat(m)]||d[m]||u[m]||a;return o?n.createElement(h,i(i({ref:t},c),{},{components:o})):n.createElement(h,i({ref:t},c))}));function h(e,t){var o=arguments,r=t&&t.mdxType;if("string"==typeof e||r){var a=o.length,i=new Array(a);i[0]=m;var 
l={};for(var p in t)hasOwnProperty.call(t,p)&&(l[p]=t[p]);l.originalType=e,l[d]="string"==typeof e?e:r,i[1]=l;for(var s=2;s<a;s++)i[s]=o[s];return n.createElement.apply(null,i)}return n.createElement.apply(null,o)}m.displayName="MDXCreateElement"},4804:function(e,t,o){o.r(t),o.d(t,{assets:function(){return c},contentTitle:function(){return p},default:function(){return h},frontMatter:function(){return l},metadata:function(){return s},toc:function(){return d}});var n=o(7462),r=o(3366),a=(o(7294),o(3905)),i=["components"],l={id:"google",title:"Google (default)"},p=void 0,s={unversionedId:"configuration/providers/google",id:"configuration/providers/google",title:"Google (default)",description:"For Google, the registration steps are:",source:"@site/docs/configuration/providers/google.md",sourceDirName:"configuration/providers",slug:"/configuration/providers/google",permalink:"/oauth2-proxy/docs/next/configuration/providers/google",draft:!1,editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/providers/google.md",tags:[],version:"current",frontMatter:{id:"google",title:"Google (default)"},sidebar:"docs",previous:{title:"OAuth Provider Configuration",permalink:"/oauth2-proxy/docs/next/configuration/providers/"},next:{title:"Azure",permalink:"/oauth2-proxy/docs/next/configuration/providers/azure"}},c={},d=[{value:"Restrict auth to specific Google groups on your domain. 
(optional)",id:"restrict-auth-to-specific-google-groups-on-your-domain-optional",level:4},{value:"Using Application Default Credentials (ADC) / Workload Identity / Workload Identity Federation (recommended)",id:"using-application-default-credentials-adc--workload-identity--workload-identity-federation-recommended",level:5}],u={toc:d},m="wrapper";function h(e){var t=e.components,o=(0,r.Z)(e,i);return(0,a.kt)(m,(0,n.Z)({},u,o,{components:t,mdxType:"MDXLayout"}),(0,a.kt)("p",null,"For Google, the registration steps are:"),(0,a.kt)("ol",null,(0,a.kt)("li",{parentName:"ol"},"Create a new project: ",(0,a.kt)("a",{parentName:"li",href:"https://console.developers.google.com/project"},"https://console.developers.google.com/project")),(0,a.kt)("li",{parentName:"ol"},"Choose the new project from the top right project dropdown (only if another project is selected)"),(0,a.kt)("li",{parentName:"ol"},"In the project Dashboard center pane, choose ",(0,a.kt)("strong",{parentName:"li"},'"APIs & Services"')),(0,a.kt)("li",{parentName:"ol"},"In the left Nav pane, choose ",(0,a.kt)("strong",{parentName:"li"},'"Credentials"')),(0,a.kt)("li",{parentName:"ol"},"In the center pane, choose ",(0,a.kt)("strong",{parentName:"li"},'"OAuth consent screen"')," tab. 
Fill in ",(0,a.kt)("strong",{parentName:"li"},'"Product name shown to users"')," and hit save."),(0,a.kt)("li",{parentName:"ol"},"In the center pane, choose ",(0,a.kt)("strong",{parentName:"li"},'"Credentials"')," tab.",(0,a.kt)("ul",{parentName:"li"},(0,a.kt)("li",{parentName:"ul"},"Open the ",(0,a.kt)("strong",{parentName:"li"},'"New credentials"')," drop down"),(0,a.kt)("li",{parentName:"ul"},"Choose ",(0,a.kt)("strong",{parentName:"li"},'"OAuth client ID"')),(0,a.kt)("li",{parentName:"ul"},"Choose ",(0,a.kt)("strong",{parentName:"li"},'"Web application"')),(0,a.kt)("li",{parentName:"ul"},"Application name is freeform, choose something appropriate"),(0,a.kt)("li",{parentName:"ul"},"Authorized JavaScript origins is your domain ex: ",(0,a.kt)("inlineCode",{parentName:"li"},"https://internal.yourcompany.com")),(0,a.kt)("li",{parentName:"ul"},"Authorized redirect URIs is the location of oauth2/callback ex: ",(0,a.kt)("inlineCode",{parentName:"li"},"https://internal.yourcompany.com/oauth2/callback")),(0,a.kt)("li",{parentName:"ul"},"Choose ",(0,a.kt)("strong",{parentName:"li"},'"Create"')))),(0,a.kt)("li",{parentName:"ol"},"Take note of the ",(0,a.kt)("strong",{parentName:"li"},"Client ID")," and ",(0,a.kt)("strong",{parentName:"li"},"Client Secret"))),(0,a.kt)("p",null,"It's recommended to refresh sessions on a short interval (1h) with ",(0,a.kt)("inlineCode",{parentName:"p"},"cookie-refresh")," setting which validates that the\naccount is still authorized."),(0,a.kt)("h4",{id:"restrict-auth-to-specific-google-groups-on-your-domain-optional"},"Restrict auth to specific Google groups on your domain. 
(optional)"),(0,a.kt)("ol",null,(0,a.kt)("li",{parentName:"ol"},(0,a.kt)("p",{parentName:"li"},"Create a ",(0,a.kt)("a",{parentName:"p",href:"https://developers.google.com/identity/protocols/OAuth2ServiceAccount"},"service account")," and configure it\nto use ",(0,a.kt)("a",{parentName:"p",href:"#using-application-default-credentials-adc--workload-identity--workload-identity-federation-recommended"},"Application Default Credentials / Workload Identity / Workload Identity Federation (recommended)")," or,\nalternatively download the JSON.")),(0,a.kt)("li",{parentName:"ol"},(0,a.kt)("p",{parentName:"li"},"Make note of the Client ID for a future step.")),(0,a.kt)("li",{parentName:"ol"},(0,a.kt)("p",{parentName:"li"},'Under "APIs & Auth", choose APIs.')),(0,a.kt)("li",{parentName:"ol"},(0,a.kt)("p",{parentName:"li"},"Click on Admin SDK and then Enable API.")),(0,a.kt)("li",{parentName:"ol"},(0,a.kt)("p",{parentName:"li"},"Follow the steps on ",(0,a.kt)("a",{parentName:"p",href:"https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account"},"https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account"),"\nand give the client id from step 2 the following oauth scopes:"),(0,a.kt)("pre",{parentName:"li"},(0,a.kt)("code",{parentName:"pre"},"https://www.googleapis.com/auth/admin.directory.group.readonly\nhttps://www.googleapis.com/auth/admin.directory.user.readonly\n"))),(0,a.kt)("li",{parentName:"ol"},(0,a.kt)("p",{parentName:"li"},"Follow the steps on ",(0,a.kt)("a",{parentName:"p",href:"https://support.google.com/a/answer/60757"},"https://support.google.com/a/answer/60757")," to enable Admin API access.")),(0,a.kt)("li",{parentName:"ol"},(0,a.kt)("p",{parentName:"li"},"Create or choose an existing administrative email address on the Gmail domain to assign to the ",(0,a.kt)("inlineCode",{parentName:"p"},"google-admin-email"),"\nflag. 
This email will be impersonated by this client to make calls to the Admin SDK. See the note on the link from\nstep 5 for the reason why.")),(0,a.kt)("li",{parentName:"ol"},(0,a.kt)("p",{parentName:"li"},"Create or choose an existing email group and set that email to the ",(0,a.kt)("inlineCode",{parentName:"p"},"google-group")," flag. You can pass multiple instances\nof this flag with different groups and the user will be checked against all the provided groups."))),(0,a.kt)("p",null,"(Only if using a JSON file (see step 1))\n9. Lock down the permissions on the json file downloaded from step 1 so only oauth2-proxy is able to read the file and\nset the path to the file in the ",(0,a.kt)("inlineCode",{parentName:"p"},"google-service-account-json")," flag.\n10. Restart oauth2-proxy."),(0,a.kt)("p",null,"Note: The user is checked against the group members list on initial authentication and every time the token is\nrefreshed ( about once an hour )."),(0,a.kt)("h5",{id:"using-application-default-credentials-adc--workload-identity--workload-identity-federation-recommended"},"Using Application Default Credentials (ADC) / Workload Identity / Workload Identity Federation (recommended)"),(0,a.kt)("p",null,"oauth2-proxy can make use of ",(0,a.kt)("a",{parentName:"p",href:"https://cloud.google.com/docs/authentication/application-default-credentials"},"Application Default Credentials"),".\nWhen deployed within GCP, this means that it can automatically use the service account attached to the resource. When deployed to GKE, ADC\ncan be leveraged through a feature called Workload Identity. 
Follow Google's ",(0,a.kt)("a",{parentName:"p",href:"https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity"},"guide"),"\nto set up Workload Identity."),(0,a.kt)("p",null,"When deployed outside of GCP, ",(0,a.kt)("a",{parentName:"p",href:"https://cloud.google.com/docs/authentication/provide-credentials-adc#wlif"},"Workload Identity Federation")," might be an option."))}h.isMDXComponent=!0}}]);