authopenidconnect_google.html 7.14 KB
Newer Older
Clément OUDOT's avatar
Clément OUDOT committed
1 2 3 4 5 6 7 8 9 10 11 12
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:2.0:authopenidconnect_google</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,authopenidconnect_google"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authopenidconnect_google.html"/>
<link rel="contents" href="authopenidconnect_google.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
Xavier Guimard's avatar
Xavier Guimard committed
13 14 15 16 17 18 19 20 21
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
Clément OUDOT's avatar
Clément OUDOT committed
22 23 24
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:authopenidconnect_google","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
Xavier Guimard's avatar
Xavier Guimard committed
25 26 27 28 29 30 31 32 33 34 35 36 37 38
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
Xavier Guimard's avatar
Xavier Guimard committed
39
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
Xavier Guimard's avatar
Xavier Guimard committed
40
//else -->
Xavier Guimard's avatar
Xavier Guimard committed
41
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
Xavier Guimard's avatar
Xavier Guimard committed
42
<!-- //endif -->
Clément OUDOT's avatar
Clément OUDOT committed
43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#register_on_google">Register on Google</a></div></li>
<li class="level1"><div class="li"><a href="#declare_google_in_your_llng_server">Declare Google in your LL::NG server</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="google">Google</h1>
<div class="level1">

<p>
<img src="icons/kmultiple.png" class="mediacenter" alt="" />
</p>

</div>
<!-- EDIT1 SECTION "Google" [1-67] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">

<p>
Do you we have to present <a href="http://www.google.com" class="urlextern" title="http://www.google.com"  rel="nofollow">Google</a>? The good news is that Google is a standard OpenID Provider, and so you can easily delegate the authentication of <abbr title="LemonLDAP::NG">LL::NG</abbr> to Google: <a href="https://developers.google.com/identity/protocols/OpenIDConnect" class="urlextern" title="https://developers.google.com/identity/protocols/OpenIDConnect"  rel="nofollow">https://developers.google.com/identity/protocols/OpenIDConnect</a>
</p>
<div class="noteimportant">Google does not support logout trough OpenID Connect. If you close your session on <abbr title="LemonLDAP::NG">LL::NG</abbr> side, your Google session will still be open.
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [68-507] -->
<h2 class="sectionedit3" id="register_on_google">Register on Google</h2>
<div class="level2">

<p>
You need a Google developer account to access to <a href="https://console.developers.google.com/" class="urlextern" title="https://console.developers.google.com/"  rel="nofollow">https://console.developers.google.com/</a>
</p>

<p>
Here you can go in <abbr title="Application Programming Interface">API</abbr> Manager and get new credentials (<code>client_id</code> and <code>client_secret</code>).
</p>

<p>
You need to provide the callback URLs, for example <a href="https://auth.domain.com/?openidcallback=1" class="urlextern" title="https://auth.domain.com/?openidcallback=1"  rel="nofollow">https://auth.domain.com/?openidcallback=1</a>.
</p>

</div>
<!-- EDIT3 SECTION "Register on Google" [508-818] -->
<h2 class="sectionedit4" id="declare_google_in_your_llng_server">Declare Google in your LL::NG server</h2>
<div class="level2">

<p>
Go in Manager and create a new OpenID Connect provider. You can call it <code>google</code> for example.
</p>

<p>
Click on <code>Metadata</code>, and use the OpenID Connect configuration <abbr title="Uniform Resource Locator">URL</abbr> to load them: <a href="https://accounts.google.com/.well-known/openid-configuration" class="urlextern" title="https://accounts.google.com/.well-known/openid-configuration"  rel="nofollow">https://accounts.google.com/.well-known/openid-configuration</a>.
</p>

<p>
You can also load the JWKS data from the <abbr title="Uniform Resource Locator">URL</abbr> <a href="https://www.googleapis.com/oauth2/v3/certs" class="urlextern" title="https://www.googleapis.com/oauth2/v3/certs"  rel="nofollow">https://www.googleapis.com/oauth2/v3/certs</a>. But as Google rotate their keys, we will also configure a refresh interval on JKWS data.
</p>

<p>
Go in <code>Exported attributes</code> to choose which attributes you want to collect. Google supports these claims:
</p>
<ul>
<li class="level1"><div class="li"> email</div>
</li>
<li class="level1"><div class="li"> email_verified</div>
</li>
<li class="level1"><div class="li"> family_name</div>
</li>
<li class="level1"><div class="li"> given_name</div>
</li>
<li class="level1"><div class="li"> locale</div>
</li>
<li class="level1"><div class="li"> name</div>
</li>
<li class="level1"><div class="li"> picture</div>
</li>
<li class="level1"><div class="li"> sub</div>
</li>
</ul>

<p>
Now go in <code>Options</code>:
</p>
<ul>
<li class="level1"><div class="li"> In <code>Configuration</code>, register the <code>client_id</code> and <code>client_secret</code> given by Google. Set also the configuration <abbr title="Uniform Resource Identifier">URI</abbr> with <a href="https://accounts.google.com/.well-known/openid-configuration" class="urlextern" title="https://accounts.google.com/.well-known/openid-configuration"  rel="nofollow">https://accounts.google.com/.well-known/openid-configuration</a>, and JWKS refresh, for example every day: 86400.</div>
</li>
<li class="level1"><div class="li"> In <code>Protocol</code>, adapt the <code>scope</code> to the exported attributes you want. You can for example use <code>openid profile email</code>.</div>
</li>
<li class="level1"><div class="li"> In <code>Display</code>, you can set the name and the logo</div>
</li>
</ul>

</div>
<!-- EDIT4 SECTION "Declare Google in your LL::NG server" [819-] --></div>
</body>
</html>