I’m trying to set up authentication with Dex and Google authentication. I used the following to try to piece together the proper settings in ood_portal.yml.
However when I browse to https://myserver:5554/auth I get Invalid client_id (“”)
I can verify the SSL configuration is fine because when I browse to the .well-known/openid-configuration for my server it properly displays the information.
My configuration for auth/dex in ood_portal.yml looks like:
```yaml
# List of Apache authentication directives
# NB: Be sure the appropriate Apache module is installed for this
# Default: (see below, uses OIDC auth with Dex)
auth:
  - 'AuthType openid-connect'
  - 'Require valid-user'

# Dex configurations, values inside the "dex" structure are directly used to configure Dex
# If the value for "dex" key is false or null, Dex support is disabled
# Dex support will auto-enable if ondemand-dex package is installed
dex:
  # Default based on if ssl key for ood-portal-generator is defined
  ssl: true
  # Only used if SSL is disabled
  # http_port: "5556"
  # Only used if SSL is enabled
  # https_port: "5554"
  # tls_cert and tls_key take OnDemand configured values for ssl and copy keys to /etc/ood/dex maintaining file names
  # tls_cert: null
  # tls_key: null
  # storage_file: /etc/ood/dex/dex.db
  # grpc: null
  # expiry: null
  # Client ID, defaults to servername or FQDN
  client_id: rcs-grid.fandm.edu
  client_name: OnDemand
  # Client secret, value auto generated
  # A value that is a filesystem path can be used to store secret in a file
  client_secret: /etc/ood/dex/ondemand.secret
  # The OnDemand redirectURI is auto-generated, this option allows adding additional URIs
  # client_redirect_uris: []
  # Additional Dex OIDC clients to configure
  # static_clients: []
  # The following example is to configure OpenLDAP
  # Docs: https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md
  connectors:
    - type: google
      id: google
      name: Google
      config:
        clientID: /etc/ood/dex/ondemand.id
        clientSecret: /etc/ood/dex/ondemand.secret
        redirectURI: https://127.0.0.1:5554/callback
```
I assume you’ve already set up the Google OAuth client. We may hardcode/expect some defaults for Dex so it may not work for you at all to run this through Dex.
I’d suggest you use oidc directly instead of using Dex.
I actually did this years ago and just looked mine up. When you set up a client, they give you an ID and a secret.
It’s fairly straightforward from there. Google’s just like any other OIDC provider, especially after you obtain a secret, id and know the metadata url.
Then of course you need to map the Google users back to your local users. Google will return a strange Google account id for a user and you’ll have to map it to a Linux user.
Thank you for your assistance. I was able to get this working based on the suggestions provided by Jeff. For anyone else who may want to set this up, here is our solution:
Set up a new OAuth2 client through the Google API console based on steps 1 and 2 of these instructions: Google API instructions
After creating the new client ID, click on it and add server to the section labeled Authorized JavaScript origins. Note that I believe the server address must use HTTPS. If you use a special port then you must include the port as well
Configure ood_portal.yml to use OIDC only (no Dex) as follows:
```yaml
auth:
  - 'AuthType openid-connect'
  - 'Require valid-user'

# Script to map users.
user_map_cmd: '/etc/ood/config/user_mapping.sh'

# Must use this one for Google
oidc_provider_metadata_url: "https://accounts.google.com/.well-known/openid-configuration"
# Use values generated by Google API in step 1 above
oidc_client_id: 99999999999999.googleusercontent.com
oidc_client_secret: GOPHER-encs87fgdgshWxX9b4TBBy-F
# If using this then in the Google API console for your client
# You need to add: https://<yourserver>/oidc under the Authorized redirect URIs section
oidc_uri: '/oidc'
oidc_scope: "openid profile email"
# We used email to make it easier to map our users to a Linux user since we
# didn't have a good way to map the Google ID number
oidc_remote_user_claim: email
oidc_settings:
  OIDCPassIDTokenAs: "serialized"
  OIDCPassRefreshToken: "On"
  OIDCPassClaimsAs: "environment"
  OIDCStripCookies: "mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1"
logout_redirect: '/oidc?logout=https%3A%2F%2Fyourserver.edu'
# We kept the defaults for many of the other OIDC components like
# oidc_state_max_number_of_cookies: "10 true"
```
Again, if you set the oidc_uri then you must go into the Google API console, choose your OpenOnDemand credential and add https://<yourserver>/oidc to the Authorized redirect URIs section.
Create a script to map the user returned from Google to an actual Linux user. Since we decided to do it based on the user email our script looks like:
```bash
#!/bin/bash
# Initially we had @school.edu as part of the regular expression
# But the script failed and the error indicated that instead of @,
# %40school.edu was being returned from Google
REX="([^@]+)\%40school.edu"
INPUT_USER="$1"
if [[ $INPUT_USER =~ $REX ]]; then
  MATCH="${BASH_REMATCH[1]}"
  echo "$MATCH" | tr '[:upper:]' '[:lower:]'
else
  # can't write to standard out or error, so let's use syslog
  logger -t 'ood-mapping' "cannot map $INPUT_USER"
  # and exit 1
  exit 1
fi
```
Rebuild the portal and restart httpd (or whatever you are running). Then browse to your server and you should be asked to log in through Google (or, if you are already logged in, it should redirect you back to your OOD server).
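A stricter variant of the mapping script above, added here as an example and not the original poster's script. It accepts both the `@` and `%40` spellings of the email claim, compares the domain exactly (case-insensitively) instead of matching an unanchored regex, restricts the derived name to a conservative character set, and only returns names that exist as local accounts; anything else is logged to syslog and rejected, as in the original. The domain `school.edu`, the `ALLOWED_DOMAIN` variable and the `map_user` / `local_user_exists` helper names are placeholders and assumptions of this example.

```sh
#!/bin/sh
# Added example, not the original poster's script. Assumptions (placeholders):
# the accepted domain is school.edu (override with ALLOWED_DOMAIN) and the
# script is installed at the path given in user_map_cmd.

ALLOWED_DOMAIN="${ALLOWED_DOMAIN:-school.edu}"

# map_user EMAIL: print the local account name derived from the email claim,
# or return 1 if the value cannot be mapped safely.
map_user() {
    input=$1
    # mod_auth_openidc hands the claim over with '@' encoded as %40 (as the
    # original poster observed); accept both spellings.
    email=$(printf '%s' "$input" | sed 's/%40/@/g')
    local_part=${email%@*}
    domain=${email##*@}
    # No '@' at all: nothing to map.
    [ "$local_part" != "$email" ] || return 1
    # Compare the whole domain, case-insensitively, rather than an unanchored
    # regex, so "alice@school.edu.example.org" is not mapped to alice.
    domain_lc=$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')
    [ "$domain_lc" = "$ALLOWED_DOMAIN" ] || return 1
    user=$(printf '%s' "$local_part" | tr '[:upper:]' '[:lower:]')
    # Only a conservative local-account charset is allowed through.
    case $user in
        ''|*[!a-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$user"
}

# local_user_exists NAME: succeed only if NAME is a real local account.
local_user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# Entry point for OnDemand: stdout must carry only the mapped name, so
# failures go to syslog and exit 1, as in the original script.
main() {
    if mapped=$(map_user "$1") && local_user_exists "$mapped"; then
        printf '%s\n' "$mapped"
    else
        logger -t 'ood-mapping' "cannot map $1"
        exit 1
    fi
}

# Only act when an argument is given (the script can also be sourced).
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Install it at the path configured in `user_map_cmd`, mark it executable, and try it by hand with a few inputs (`./user_mapping.sh 'alice%40school.edu'`) before rebuilding the portal; the local-account check means a Google login for an email with no matching Linux user is refused rather than mapped to something unexpected.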