I’m trying to set up authentication with Dex and Google authentication. I used the following to try to piece together the proper settings in ood_portal.yml.
However, when I browse to https://myserver:5554/auth I get Invalid client_id (“”).
I can verify the SSL configuration is fine because when I browse to the .well-known/openid-configuration for my server it properly displays the information.
My configuration for auth/dex in ood_portal.yml looks like:
```yaml
# List of Apache authentication directives
# NB: Be sure the appropriate Apache module is installed for this
# Default: (see below, uses OIDC auth with Dex)
  - 'AuthType openid-connect'
  - 'Require valid-user'
# Dex configurations, values inside the "dex" structure are directly used to configure Dex
# If the value for "dex" key is false or null, Dex support is disabled
# Dex support will auto-enable if ondemand-dex package is installed
# Default based on if ssl key for ood-portal-generator is defined
# Only used if SSL is disabled
# http_port: "5556"
# Only used if SSL is enabled
# https_port: "5554"
# tls_cert and tls_key take OnDemand configured values for ssl and copy keys to /etc/ood/dex maintaining file names
# tls_cert: null
# tls_key: null
# storage_file: /etc/ood/dex/dex.db
# grpc: null
# expiry: null
# Client ID, defaults to servername or FQDN
# Client secret, value auto generated
# A value that is a filesystem path can be used to store secret in a file
# The OnDemand redirectURI is auto-generated, this option allows adding additional URIs
# client_redirect_uris:
# Additional Dex OIDC clients to configure
# static_clients:
# The following example is to configure OpenLDAP
# Docs: https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md
  - type: google
```
Any help would be greatly appreciated.
Hello and welcome!
Sorry for the troubles. I wanted to check first that you are also using the install docs for OIDC here:
That said, our docs only cover LDAP and I know nothing about Google’s product offerings for this.
@jeff.ohrstrom or @gbyrket would either of you have knowledge about this?
I assume you’ve already set up the Google OAuth client. We may hardcode/expect some defaults for Dex, so it may not work for you at all to run this through Dex.
I’d suggest you use OIDC directly instead of using Dex.
I actually did this years ago and just looked mine up. When you set up a client, they give you an ID and a secret.
Then configure Apache to use those two and Google’s metadata URL.
It’s fairly straightforward from there. Google’s just like any other OIDC provider, especially after you obtain a secret, an ID and know the metadata URL.
Then of course you need to map the Google users back to your local users. Google will return a strange Google account ID for a user and you’ll have to map it to a Linux user.
Yes, that’s the documentation I’m using.
Thanks for that info. I’ll work through that and update the ticket as necessary.
Thank you for your assistance. I was able to get this working based on the suggestions provided by Jeff. For anyone else who may want to set this up, here is our solution:
- Set up a new OAuth2 client through the Google API console based on steps 1 and 2 of these instructions:
Google API instructions
- Configure ood_portal.yml to use OIDC only (no Dex) as follows:
```yaml
  - 'AuthType openid-connect'
  - 'Require valid-user'
# Script to map users.
# Must use this one for Google
# Use values generated by Google API in step 1 above
# If using this then in the Google API console for your client
# You need to add: https://<yourserver>/oidc under the Authorized redirect URIs section
oidc_scope: "openid profile email"
# We used email to make it easier to map our users to a Linux user since we
# didn't have a good way to map the Google ID number
OIDCStripCookies: "mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1"
# We kept the defaults for many of the other OIDC components like
# oidc_state_max_number_of_cookies: "10 true"
```
Again, if you set the oidc_uri then you must go into the Google API console, choose your OpenOnDemand credential and add https://<yourserver>/oidc to the Authorized redirect URIs section.
- Create a script to map the user returned from Google to an actual Linux user. Since we decided to do it based on the user email, our script looks like:
```bash
#!/usr/bin/env bash
# The INPUT_USER, REX and MATCH assignments were not in the posted fragment and are reconstructed here.
INPUT_USER="$1"
# Initially we had @school.edu as part of the regular expression
# But the script failed and the error indicated that instead of @,
# %40school.edu was being returned from Google
REX='^(.+)%40school\.edu$'
if [[ $INPUT_USER =~ $REX ]]; then
  MATCH="${BASH_REMATCH[1]}"
  echo "$MATCH" | tr '[:upper:]' '[:lower:]'
else
  # can't write to standard out or error, so let's use syslog
  logger -t 'ood-mapping' "cannot map $INPUT_USER"
  exit 1
fi
```
- Rebuild the portal, restart httpd (or whatever you are running). Then browse to your server and you should be asked to login through Google (or if you are already logged in it should redirect you back to your OOD server)
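A fuller version of the mapping step, added here as an example and not the poster's own script, that handles both the percent-encoded address Google returned in this thread and a plain one, anchors the match so a look-alike domain cannot slip through, and only maps to accounts that exist locally. It assumes (not confirmed by the thread) that Apache passes the identity as the first argument, that the script prints the Linux username on stdout, that a non-zero exit denies the login, and that the allowed domain is school.edu (ALLOWED_DOMAIN, a name chosen for this example). The ood_portal.yml key that points at the script is, as far as I recall, user_map_cmd; check the docs for your OnDemand version.

```shell
#!/usr/bin/env bash
# Added example, not the thread author's script: a user-mapping command for the
# OIDC-only setup described above. Assumed interface (not confirmed by the thread):
# Apache hands the identity Google returned as the first argument, the script prints
# the local Linux username on stdout, and a non-zero exit denies access.
# Assumed policy: only e-mail identities in ALLOWED_DOMAIN are accepted.

ALLOWED_DOMAIN="${ALLOWED_DOMAIN:-school.edu}"

# Google returned the address percent-encoded (user%40school.edu); decode it so
# one regular expression handles both the encoded and the plain form.
urldecode() {
  local data="${1//+/ }"
  printf '%b' "${data//%/\\x}"
}

# map_user IDENTITY -> prints the local username and returns 0, or prints
# nothing and returns 1 when the identity must not be mapped.
map_user() {
  local decoded local_part domain
  # Anchored on both ends with exactly one '@': "bob@school.edu.evil.com" and
  # "a@b@school.edu" are rejected rather than partially matched.
  local re='^([a-z0-9._-]+)@([a-z0-9.-]+)$'
  decoded="$(urldecode "$1" | tr '[:upper:]' '[:lower:]')"
  if [[ $decoded =~ $re ]]; then
    local_part="${BASH_REMATCH[1]}"
    domain="${BASH_REMATCH[2]}"
  else
    return 1
  fi
  # The domain check is the real authorization gate: "Require valid-user" lets
  # any Google account authenticate, so this script decides who gets in.
  [[ $domain == "$ALLOWED_DOMAIN" ]] || return 1
  printf '%s\n' "$local_part"
}

# Command-line entry point: additionally require that the local account exists,
# so a valid domain login without a Linux account is still denied. Skipped when
# the file is sourced or run without an argument.
if [[ ${BASH_SOURCE[0]} == "$0" && $# -gt 0 ]]; then
  if user="$(map_user "$1")" && getent passwd "$user" >/dev/null; then
    printf '%s\n' "$user"
    exit 0
  fi
  # stdout carries the mapping result, so the refusal goes to syslog instead
  logger -t 'ood-mapping' "cannot map '$1'"
  exit 1
fi
```

Run it by hand with the raw value Apache would pass, e.g. `./map_google_user.sh 'John.Doe%40school.edu'`, and confirm it prints `john.doe` only when that account exists in the passwd database; an address from another domain should print nothing and exit 1.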