Dex with Google Authentication

I’m trying to setup authentication with Dex and google authentication. I used the following to try to piece together the proper settings in ood_portal.yml

Dex documentation


Google documentation

However when I browse to https://myserver:5554/auth I get Invalid client_id (“”)
I can verify the SSL configuration is fine because when I browse to the .well-known/openid-configuration
for my server it properly displays the information.

My configuration for auth/dex in ood_portal.yml looks like:

# List of Apache authentication directives
# NB: Be sure the appropriate Apache module is installed for this
# Default: (see below, uses OIDC auth with Dex)
  - 'AuthType openid-connect'
  - 'Require valid-user'

# Dex configurations, values inside the "dex" structure are directly used to configure Dex
# If the value for "dex" key is false or null, Dex support is disabled
# Dex support will auto-enable if ondemand-dex package is installed
  # Default based on if ssl key for ood-portal-generator is defined
  ssl: true
  # Only used if SSL is disabled
#  http_port: "5556"
  # Only used if SSL is enabled
#  https_port: "5554"
  # tls_cert and tls_key take OnDemand configured values for ssl and copy keys to /etc/ood/dex maintaining file names
#  tls_cert: null
#  tls_key: null
#  storage_file: /etc/ood/dex/dex.db
#  grpc: null
#  expiry: null
   # Client ID, defaults to servername or FQDN
  client_name: OnDemand
  # Client secret, value auto generated
  # A value that is a filesystem path can be used to store secret in a file
  client_secret: /etc/ood/dex/ondemand.secret
   # The OnDemand redirectURI is auto-generated, this option allows adding additional URIs
#  client_redirect_uris: []
# Additional Dex OIDC clients to configure
#  static_clients: []
  # The following example is to configure OpenLDAP
  # Docs:
    - type: google
      id: google
      name: Google
         clientID: /etc/ood/dex/
         clientSecret: /etc/ood/dex/ondemand.secret

Any help would be greatly appreciated

Hello and welcome!

Sorry for the troubles. I wanted to check first that you are also using the install docs for OIDC here:

That said, our docs only cover LDAP and I know nothing around google’s product offerings for this.

@jeff.ohrstrom or @gbyrket would either of you have knowledge about this?

I assume you’ve already setup the Google OAuth client. We may hardcode/expect some defaults for Dex so it may not work for you at all to run this through Dex.

I’d suggest you use oidc directly instead of using Dex.

I actually did this years ago and just looked mine up. When you setup a client, they give you an ID and a secret

Then configure apache to use those 2

And googles metadata url.

oidc_provider_metadata_url: ""

It’s fairly straightforward from there. Google’s just like any other OIDC provider, especially after you obtain a secret, id and know the metadata url.

Then of course you need to map the google users back to your local users. google will return a strange google account id for a user and you’ll have to map it to a Linux user.

Yes that’s the documentation I’m using


Thanks for that info. I’ll work through that and update the ticket as necessary


Thank you for your assistance. I was able to get this working based on the suggestions provided from Jeff. For anyone else who may want to set this up here our solution:

  1. Setup a new Oath2 client through the Google API console based on step 1 and 2 of these instructions
    Google APi instructions
  2. After creating the new client ID, click on it and add server to the section labeled Authorized JavaScript origins. Note that I believe the server address must use HTTPS. If you use a special port then you must include the port as well
  3. Configure ood_portal.yml to use OIDC only (no Dex) as follows:
  - 'AuthType openid-connect'
  - 'Require valid-user'

# Script to map users.
user_map_cmd: 'etc/ood/config/'

# Must use this one for Google
oidc_provider_metadata_url: ""

# Use values generated by Google API in step 1 above
oidc_client_secret: GOPHER-encs87fgdgshWxX9b4TBBy-F

# If using this then in the Google API console for your client 
# You need to add: https://<yourserver>/oidc under the Authorized redirect URIs section
oidc_uri: '/oidc'

oidc_scope: "openid profile email"

# We used email to make it easier to map our users to a Linux user since we
# didn't have a good way to map the Google ID number 
oidc_remote_user_claim: email

  OIDCPassIDTokenAs: "serialized"
  OIDCPassRefreshToken: "On"
  OIDCPassClaimsAs: "environment"
  OIDCStripCookies: "mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1"

logout_redirect: '/oidc?'

# We kept the defaults for many of the other OIDC components like
# oidc_state_max_number_of_cookies: "10 true"

Again if you set the oidc_uri then you must go into the Google API, choose your OpenOnDemand credential and add https:///oidc to the Authorized redirect URIs section

  1. Create a script to map the user returned from Google to an actual Linux user. Since we decided to do it based on the user email our script looks like:

# Initially we had as part of the regular expression
# But the script failed and the error indicated that instead of @,
# was being returned from Google

if [[ $INPUT_USER =~ $REX ]]; then
  echo "$MATCH" | tr '[:upper:]' '[:lower:]'
  # can't write to standard out or error, so let's use syslog
  logger -t 'ood-mapping' "cannot map $INPUT_USER"

  # and exit 1
  exit 1
  1. Rebuild the portal, restart httpd (or whatever you are running). Then browse to your server and you should be asked to login through Google (or if you are already logged in it should redirect you back to your OOD server)

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.