Google Authenticator
The Google Authenticator uses OpenID Connect to authenticate using Google accounts. To use it, you need to configure certain things in Google. The steps to do this are described below.
Configuring Google
To use Google accounts in the Authentication Service, you need to register it as an OAuth client in Google. To do this, add a new client in the Google Developer Console.
Create a new Project
In the Google Developer Console, click Create project. For step-by-step instructions on how to create a project, refer to the Google Developer Console Help.

Give your project a name, for instance CurityLogin.

Click Create.
Configure the Consent Screen
When a user chooses to log in to the Authentication Service using their Google account, Google will show them a web page asking for their consent to share certain Google-related user data with the client. How this page looks is also configurable in the Google Developer Console.
To begin with, click Enable and manage APIs to open the API Manager. (Refer to the Setting up OAuth 2.0 section of the Google Developer Console Help for in-depth instructions.)

In the API Manager, you will find a list of all of Google’s APIs. The Authentication Service will not access any Google APIs; only credentials are needed. So you need not search for any APIs or browse through them.

Instead, click Credentials on the left side of the screen.

Then, click the OAuth Consent Screen tab.

Only Product name shown to users is mandatory, but fill in as many fields as you like.
Click Save.
This is the only page on which you can show the user that it is your system that is prompting them to authenticate, so add as much detail as needed to make the user comfortable continuing.
Add Credentials
Now click New credentials, and choose to create an OAuth client ID.

In this section of the setup:
- Choose Web Application;
- Add a name for the client, for instance Curity;
- The Authentication Service does not use JavaScript for OpenID Connect, so you can leave Authorized JavaScript origins empty;
- Add the redirect URI as described in The Redirect URI section below; and
- Click Create.

The new client ID and secret will be displayed. These are the credentials you need to configure the Authentication Service. Take note of them.

If you lose your client ID and secret, you can download them from Google again at any point.
The Redirect URI
The redirect URI is the URI to which Google will redirect the user when the authentication is done. The URI that the Authentication Service uses is generated automatically based on configuration, and is the path to the authenticator with /callback appended. This last part of the path is only used in the communication between the Authentication Service and Google and cannot be changed, whereas the preceding components of the path can.
The form is like this:
<base-url>/<authentication-endpoint>/<authenticator-id>/callback
For example, for a server running on server1.local over https on port 8443, with an authentication endpoint configured as /authn/authenticate and a Google authenticator instance called google1, the redirect URI would be:
https://server1.local:8443/authn/authenticate/google1/callback
Configuration in the Authentication Service
The general authenticator configuration is described under authenticator configuration. This section describes the additional parameters that are available for the Google authenticator.
Authenticator base is **/profiles/profile{id type}/settings/authentication-service/authenticators/**
client_id: The OAuth 2 client ID that is registered at Google (type: string, mandatory)
client_secret: The OAuth 2 client secret that is registered at Google (type: string, mandatory)
scope: The scopes to ask Google for, as a space-separated list (type: string)
clock_skew: The allowed clock skew in seconds when validating the login token from Google (type: uint32, default: 60)
map-to-subject: If another claim should be used as the subject, name it here (type: string)
Example:
<authenticator xmlns="https://curity.se/ns/conf/profile/authentication">
    <id>google1</id>
    <google xmlns="https://curity.se/ns/conf/authenticators/google">
        <client-secret>$S3Cr3T</client-secret>
        <client-id>my-client-id.apps.googleusercontent.com</client-id>
    </google>
</authenticator>
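As an added illustration (not Curity's own code), the following shows which checks on Google's login token the clock_skew and map-to-subject settings above govern. It assumes the token's signature has already been verified against Google's keys, and the claim values are constructed samples; the subject-claim handling and the email_verified check are the author's own illustrative choices, not a description of the Authentication Service internals.

```python
# Added example: claim checks on a Google ID token driven by the clock_skew
# and map-to-subject settings. Signature verification is assumed done.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


class TokenValidationError(Exception):
    pass


def validate_login_token_claims(claims, client_id, now, clock_skew=60, map_to_subject=None):
    """Check iss/aud/exp/iat of a signature-verified ID token and return the
    subject to use. clock_skew is seconds of tolerance (page default: 60);
    map_to_subject names an alternative claim, or None to keep 'sub'."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise TokenValidationError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenValidationError("token was not issued for this client_id")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        raise TokenValidationError("exp and iat are required")
    if now > exp + clock_skew:  # expired, even after allowing for skew
        raise TokenValidationError("token expired")
    if iat > now + clock_skew:  # issued "in the future" beyond the skew
        raise TokenValidationError("token issued in the future")
    subject_claim = map_to_subject or "sub"
    subject = claims.get(subject_claim)
    if not subject:
        raise TokenValidationError(f"missing subject claim {subject_claim!r}")
    # Google's email is only a safe identifier when Google marks it verified.
    if subject_claim == "email" and claims.get("email_verified") is not True:
        raise TokenValidationError("email is not verified by Google")
    return subject


# Constructed sample claims for a token issued to the client in the XML above.
CLIENT_ID = "my-client-id.apps.googleusercontent.com"
NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": CLIENT_ID,
    "sub": "123456789012345678901",
    "email": "alice@example.com",
    "email_verified": True,
    "iat": NOW - 120,
    "exp": NOW - 30,  # expired 30 s ago: accepted only because of clock_skew
}

if __name__ == "__main__":
    print(validate_login_token_claims(SAMPLE_CLAIMS, CLIENT_ID, NOW))
    print(validate_login_token_claims(SAMPLE_CLAIMS, CLIENT_ID, NOW, map_to_subject="email"))
```

With clock_skew=0 the same sample token is rejected as expired, which is the trade-off the setting controls.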