Google OpenID

The following guide helps you deploy a Google OpenID configuration as the authentication provider for Pyramid. Google is not that different from generic OpenID, but there are some key aspects that are unique to it.

Note: This feature is available with Enterprise licensing only.

Google OpenID Setup

Setup new OpenID Project

Go to the Google Cloud Console: https://console.cloud.google.com/

Here, create a Project (or select an existing one)

Click the project dropdown at the top > New Project

Give it a name, then click Create

Enable OAuth Consent

Go to the sidebar > APIs & Services > OAuth consent screen.

Make sure that the user type is set to External in the Audience tab.

Fill out the app name, support email, and authorized domain (e.g. yourapp.com)

Save and continue. Skip "Scopes" unless it is needed.

Create OAuth 2.0 Credentials

Go to APIs & Services > Credentials

Then click on "+ Create Credentials" > OAuth client ID

Then choose Web Application as the application type.

Set the name.

JavaScript Origins

Optionally add authorized JavaScript origins by adding:

  • http://localhost:3000
  • https://yourdomain.com

This is required if you're using the "popup" flow. It should not be needed for redirect-based flows.

Set Redirect URIs

Next click “Create” and you should see:

• Client ID

• Client Secret

You also have an option to download the credentials as a JSON.

Setting the provider up in Pyramid

Open the authentication manager in the Pyramid admin console (Pyramid Admin > Security > Authentication) and click the Change Provider button.

Take all the setup information from the previous steps to fill in this form:

  • Endpoint URL - this setting is global for all Google projects; it should look like this: https://accounts.google.com/o/oauth2/v2/auth
  • Client ID - you can get it from the JSON you downloaded.
  • Redirect URL - you can get it from the JSON you downloaded.
  • Logout URL - you can get it from the JSON you downloaded.
  • JSON Web Keys URI - Google uses a global URL to hold its keys; this is the URL: https://www.googleapis.com/oauth2/v3/certs
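To make clear what these five settings are used for during a login, here is an added example of the redirect-based OpenID Connect exchange that a relying party such as Pyramid performs. This is illustrative code written for this page, not Pyramid's implementation. The authorization endpoint and JWKS URI are the real Google URLs quoted above; the client ID, redirect URL, JWKS document and ID-token payload are constructed placeholders. It shows why the Redirect URL must match the registered value exactly, what the state and nonce values protect against, how the key for signature checking is selected from the JWKS document by key ID, and which claim checks follow a successful signature check. The signature check itself is left out so the block runs offline with the standard library only.

```python
"""Added example: what a relying party does with the Google OpenID settings.

Assumptions: CLIENT_ID, REDIRECT_URI, the JWKS document and the ID-token
claims are constructed placeholders. Signature verification against the JWKS
key is not performed here; validate_id_token_claims() is the step that
follows it.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"   # "Endpoint URL"
JWKS_URI = "https://www.googleapis.com/oauth2/v3/certs"           # "JSON Web Keys URI"
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")

# Constructed placeholders (not real credentials).
CLIENT_ID = "placeholder-client-id.apps.googleusercontent.com"
REDIRECT_URI = "https://yourdomain.com/oidc/callback"


def build_auth_request(client_id, redirect_uri, state=None, nonce=None):
    """Build the URL the browser is sent to at AUTH_ENDPOINT.

    state binds the callback to this browser session; nonce binds the ID token
    to this login attempt. Both are random, single-use values kept server-side.
    """
    state = state or secrets.token_urlsafe(32)
    nonce = nonce or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must equal the registered URI exactly
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state, nonce


def parse_callback(callback_url, expected_state, registered_redirect_uri):
    """Validate the redirect back from Google and return the authorization code.

    Rejects a callback delivered to any URI other than the registered one, a
    callback carrying a provider error, and a state value we did not issue
    (login CSRF / replayed callback).
    """
    parsed = urlparse(callback_url)
    base = parsed._replace(query="", fragment="").geturl()
    if base != registered_redirect_uri:
        raise ValueError("callback arrived at an unregistered redirect URI")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not issued by this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def select_jwk(jwks_document, kid):
    """Pick the signing key advertised at JWKS_URI whose key ID matches the
    'kid' in the ID token header. Returns None if Google is not advertising
    that key (token is then rejected rather than trusted)."""
    for key in jwks_document.get("keys", []):
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    return None


def validate_id_token_claims(claims, client_id, expected_nonce, now=None):
    """Claim checks applied to an ID-token payload whose signature has already
    been verified with the key from select_jwk(). Returns (ok, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    if (client_id not in aud) if isinstance(aud, list) else (aud != client_id):
        return False, "audience mismatch: token was issued for another client"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch: token not bound to this login attempt"
    return True, "ok"


if __name__ == "__main__":
    url, state, nonce = build_auth_request(CLIENT_ID, REDIRECT_URI)
    print("redirect browser to:", url)
    # Constructed callback as the browser would deliver it after consent.
    code = parse_callback(f"{REDIRECT_URI}?code=constructed-code&state={state}",
                          state, REDIRECT_URI)
    print("authorization code:", code)
```

The same claim checks apply to whatever flow the provider uses; the JWKS lookup by `kid` is why the JSON Web Keys URI is a fixed Google URL rather than a per-project value, and why a token signed with a key that document does not list must be rejected.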

User Provisioning Setup

The Google OpenID provider can be used for auto provisioning in Pyramid. See the user provisioning documentation for more details.

Save your changes

Click Apply to start the provider change-over process. At this stage, the existing users attached to the previous authentication system need to be converted over.

Admins will be prompted to either:

  • Delete all existing users and delete their content
  • Convert old users to the new provider (through the user conversion wizard), and keep their content

Since this exercise cannot be rolled back once the changes are committed, admins need to step through it carefully.