Google OpenID
The following guide helps you deploy a Google OpenID configuration as the authentication provider for Pyramid. Google is not that different from generic OpenID, but there are some key aspects that are unique to it.
Note: This feature is only available with Enterprise licensing.
Google OpenID Setup
Setup new OpenID Project
Go to the Google Cloud Console: https://console.cloud.google.com/
Here, do one of the following:
- Create a new project, by clicking the project drop-down at the top of the page and selecting New Project. Give your new project a name, then click Create.
- Select an existing project.
Enable OAuth Consent
Go to the sidebar and select APIs & Services > OAuth Consent screen.
Make sure that the user type is set to External in the Audience tab.
Fill out the app name, support email, and authorized domain (for example, yourapp.com).
Save and continue. Skip "Scopes" unless it is needed.
Create OAuth 2.0 Credentials
Go to APIs & Services > Credentials:
Then click + Create Credentials and select OAuth client ID:
Choose Web Application as the application type.
Set the name.
JavaScript Origins
Optionally add authorized JavaScript origins by adding:
- http://localhost:3000
- https://yourdomain.com
This is required if you're using the "pop up" flow. It should not be needed for redirect-based flows.
Set Redirect URIs
Next click “Create” and you should see:
- Client ID
- Client Secret
You also have the option to download the credentials as a JSON file.
Setting the provider up in Pyramid
- In the Admin Console, click Security > Authentication.
- From the top-right of the page, click Change Provider.
The Authentication Provider page opens with the details of your current Authentication Provider displayed.
The Change Provider page opens. You will copy the details of your new authentication provider into this page, starting by selecting your Provider.
Take all the setup information from the previous steps to fill in this form:
- Endpoint URL - this setting is global for all Google projects; it should look like this: https://accounts.google.com/o/oauth2/v2/auth
- Client ID - you can get it from the JSON file you downloaded.
- Redirect URL - you can get it from the JSON file you downloaded.
- Logout URL - you can get it from the JSON file you downloaded.
- JSON Web Keys URI - Google uses a global URL to hold its signing keys; this is the URL: https://www.googleapis.com/oauth2/v3/certs
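As an added illustration (not Pyramid's own code), the following Python sketch shows what a relying party does with the two global Google URLs above: it builds the authorization request sent to the Endpoint URL with a state and nonce, and it checks the ID token that comes back against the client ID, the Google issuer, the expiry, the nonce, and a signing key selected by `kid` from a JWKS document shaped like the one served at the JSON Web Keys URI. The client ID, redirect URL, JWKS entry and token used here are constructed placeholders, and the RS256 signature check itself is left to a JOSE library.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode

# Global Google values from the provider form above (same for every project).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
JWKS_URI = "https://www.googleapis.com/oauth2/v3/certs"
# Google issues ID tokens under either issuer string; both must be accepted.
VALID_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

def build_auth_request(client_id, redirect_uri):
    """Return (url, state, nonce) for the redirect to the Endpoint URL.
    state ties the callback to this browser session; nonce is echoed inside
    the ID token so a token captured elsewhere cannot be replayed here."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "openid email profile",
              "state": state, "nonce": nonce}
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state, nonce

def _b64url_json(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def validate_id_token(id_token, client_id, expected_nonce, jwks, now=None):
    """Return the claims if the relying-party checks pass, else raise ValueError.
    jwks is the document fetched from JWKS_URI; only the key lookup by kid is
    shown here, the RS256 signature check itself belongs to a JOSE library."""
    header, payload, _signature = id_token.split(".")
    hdr, claims = _b64url_json(header), _b64url_json(payload)
    keys = {k["kid"]: k for k in jwks["keys"] if k.get("use", "sig") == "sig"}
    if hdr.get("alg") != "RS256" or hdr.get("kid") not in keys:
        raise ValueError("unknown signing key or algorithm")
    if claims.get("iss") not in VALID_ISSUERS:
        raise ValueError("issuer is not Google")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued to a different client ID")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims

def make_unsigned_token(claims, kid="key-1"):
    """Constructed token for offline demonstration only; a real token is signed."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f'{enc({"alg": "RS256", "kid": kid, "typ": "JWT"})}.{enc(claims)}.sig'
```

In a live deployment the JWKS document is refreshed from JWKS_URI because Google rotates its keys, and every check above runs before the `sub`, `email` or other claims are trusted for provisioning.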
User Provisioning Setup
The Google OpenID provider can be used for auto provisioning in Pyramid. If you want to use auto provisioning, you will need to set up the app and then specify its settings on the Provider Provisioning tab (green arrow above). For more information, see Google User Provisioning.
Save your changes
Click Apply to start the provider change-over process. At this stage, the existing users (attached to the previous authentication system) need to be converted over.
Admins will be prompted to either:
- Delete all existing users and their local content. When users are deleted by this process, all their private data (the discoveries, publications, and so on that are stored in their My Content Folder) is "soft deleted." Soft deleted files are moved into the Deleted users content folder and can be restored by an admin if needed.
- Convert old users to the new provider (through the user conversion wizard), and keep their content.
Since this exercise cannot be rolled back once the changes are committed, admins need to step through this exercise carefully.
- Click here for a detailed explanation and walkthrough of User Conversion