Google+ OAuth 2.0 Login#
This document will explain how to use Gluu's gplus interception script to configure the Gluu Server to send users to Google for authentication.
- A Gluu Server (installation instructions);
- Google developer account with a unique ClientID and Secret.
Follow the steps below to configure the certificate authentication in the oxTrust Admin GUI.
Manage Custom Scripts>
Add Custom Scriptbutton
Fill in the form and add the Google External Authenticator Script.
Add custom properties.
Google Plus interception script requires some custom properties. Click on
Add custom properties button and add the following properties:
email, email, given_name, family_name,locale
uid,mail, givenName, sn,preferredLanguage
- gplus_client_secrets_file - It is a mandatory property that holds
the path to the application configuration file downloaded from Google
console for application. Let set that to
Setting Google App#
In order to call Google API's you will need to register as a developer and create client credentials. You can follow these instructions.
The first thing you'll need to do is create a Project on Google to obtain
client credentials. Click
Create project and enter your desired
Then click on your newly created project from the listing on the dashboard, and under the Credentials section, create a new OAuth 2.0 client ID.
Google will ask you to configure your consent screen, to add your logo and other information displayed to the user to authorize Google to release information.
Fill out the form...
origins. It should be the URI of your Gluu Server, e.g.:
Google will display the client-id and secret. Ignore that for now. Instead, download the JSON file which you are going to upload into your Gluu Server.
Edit the downloaded file and escape slashes. An example is provide below.
mygplus_client_secrets.jsonand move it in Gluu container inside
The last step is to enable Google+ API's:
- Navigate back to the Google API console
- Select project and enter project name
- Open new project
API & auth>
APImenu item in configuration navigation tree
1) gplus_deployment_type - Specify the deployment mode. It is an optional property. If this property isn't specified the script tries to find the user in the local LDAP by 'subject_identifier' claim specified in id_token. If this property has a 'map' value the script allows to map 'subject_identifier' to the local user account. If this property has an 'enroll' value the script adds a new user to the local LDAP with status 'active'. In order to map the IDP attributes to the local attributes it uses properties from both gplus_remote_attributes_list and gplus_local_attributes_list. The allowed values are map and enroll.
2) gplus_remote_attributes_list - Comma-separated list of attribute
names (user claims) that Google+ returns which map to local attributes
gplus_local_attributes_list property. It is mandatory only if
gplus_deployment_type is set to 'enroll'.
3) gplus_local_attributes_list - Comma-separated list of Gluu Server
LDAP attribute names that are mapped to Google user claims from the
gplus_remote_attributes_list property. It is mandatory only if
gplus_deployment_type is set to 'enroll'.
4) extension_module - Optional property to specify the full path of an external module that implements two methods:
# This is called when the authentication script initializes def init(conf_attr): # Code here return True/False # This is called after authentication def postLogin(conf_attr, user): # Code here return True # or return False
5) gplus_client_configuration_attribute - Optional property to
specify the client entry attribute name which can override
gplus_client_secrets_file file content. It can be used in cases when
all clients should use a separate
One simple way to test the configuration is to use oxTrust (using an incognito browser!). In oxTrust, navigate to
Manage Authentication >
Default Authentication Method and set the
oxTrust ACR field to the new custom authentication script, e.g.
After you logout and navigate back to the login page, you should be presented with a new login form that has the Google login button:
After clicking the Google login button, you are presented for authorization--Google needs to make sure its ok to release attributes to the Gluu Server:
If the script doesn't work, and you locked yourself out of oxTrust, don't worry! Refer to Reverting authentication method
If things go wrong, it can leave the sessions in your browser in a bad state. If things get really weird, remove the cookies in your browser for the hostname of your Gluu Server.