Integration guide: Google
You can integrate Google’s OpenID Connect implementation with Morio to act as an identity provider.
This allows people to use their Google account to authenticate to Morio. To do so, you need to configure an OpenID Connect identity provider with Google as the backing OpenID provider.
To do so requires configuring a project in Google’s console, and then using the details of that project to set up a new identity provider in Morio. You also need to ensure Morio can talk HTTPS to Google’s servers.
Ensure connectivity
For this to work, Morio needs access to Google’s servers on TCP port 443 (HTTPS).
Create an app in the Google Cloud Console
Create the project for the app
In the Google Cloud Console, create a new project.
Create the app itself
- Navigate to APIs & Services and click on OAuth Consent Screen
- Set the user type to:
- Internal if your organisation uses Google as its provider for email and other services, and you want to limit access to people inside that organisation.
- External if you want to allow anyone with a Google account to authenticate.
The Edit App registration view will load, allowing you to further complete the configuration:
- Under App Information:
- App name: This will be shown to the user, so make it meaningful.
Morio
is always a good idea. - User support email: Select your email address, or the email address your users should use for support.
- App name: This will be shown to the user, so make it meaningful.
- App Logo: You can upload a logo for the application. Might we suggest the Morio logo?
- Under App Domain:
- Set Application home page to the base URL of your Morio instance or
cluster. For example:
https://morio.my-company.com/
- Set Application privacy policy to the same URL unless you have a specific privacy policy URL.
- Set Application terms of service to the same URL unless you have a specific terms of service URL.
- Set Application home page to the base URL of your Morio instance or
cluster. For example:
- Under Authorised domain Add the top domain your Morio is hosted under.
For example:
my-company.com
. - Under Developer contact information enter your email address.
When everything is filled in, click the Save and Continue button.
Configure the scopes for the app
Now the Scopes screen will load.
- Click the Add or Remove Scopes button
- Select the
openid
scope and click Update
With the openid
scope added to Your non-sensitive scopes click the Save
and Continue button.
Configure test users for your app
If this is a public app, your app will initially be published with a testing
status during which time only pre-defined users can use (or test) the app.
Click the Add Users button and add your own Google email, or those of other users you want to be able to test that app.
Create an OAuth client ID
- Click on Credentials and then click the Create Credentials button, and select OAuth Client ID from the drop down menu.
- Under Application Type choose Web application
- Give it a Name. This name is for display in the console, it will not be
shown to users. Use
morio
when you’re not sure what to use. - Under Authorised redirect URIs:
- Enter
https://your-morio-fqdn/-/api/callback/oidc/google
whereyour-morio-fqdn
is the of your Morio instance, andgoogle
is the ID of the identity provider we will create below. - If you have more than 1 broker node, enter the URL for each node on its own line, and also add a line for a similar URL using the cluster .
- Enter
Click the Create button to create the OAuth client ID.
Copy the Client ID and Client secret for use below.
Your app is in test. You’ll need to submit it for review when you have verified everything is OK.
Create a new identity provider in Morio
Next, you need to add a new identity provider to Morio, specifically, an OpenID Connect identity provider.
Below is an example configuration:
iam:
providers:
google: # You can choose the ID of the oidc provider instance
provider: oidc # You cannot choose this, it must always be `oidc`
label: Google
about: Use your Google account to sign in to Morio
issuer: https://accounts.google.com
client_id: 26757689274-oa88vhi2m6jq5g4vr1sjoi4qc2a5in82.apps.googleusercontent.com
client_secret: "{{{ GOOGLE_OIDC_SECRET }}}"
username_field: email
rbac:
user:
attribute: email
regex: .
engineer:
attribute: email
list:
- mario@morio.it
- luigi@morio.it
ui:
visibility:
# Use 'tab' to show the identity provider
# as a tab on the login page
google: tab
order:
google: 1
secrets:
GOOGLE_OIDC_SECRET: "Your client secret here"