Skip to main content

Integration guide: Google

You can integrate Google’s OpenID Connect implementation with Morio to act as an identity provider.

This allows people to use their Google account to authenticate to Morio. To do so, you need to configure an OpenID Connect identity provider with Google as the backing OpenID provider.

To do so requires configuring a project in Google’s console, and then using the details of that project to set up a new identity provider in Morio. You also need to ensure Morio can talk HTTPS to Google’s servers.

Ensure connectivity

For this to work, Morio needs access to Google’s servers on TCP port 443 (HTTPS).

Create an app in the Google Cloud Console

Create the project for the app

In the Google Cloud Console create a new project.

Create the app itself

  • Navigate to APIs & Services and click on OAuth Consent Screen
  • Set the user type to:
    • Internal if your organisation uses Google as its provider for email and other services, and you want to limit access to people inside that organisation.
    • External if you want to allow anyone with a Google account to authenticate.

The Edit App registration view will load, allowing you to further complete the configuration:

  • Under App Information:
    • App name: This will be shown to the user, so make it meaningful. Morio is always a good idea.
    • User support email: Select your email address, or the email address your users should use for support.
  • App Logo: You can upload a logo for the application. Might we suggest the Morio logo?
  • Under App Domain:
    • Set Application home page to the base URL of your Morio instance or cluster. For example: https://morio.my-company.com/
    • Set Application privacy policy to the same URL unless you have a specific privacy policy URL.
    • Set Application terms of service to the same URL unless you have a specific terms of service URL.
  • Under Authorised domain Add the top domain your Morio is hosted under. For example: my-company.com.
  • Under Developer contact information enter your email address.

When everything is filled in, click the Save and Continue button.

Configure the scopes for the app

Now the Scopes screen will load.

  • Click the Add or Remove Scopes button
  • Select the openid scope and click Update

With the openid scope added to Your non-sensitive scopes click the Save and Continue button.

Configure test users for your app

If this is a public app, your app will initially be published with a testing status during which time only pre-defined users can use (or test) the app.

Click the Add Users button and add your own Google email, or those of other users you want to be able to test that app.

Create an OAuth client ID

  • Click on Credentials and then click the Create Credentials button, and select OAuth Client ID from the drop down menu.
  • Under Application Type choose Web application
  • Give it a Name. This name is for display in the console, it will not be shown to users. Use morio when you’re not sure what to use.
  • Under Authorised redirect URIs:
    • Enter https://your-morio-fqdn/-/api/callback/oidc/google where your-morio-fqdn is the of your Morio instance, and google is the ID of the identity provider we will create below.
    • If you have more than 1 broker node, enter the URL for each node on its own line, and also add a line for a similar URL using the cluster .

Click the Create button to create the OAuth client ID.

Copy the Client ID and Client secret for use below.

NOTE

Your app is in test. You’ll need to submit it for review when you have verified everything is ok.

Create a new identity provider in Morio

Next, you need to add a new identity provider to Morio, specifically, an OpenID Connect identity provider.

Below is an example configuration:

iam:
  providers:
    google: # You can choose the ID of the oidc provider instance
     provider: oidc # You cannot choose this, it must always be `oidc`
     label: Google
     about: Use your Google account to sign in to Morio
     issuer: https://accounts.google.com
     client_id: 26757689274-oa88vhi2m6jq5g4vr1sjoi4qc2a5in82.apps.googleusercontent.com
      client_secret: "{{{ GOOGLE_OIDC_SECRET }}}"
      username_field: email
      rbac:
        user:
          attribute: email
          regex: .
        engineer:
          attribute: email
          list:
            - mario@morio.it
            - luigi@morio.it
  ui:
    visibility:
      # Use 'tab' to show the identity provider 
      # as a tab on the login page
      google: tab
    order:
      google: 1
secrets:
  GOOGLE_OIDC_SECRET: "Your client secret here"