mirror of
https://github.com/Luzifer/nginx-sso.git
synced 2024-11-09 09:50:01 +00:00
Document Google Auth provider
parent
93998389f9
commit
86aff442ab
1 changed files with 25 additions and 0 deletions
@ -12,6 +12,31 @@ providers:
The configuration is quite simple: Create an application in Crowd, enter the Crowd URL and the application credentials into the config and you're done.
## Google oAuth2 (`google_oauth`)
This provider sends the user to Google for oAuth2 login using the configured consent screen and returns their identification afterwards as the user.
```yaml
providers:
google_oauth:
client_id: ""
client_secret: ""
redirect_url: "https://login.luzifer.io/login"
# Optional, defaults to no limitations
require_domain: "example.com"
# Optional, defaults to "user-id"
user_id_method: "full-email"
```
To obtain the `client_id` and `client_secret` create a new project in the [Google Cloud Console](https://console.cloud.google.com/) and under "API & Services" set up the oAuth2 consent screen. Afterwards create new oAuth2 credentials for your project.
The `redirect_url` **must** point back to the `/login` path of nginx-sso to complete the login process. With the `require_domain` parameter you can limit the users being allowed to sign in to users of a specific domain (useful for company internal portals with whitelisting for the company domain). For this the primary email address of the user is matched (in case your Google Apps account does have aliases set up an alias domain will not work).
By default the user identifier will be the `user-id`, which is a quite long numeric ID. When changing the primary domain or changing the name of the user this ID will not change and is therefore the safest possible variant. Also supported are the `user_id_method`s of `full-email` and `local-part` which both are derived from the users primary address. For the user `knut@example.com` the `full-email` will set the username to `knut@example.com` while `local-part` will set it to `knut`.
After a new user signed up you can point them to the `/debug` route in your nginx-sso instance and let them send you the displayed username (user ID) for assigning to ACLs.
## LDAP Auth (`ldap`)
The LDAP provider connects to a (remote) LDAP directory server and authenticates users against and reads groups from it.
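Review bot: the `user_id_method: "local-part"` option described in the paragraph on user identifiers should carry a warning that it is only safe together with `require_domain`. Without a domain restriction, `local-part` strips the domain from the primary address, so `knut@example.com` and a `knut@` account in any other domain both become the username `knut` and share the same ACL entries; the default `user-id` and `full-email` do not have this collision. Suggested sentence after the `local-part` example: "When using `local-part` you should always set `require_domain`, as otherwise users from different domains with the same local part would be treated as the same user." Two smaller points: the example `redirect_url` uses a real host (`https://login.luzifer.io/login`) where a placeholder matching the `require_domain: "example.com"` example would be clearer, and the product name is spelled "OAuth2" (the `oAuth2` in the heading and body looks like a typo).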