mirror of
https://github.com/Luzifer/nginx-sso.git
synced 2024-11-14 04:02:41 +00:00
Document Google Auth provider
parent
93998389f9
commit
86aff442ab
1 changed files with 25 additions and 0 deletions
|
@ -12,6 +12,31 @@ providers:
|
||||||
|
|
||||||
The configuration is quite simple: Create an application in Crowd, enter the Crowd URL and the application credentials into the config and you're done.
|
The configuration is quite simple: Create an application in Crowd, enter the Crowd URL and the application credentials into the config and you're done.
|
||||||
|
|
||||||
|
## Google oAuth2 (`google_oauth`)
|
||||||
|
|
||||||
|
This provider sends the user to Google for oAuth2 login using the configured consent screen and returns their identification afterwards as the user.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
providers:
|
||||||
|
google_oauth:
|
||||||
|
client_id: ""
|
||||||
|
client_secret: ""
|
||||||
|
redirect_url: "https://login.luzifer.io/login"
|
||||||
|
|
||||||
|
# Optional, defaults to no limitations
|
||||||
|
require_domain: "example.com"
|
||||||
|
# Optional, defaults to "user-id"
|
||||||
|
user_id_method: "full-email"
|
||||||
|
```
|
||||||
|
|
||||||
|
To obtain the `client_id` and `client_secret` create a new project in the [Google Cloud Console](https://console.cloud.google.com/) and under "API & Services" set up the oAuth2 consent screen. Afterwards create new oAuth2 credentials for your project.
|
||||||
|
|
||||||
|
The `redirect_url` **must** point back to the `/login` path of nginx-sso to complete the login process. With the `require_domain` parameter you can limit the users being allowed to sign in to users of a specific domain (useful for company internal portals with whitelisting for the company domain). For this the primary email address of the user is matched (in case your Google Apps account does have aliases set up an alias domain will not work).
|
||||||
|
|
||||||
|
By default the user identifier will be the `user-id`, which is a quite long numeric ID. When changing the primary domain or changing the name of the user this ID will not change and is therefore the safest possible variant. Also supported are the `user_id_method`s of `full-email` and `local-part` which both are derived from the users primary address. For the user `knut@example.com` the `full-email` will set the username to `knut@example.com` while `local-part` will set it to `knut`.
|
||||||
|
|
||||||
|
After a new user signed up you can point them to the `/debug` route in your nginx-sso instance and let them send you the displayed username (user ID) for assigning to ACLs.
|
||||||
|
|
||||||
## LDAP Auth (`ldap`)
|
## LDAP Auth (`ldap`)
|
||||||
|
|
||||||
The LDAP provider connects to a (remote) LDAP directory server and authenticates users against and reads groups from it.
|
The LDAP provider connects to a (remote) LDAP directory server and authenticates users against and reads groups from it.
|
||||||
|
|
Loading…
Reference in a new issue