
Google OIDC Configuration

Pro only

Configuration at Google

  1. Open Google Cloud Console and make sure the correct organization is selected.

  2. Use the search box to find and click "Create a Project".

  3. Enter Name, Organization and Location and click "Create".

  4. Search for and open "OAuth consent screen".

  5. Select "Internal" as "User Type" and click "Create". "Internal" limits sign-in to accounts of your own Google Workspace organization.

  6. Enter the "App information".

  7. Optional: Add an app logo.

  8. Enter the app domain information.

  9. Enter the developer contact information and click "Save and Continue".

  10. Add the scopes email, profile and openid (don't forget to click "Update").

  11. Click "Save and Continue" and verify your data.

  12. Go to "Credentials", click "Create Credentials" and select "OAuth client ID".

  13. Select "Web Application" as "Application type" and enter a name.

  14. Leave "Authorized JavaScript origins" empty; SysReptor does not need any.

  15. Enter the URL of your SysReptor installation with the path /login/oidc/google/callback as "Authorized redirect URI", i.e. <your-sysreptor-url>/login/oidc/google/callback. Google matches redirect URIs exactly, so scheme, host and port must be the ones your users reach SysReptor through.

  16. Click "Create".

You should now have the following values:

  • Client ID
  • Client secret

Cloud Setup


You are lucky. Just send the Client ID and Client secret from the previous steps to us and we'll take care of the rest 🥰

Self-Hosted Setup


The values from the previous steps need to be passed as environment variables to the SysReptor docker container. You can add them to <sysreptor-repository>/deploy/app.env:

OIDC_GOOGLE_CLIENT_ID=<google client id>
OIDC_GOOGLE_CLIENT_SECRET=<google client secret>

The OIDC client inside the SysReptor container needs an outbound HTTPS connection to Google (for OIDC discovery and for exchanging the authorization code for tokens). Make sure egress filtering or a proxy does not block this outgoing traffic.

Restart the docker container from <sysreptor-repository>/deploy:

docker compose up -d
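As an added example (not SysReptor code and not part of the original page), a small Python pre-flight script for the self-hosted steps above: it parses app.env, flags OIDC_GOOGLE_* values that are unset or still the documentation placeholder, derives the redirect URI that has to be registered at Google from your SysReptor base URL, and optionally fetches Google's OIDC discovery document to confirm that outbound connectivity works. The client-ID format check, the sample app.env contents and the host name sysreptor.example are assumptions made for this example.

```python
"""Pre-flight check for the Google OIDC settings of a self-hosted SysReptor.

Added example, not SysReptor code. Usage:
    python oidc_preflight.py deploy/app.env https://<your-sysreptor-url>
Without arguments it runs against the constructed SAMPLE_ENV below.
"""
import json
import re
import sys
import urllib.request

CALLBACK_PATH = "/login/oidc/google/callback"  # path from the setup steps above
# Standard location of Google's OIDC discovery document (fetched by the OIDC client)
GOOGLE_DISCOVERY_URL = "https://accounts.google.com/.well-known/openid-configuration"
# Assumption for this example: Google OAuth client IDs look like
# <digits>-<alphanumeric>.apps.googleusercontent.com; anything else is flagged
CLIENT_ID_RE = re.compile(r"^\d+-[a-z0-9]+\.apps\.googleusercontent\.com$")

# Constructed sample of deploy/app.env with made-up values
SAMPLE_ENV = """\
# other SysReptor settings omitted
OIDC_GOOGLE_CLIENT_ID=123456789012-abcdefghijklmnopqrstuvwxyz123456.apps.googleusercontent.com
OIDC_GOOGLE_CLIENT_SECRET=GOCSPX-not-a-real-secret
"""


def parse_env(text):
    """Parse KEY=VALUE lines of a docker env file; blank lines and # comments are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def redirect_uri(base_url):
    """Authorized redirect URI to register at Google for a SysReptor base URL."""
    return base_url.rstrip("/") + CALLBACK_PATH


def check_config(env, base_url):
    """Return a list of problems found; an empty list means the settings look usable."""
    problems = []
    for key in ("OIDC_GOOGLE_CLIENT_ID", "OIDC_GOOGLE_CLIENT_SECRET"):
        value = env.get(key, "")
        if not value or value.startswith("<"):  # unset, or the placeholder from the docs
            problems.append(f"{key} is missing or still a placeholder")
    client_id = env.get("OIDC_GOOGLE_CLIENT_ID", "")
    if client_id and not client_id.startswith("<") and not CLIENT_ID_RE.match(client_id):
        problems.append("OIDC_GOOGLE_CLIENT_ID does not look like a Google OAuth client ID")
    # Google accepts plain http only for localhost redirect URIs; a real deployment needs https
    if not base_url.startswith("https://"):
        problems.append("SysReptor must be reachable via https for the Google redirect URI")
    return problems


def google_reachable(timeout=5):
    """Network check: fetch the discovery document the OIDC client needs at login time."""
    with urllib.request.urlopen(GOOGLE_DISCOVERY_URL, timeout=timeout) as resp:
        doc = json.load(resp)
    return "authorization_endpoint" in doc and "token_endpoint" in doc


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as f:
            env_text = f.read()
        base = sys.argv[2]
    else:
        env_text, base = SAMPLE_ENV, "https://sysreptor.example"
    env = parse_env(env_text)
    issues = check_config(env, base)
    print("Redirect URI to register at Google:", redirect_uri(base))
    for issue in issues:
        print("PROBLEM:", issue)
    try:
        print("Google discovery endpoint reachable:", google_reachable())
    except OSError as exc:  # URLError and socket timeouts are OSErrors
        print("PROBLEM: cannot reach Google:", exc)
    sys.exit(1 if issues else 0)
```

Run it from the host before `docker compose up -d`; if you run it inside the container instead (for example via `docker compose exec`), the reachability check also tells you whether the container's egress path to Google is open, which is what the OIDC client actually depends on.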

Limitations

SysReptor reauthenticates users before critical actions: it requires them to enter their authentication details again (their password and, if configured, their second factor).

Google does not support enforced reauthentication. SysReptor's reauthentication therefore redirects to Google; if the user still has an active Google session, Google redirects them straight back without prompting for credentials, and SysReptor regards the reauthentication as successful. In practice, anyone who can use a user's still-authenticated browser session passes this step.

This is a limitation on Google's side.

To enforce reauthentication, users can set a password on their local SysReptor user. Critical actions then require the local user's credentials instead of a round trip to Google.