Google Single Sign-On
Create an OAuth client in the Google API Console
To use Google as an IdP for Single Sign-On, you will first need to create an OAuth web application in the Google API Console.
1. Open the Credentials page in the API Console.
2. Click Create credentials > OAuth client ID.
3. Select Web application and give it a name.
4. Under Restrictions, fill in the Authorized redirect URIs with http(s)://{{AMBASSADOR_URL}}/.ambassador/oauth2/redirection-endpoint
5. Click Create.
6. Record the client ID and client secret in the pop-up window. You will need these when configuring Ambassador Edge Stack.
Set up Ambassador Edge Stack
After creating an OAuth client in Google, configuring Ambassador Edge Stack to make use of it for authentication is simple.
1. Create an OAuth Filter with the credentials from above:

```yaml
apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: google
spec:
  OAuth2:
    # Google openid-configuration endpoint can be found at https://accounts.google.com/.well-known/openid-configuration
    authorizationURL: https://accounts.google.com
    # Client ID from step 6 above
    clientID: CLIENT_ID
    # Secret created in step 6 above
    secret: CLIENT_SECRET
    # The protectedOrigin is the scheme and Host of your Ambassador endpoint
    protectedOrigins:
    - origin: http(s)://{{AMBASSADOR_URL}}
```

2. Create a FilterPolicy to use the Filter created above:

```yaml
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
  name: azure-policy
spec:
  rules:
    # Requires authentication on requests from any hostname
  - host: "*"
    # Tells Ambassador Edge Stack to apply the Filter only on requests to the quote /backend/get-quote/ endpoint
    path: /backend/get-quote/
    # Identifies which Filter to use for the path and host above
    filters:
    - name: google
```

3. Apply both the Filter and FilterPolicy above with kubectl:

```
kubectl apply -f google-filter.yaml
kubectl apply -f google-policy.yaml
```
Now any requests to https://{{AMBASSADOR_URL}}/backend/get-quote/ will require authentication from Google.
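
Google compares redirect URIs exactly, so a mismatch between the Authorized redirect URIs entered in the console and the Filter's protectedOrigins breaks the login flow. The following pre-apply check is an added example, not part of the Ambassador Edge Stack documentation; the hostname ambassador.example.com, the function names and the sample data are constructed for illustration, and the manifests are shown as already-parsed dictionaries.

```python
from urllib.parse import urlsplit

# Callback path from the redirect URI step above.
REDIRECT_PATH = "/.ambassador/oauth2/redirection-endpoint"

def expected_redirect_uris(filter_manifest):
    """One redirect URI per protectedOrigins entry of an OAuth2 Filter."""
    origins = filter_manifest["spec"]["OAuth2"]["protectedOrigins"]
    return [o["origin"].rstrip("/") + REDIRECT_PATH for o in origins]

def lint(filter_manifest, policy_manifest, registered_uris):
    """Return findings as strings; an empty list means the pieces agree."""
    findings = []
    for uri in expected_redirect_uris(filter_manifest):
        if urlsplit(uri).scheme != "https":
            findings.append(f"{uri}: authorization code returns over cleartext http")
        if uri not in registered_uris:  # Google matches redirect URIs exactly
            findings.append(f"{uri}: missing from Authorized redirect URIs")
    name = filter_manifest["metadata"]["name"]
    for rule in policy_manifest["spec"]["rules"]:
        for ref in rule.get("filters") or []:
            if ref["name"] != name:  # assumes Filter and policy share a namespace
                findings.append(f"{rule['host']}{rule['path']}: unknown Filter {ref['name']!r}")
    return findings

# Constructed sample data: manifests as yaml.safe_load would return them.
SAMPLE_FILTER = {
    "kind": "Filter",
    "metadata": {"name": "google"},
    "spec": {"OAuth2": {
        "authorizationURL": "https://accounts.google.com",
        "protectedOrigins": [{"origin": "https://ambassador.example.com"}],
    }},
}
SAMPLE_POLICY = {
    "kind": "FilterPolicy",
    "metadata": {"name": "azure-policy"},
    "spec": {"rules": [
        {"host": "*", "path": "/backend/get-quote/", "filters": [{"name": "google"}]},
    ]},
}
# Constructed: what was typed into the Google console, with a stray trailing slash.
SAMPLE_REGISTERED = ["https://ambassador.example.com/.ambassador/oauth2/redirection-endpoint/"]

if __name__ == "__main__":
    for finding in lint(SAMPLE_FILTER, SAMPLE_POLICY, SAMPLE_REGISTERED):
        print(finding)
```

With the sample data, the stray trailing slash on the registered URI is reported as a missing redirect URI.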