OAuth 2.0 Authentication with Google
In this guide, you will learn how to authenticate yourself with Google.
Generate OAuth 2.0 client IDs
- In your project, go to API & Services > Credentials.
- Select CREATE CREDENTIALS and select OAuth Client ID.
- Give it a name.
- At Authorized JavaScript origins, add your URIs. This is your instance's complete URL. For example:
  https://my-enviroment.neptune-software.cloud
- At Authorized redirect URIs, add the following:
  https://my-enviroment.neptune-software.cloud/user/logon/oauth2/oauth2new/callback
  The folder name in the path between oauth2 and callback will be the Path you will define in the next section.
- Copy the following:
  - Client ID
  - Client secret
  - Authorized redirect URI
  These will be used in the next step.
Configure your authentication OAuth 2.0 provider in System Settings
- Add a new authentication and select OAuth2.
- Enable Active and Show on Login Page to have the authentication active and available in the login options.
- Add a meaningful Name, Description and Path. In this example, the path is oauth2new. Once the path is added, a folder will be created containing all OAuth 2.0 information.
- In Authorization URL, paste
  https://accounts.google.com/o/oauth2/v2/auth
- In Token URL, paste
  https://oauth2.googleapis.com/token
- In Callback URL, paste the previously copied Authorized redirect URI.
- In Redirect URL, paste
  https://<my-enviroment>.neptune-software.cloud/cockpit.html
- Paste the Client ID and Client Secret.
- In Scopes, add email. You can always add more or other scopes.
- In Profile Script, paste the following code:
    this._oauth2.get('https://www.googleapis.com/oauth2/v3/userinfo', accessToken, function (err, body, res) {
        // Stop if the userinfo request failed instead of parsing an empty body.
        if (err) return done(err);
        const profile = JSON.parse(body);
        done(null, profile);
    });
- In Claims Assignment, you can map incoming identity-provider claims to user properties within the system. Each entry consists of three parts:
  - Claim: The name of the incoming claim or scope provided by the authentication authority.
  - Default: An optional fallback value used when the claim is missing or not supplied.
  - User Fields: A selectable internal user attribute (for example, Username, Email, Language, Name, Phone, Mobile) that the claim should populate.
  You can create multiple rows to define as many claim-to-property mappings as required. When a user signs in, the system evaluates the received token, applies the mappings, and populates or updates the corresponding user fields accordingly.
- If required, in Auto Assignment, assign roles and groups that you have defined in the Role and Security Group tools in the Cockpit.
  - Enable Only assign on first login to assign the claims, roles and security groups only on the first login.
- In Post Authentication Script, use Script to select a server script that should run after authentication. The script has access to the global variables profile, user, and updatedUser.
  If no server script is selected, you can enter custom logic in Function (profile, user, updatedUser, require, getEntityRepository, log). This allows you to run post-authentication code, such as logging details or modifying the variables, for example:
    log.info("XXuser", user);
    log.info("XXprofile", profile);
    log.info("Member of:" + profile.memberof);
  Inline post-authentication scripts will be deprecated in a future patch. Plan to move any custom logic to a server script.
- Select OK.
- Save and Restart the server to apply the changes.
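
The Claim / Default / User Fields rows described under Claims Assignment can be checked offline before they are entered. The sketch below is an added example, not code from the product: applyClaims, claimRows, the sample profile and the 'EN' default are assumptions made for illustration. It applies the rows to a constructed Google userinfo response and refuses to map anything unless Google reports the address as verified (email_verified).

```javascript
// Added illustration; not the product's implementation. All names are hypothetical.

// Constructed sample of a Google userinfo response (scopes: email profile).
const sampleProfile = {
  sub: '110000000000000000001',
  email: 'alice@example.com',
  email_verified: true,
  name: 'Alice Example',
};

// Rows as they would be entered in Claims Assignment: Claim, Default, User Field.
const claimRows = [
  { claim: 'email', userField: 'email' },
  { claim: 'email', userField: 'username' },
  { claim: 'name', userField: 'name' },
  { claim: 'locale', default: 'EN', userField: 'language' }, // 'EN' is an assumed default
];

// Apply the rows to a profile. A missing or empty claim falls back to Default;
// with no Default the existing user field is left untouched.
function applyClaims(profile, rows, existingUser = {}) {
  // Use the address as an identity only if Google marks it verified.
  if (profile.email_verified !== true && profile.email_verified !== 'true') {
    throw new Error('email not verified by identity provider');
  }
  const user = { ...existingUser };
  for (const row of rows) {
    // Own properties only, so a claim name never resolves to an inherited key.
    const value = Object.prototype.hasOwnProperty.call(profile, row.claim)
      ? profile[row.claim]
      : undefined;
    if (value !== undefined && value !== null && value !== '') {
      user[row.userField] = String(value);
    } else if (row.default !== undefined) {
      user[row.userField] = row.default;
    }
  }
  return user;
}

console.log(applyClaims(sampleProfile, claimRows));
```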