Google Authentication (google-auth)
This backend authenticates users through their Google accounts. Users are redirected through Google's OAuth2 authorization flow and are then issued a token for CLI use. Once authenticated, short-lived JSON Web Tokens signed with the server's `jwt.private_key` are used to persist and validate authentication state, so no per-user session storage is required.
Server Configuration Options
- `client_id` – Client ID from the registered application
- `client_secret` – Client Secret from the registered application
- `jwt` – a hash of JWT signing details
  - `private_key` – a PEM-formatted private key used to sign authentication tokens
  - `validity` – a duration for how long issued authentication tokens remain valid (default `24h`)
- `auth_url` – authentication URL (default `https://accounts.google.com/o/oauth2/v2/auth`)
- `token_url` – token URL (default `https://www.googleapis.com/oauth2/v4/token`)
- `scopes` – optionally load additional profile information for extended scopes
  - `cloud_project` – request project membership information from Google Cloud (requires the Google Cloud Resource Manager API to be enabled)
    - `projects` – a list of project identifiers to check for membership; if left empty, all projects will be checked
    - `roles` – a list of roles (e.g. `roles/owner`) to check for access; if left empty, all roles will be included
- `failure_redirect_url` – redirect URL upon authentication failure (default `server.redirects.auth_failure`)
- `success_redirect_url` – redirect URL upon authentication success (default `server.redirects.auth_success`)
Authentication Scopes
When a user authenticates, their email address, its mailbox (the local part) and its domain are each added as scopes. For `somebody@example.com` that yields:
- `somebody@example.com`
- `email/mailbox/somebody`
- `email/domain/example.com`
If `cloud_project` scopes are enabled, one scope per project role the user holds is also added, for example:
- `cloud/project/1234567890/roles/owner`
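The scope derivation described above, as an added example in Go (ssoca's own implementation language); this is illustrative code, not ssoca's source. `Scopes` builds the scope list from an address and a map of project roles, with the Cloud Resource Manager lookup that would populate that map assumed and not shown; `Authorized` applies a hypothetical all-of match, since the page does not document ssoca's matching rules.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Scopes derives the scope names granted to a Google-authenticated user, following
// the naming shown above: the full address, its mailbox, its domain and, when
// cloud_project scopes are enabled, one scope per (project, role) pair.
// projectRoles maps a project identifier to the roles the user holds in it; the
// Cloud Resource Manager lookup that produces it is assumed and not shown here.
func Scopes(email string, projectRoles map[string][]string) ([]string, error) {
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return nil, fmt.Errorf("invalid email address %q", email)
	}
	scopes := []string{
		email,
		"email/mailbox/" + email[:at],
		"email/domain/" + email[at+1:],
	}
	// Sort project IDs so the output is deterministic regardless of map order.
	projects := make([]string, 0, len(projectRoles))
	for p := range projectRoles {
		projects = append(projects, p)
	}
	sort.Strings(projects)
	for _, project := range projects {
		for _, role := range projectRoles[project] {
			scopes = append(scopes, "cloud/project/"+project+"/"+role)
		}
	}
	return scopes, nil
}

// Authorized reports whether the user holds every scope in required. All-of
// matching is this example's choice; ssoca's own matching rules are not on this page.
func Authorized(have, required []string) bool {
	held := make(map[string]struct{}, len(have))
	for _, s := range have {
		held[s] = struct{}{}
	}
	for _, r := range required {
		if _, ok := held[r]; !ok {
			return false
		}
	}
	return true
}

func main() {
	scopes, err := Scopes("somebody@example.com", map[string][]string{"1234567890": {"roles/owner"}})
	if err != nil {
		panic(err)
	}
	for _, s := range scopes {
		fmt.Println(s)
	}
	fmt.Println("owner of 1234567890:", Authorized(scopes, []string{"cloud/project/1234567890/roles/owner"}))
	fmt.Println("member of example.org:", Authorized(scopes, []string{"email/domain/example.org"}))
}
```

Note that the mailbox scope carries no domain: a policy keyed on `email/mailbox/somebody` alone admits `somebody@` at any domain Google will authenticate, so policies that care about the organization should key on the domain scope or the full address.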
Google Application
This backend requires an OAuth credential registered with Google for the ssoca server. At a minimum, ensure the following fields are configured:
- Credential type – OAuth client ID
- Application type – Web application
- Authorized redirect URIs – `https://{ssoca_host}:{ssoca_port}/auth/callback`
General Notes
- changing `jwt.private_key` will revoke all existing authentication tokens, since tokens signed with the previous key no longer verify
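To make the note above concrete, here is an added Go example (not ssoca's code) of the token lifecycle the page describes: a token is minted under one signing key with a `validity` window, and verification fails both once that window has passed and once the server's key has been replaced. RS256 and the claim names are this example's assumptions; `NewKey` stands in for loading the PEM `jwt.private_key` from the configuration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the state a token carries between CLI calls (names are this example's).
type Claims struct {
	Subject string   `json:"sub"`
	Scopes  []string `json:"scopes"`
	Expires int64    `json:"exp"` // unix seconds
}

var b64 = base64.RawURLEncoding

// NewKey stands in for loading jwt.private_key from the PEM in the config.
func NewKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// Mint signs claims as a compact RS256 JWT that expires `validity` after `now`.
func Mint(key *rsa.PrivateKey, subject string, scopes []string, now time.Time, validity time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(Claims{Subject: subject, Scopes: scopes, Expires: now.Add(validity).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify checks the signature against pub and the expiry against now. A token
// signed under any other private key fails the signature check, which is why
// changing jwt.private_key revokes every outstanding token at once.
func Verify(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerRaw, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct{ Alg string `json:"alg"` }
	// Pin the algorithm server-side; never let the token choose it (alg confusion).
	if err := json.Unmarshal(headerRaw, &header); err != nil || header.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims Claims
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(claims.Expires, 0)) {
		return nil, errors.New("token expired")
	}
	return &claims, nil
}

func main() {
	oldKey, newKey := NewKey(), NewKey()
	now := time.Now()
	token, _ := Mint(oldKey, "somebody@example.com", []string{"email/domain/example.com"}, now, 24*time.Hour)
	_, err := Verify(&oldKey.PublicKey, token, now.Add(time.Hour))
	fmt.Println("same key, within validity:", err)
	_, err = Verify(&oldKey.PublicKey, token, now.Add(25*time.Hour))
	fmt.Println("same key, after validity:", err)
	_, err = Verify(&newKey.PublicKey, token, now.Add(time.Hour))
	fmt.Println("after rotating jwt.private_key:", err)
}
```

Because revocation works only through key rotation and expiry, `validity` is the upper bound on how long a stolen token stays usable; shortening it from the 24h default trades re-authentication friction for a smaller window.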