RPort - remote access and remote management
Toggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Google Setup

Overview

To use Google users for RPort authentication you must add and configure an Google Project with the required OAuth configuration for RPort. This project is created and fully controlled by the RPort administrator and permission for RPort access can be revoked at any time. When users first login to RPort via their Google user, they must allow this app to read their user info. For more information on the Google implementation of OAuth, please see Using OAuth 2.0 for Web Server Applications.

For a detailed reference on the configuration settings mentioned in this section, see the Configuration Settings guide.

When using the web app style flow only, by specifying a required_group_id in the rportd config, user access to RPort can be limited solely to the members of a specific Google group.

If the permitted_user_list config option is not set or set to false, then rportd will automatically create and add any user who successfully authenticates with Google to the list of allowed users for RPort. This means users do not need to be setup in advance.

Setup

If you have two-factor authentication enabled on the rport server, you must turn it off before setting up OAuth. Use the supported two-factor authentications of Google instead.

Most steps apply when setting up both web style and device style flows. Where is a step only applies to one or the other then this will be indicated.

Steps

  1. Signup for Google Cloud, if not already signed up.

  2. Goto the Google Cloud console.

  3. Set up your organization as per the Checklist in the IAM & Admin > Identity & Organization area.

    Ensure at least the following 4 checklists have been completed:

    • Enable Cloud Identity and create an organization

    • Provision users and groups

    • Assign administrative access

    • Configure hierarchy and assign access

  4. Create a new project with an appropriate project name (e.g. Rport Access)

  5. Navigate to the API & Services > OAuth consent screen area via the top-left main menu.

  6. Select the required User Type (which will most likely be Internal) and click CREATE to continue.

  7. Enter the app registration details requested, including an appropriate app name (e.g. Rport Access).

  8. Save and continue to navigate to the Scopes screen.

  9. Click the ADD OR REMOVE SCOPES button and then select the following scopes:

    • ../userinfo.email

    • ../userinfo.profile

    • openid

  10. Click Update to return to the Scopes screen.

  11. Save and continue to proceed to the Summary screen.

  12. Check the details and then click BACK TO DASHBOARD to return to the top-level OAuth consent screen.

  13. Navigate to the API & Service > Credentials area either via the top-left main screen or left panel (if visible).

  14. Click CREATE CREDENTIALS at the top of the Credentials panel and select OAuth Client ID

  15. Select Web Application as the application type, unless setting up the device style flow when TVs and Limited input devices should be selected.

  16. Enter the requested details, including the Authorized Redirect URI (which must be https://<FQDN-OF-RPORT-SERVER>/oauth/callback if using the RPort UI) and click CREATE. Note your Authorized Redirect URI, Your Client ID and Your Client Secret.

  17. For configuring the rportd server config file, the following information will be required:

    [plus-oauth]
       provider = "google"
       redirect_uri = "https://<FQDN-OF-RPORT-SERVER>/oauth/callback>"
       token_url = "https://oauth2.googleapis.com/token"
       authorize_url = "https://accounts.google.com/o/oauth2/v2/auth"
       client_id = "your application (client) id (from step 16)"
       client_secret = "your client secret (from step 16)"
       # If using the device style flow (OAuth for rportcli) additionally active the below lines.
       #device_authorize_url = "https://oauth2.googleapis.com/device/code"
       #device_client_id = "your application (client) id (from step 16)"
       #device_client_secret = "your client secret (from step 16)"
    
  18. Set the rportd oauth access control config parameters as required. Note that required_group_id is not supported by google when using the device style flow.

Depending on requirements, the following access control config parameters maybe set.

# Google group identity (the group email address) of required group
required_group_id="sample-group@sample-domain.org"
## allow all users within group
permitted_user_list=false
permitted_user_match=""
Remember: You always need to restart the rportd after changing the configuration file.
Execute service rportd restart.

Google and RPort Usernames

For the RPort username, RPort uses the email property from the Google REST API UserInfo API.

When using the permitted_user_list setting the usernames listed in the RPort API file or DB (see API Authentication) must match the value of the Google email field for the user.

When using the permitted_user_match setting RPort will try to match the regex with the user email. If succeeds then the user will be allowed access, otherwise they will be denied.

Checking the Required Group ID

For the required_group_id check, RPort gets the members of the group matching the required_group_id and then checks whether the current user is a member. Please see Google REST Get Members Of A Group API for more information. Note that the user must be a direct member of the relevant group and not a transitive member.