To use Google users for RPort authentication you must add and configure a Google Cloud project with the OAuth configuration RPort requires. This project is created and fully controlled by the RPort administrator, and permission for RPort access can be revoked at any time. When users first log in to RPort via their Google user, they must allow this app to read their user info. For more information on Google's implementation of OAuth, see Using OAuth 2.0 for Web Server Applications.
For a detailed reference on the configuration settings mentioned in this section, see the Configuration Settings guide.
When using the web app style flow only, by specifying a required_group_id in the rportd config file, user access to RPort can be limited solely to the members of a specific Google group.

If the permitted_user_list config option is not set, or is set to the value that turns it off, RPort will automatically create and add any user who successfully authenticates with Google to the list of allowed users for RPort. This means users do not need to be set up in advance.
If you have two-factor authentication enabled on the rportd server, you must turn it off before setting up OAuth. Use Google's supported two-factor authentication methods instead.

Most steps apply when setting up both the web style and the device style flow. Where a step applies only to one or the other, this is indicated.
1. Sign up for Google Cloud, if not already signed up.
2. Go to the Google Cloud console.
3. Set up your organization as per the Checklist in the IAM & Admin > Identity & Organization area. Ensure at least the following 4 checklists have been completed:
   - Enable Cloud Identity and create an organization
   - Provision users and groups
   - Assign administrative access
   - Configure hierarchy and assign access
4. Create a new project with an appropriate project name (e.g. Rport Access).
5. Navigate to the API & Services > OAuth consent screen area via the top-left main menu.
6. Select the required User Type (which will most likely be Internal) and click CREATE to continue.
7. Enter the app registration details requested, including an appropriate app name (e.g. Rport Access).
8. Save and continue to navigate to the Scopes screen.
9. Click the ADD OR REMOVE SCOPES button and then select the following scopes:
10. Click Update to return to the Scopes screen.
11. Save and continue to proceed to the Summary screen.
12. Check the details and then click BACK TO DASHBOARD to return to the top-level OAuth consent screen.
13. Navigate to the API & Services > Credentials area either via the top-left main menu or the left panel (if visible).
14. Click CREATE CREDENTIALS at the top of the Credentials panel and select OAuth Client ID.
15. Select Web Application as the application type, unless setting up the device style flow, in which case TVs and Limited Input devices should be selected.
16. Enter the requested details, including the Authorized Redirect URI (which must be https://<FQDN-OF-RPORT-SERVER>/oauth/callback if using the RPort UI) and click CREATE. Note your Authorized Redirect URI, your Client ID and your Client Secret.
For configuring the rportd server config file, the following information will be required:

```toml
[plus-oauth]
provider = "google"
redirect_uri = "https://<FQDN-OF-RPORT-SERVER>/oauth/callback"
token_url = "https://oauth2.googleapis.com/token"
authorize_url = "https://accounts.google.com/o/oauth2/v2/auth"
client_id = "your application (client) id (from step 16)"
client_secret = "your client secret (from step 16)"
# If using the device style flow (OAuth for rportcli), additionally activate the lines below.
#device_authorize_url = "https://oauth2.googleapis.com/device/code"
#device_client_id = "your application (client) id (from step 16)"
#device_client_secret = "your client secret (from step 16)"
```
Set the rportd OAuth access control config parameters as required. Note that required_group_id is not supported by Google when using the device style flow.

Depending on requirements, the following access control config parameters may be set:

```toml
# Google group identity (the group email address) of the required group
## allow all users within group
```
Remember: you always need to restart rportd after changing the configuration file, e.g. with service rportd restart.
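The rules above (Google endpoints, an https redirect URI ending in /oauth/callback, required_group_id unusable with the device flow, and auto-provisioning of every Google user when no access control option is set) are easy to get wrong when editing the template by hand. The following is an added example, not RPort's code and not a check RPort performs itself: it parses the flat key = value lines of a [plus-oauth] section and reports findings. Both config texts are constructed samples; the hostnames, client IDs and secrets in them are assumptions.

```python
"""Sanity-check an rportd [plus-oauth] section configured for Google (added example)."""
import re

# Google endpoints as given in the config fragment above.
GOOGLE_AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token"
GOOGLE_DEVICE_URL = "https://oauth2.googleapis.com/device/code"

# Constructed sample: three mistakes that are easy to make from the template.
BROKEN_CONFIG = """
[plus-oauth]
provider = "google"
redirect_uri = "https://rport.example.com/oauth/callback>"  # stray '>' copied from the template
token_url = "https://oauth2.googleapis.com/token"
authorize_url = "https://accounts.google.com/o/oauth2/v2/auth"
client_id = "your application (client) id (from step 16)"
client_secret = "GOCSPX-constructed-secret"
device_authorize_url = "https://oauth2.googleapis.com/device/code"
device_client_id = "1234567890-constructed.apps.googleusercontent.com"
device_client_secret = "GOCSPX-constructed-device-secret"
required_group_id = "rport-admins@example.com"
"""

# Constructed sample: the same config corrected (web flow only, group restriction kept).
FIXED_CONFIG = """
[plus-oauth]
provider = "google"
redirect_uri = "https://rport.example.com/oauth/callback"
token_url = "https://oauth2.googleapis.com/token"
authorize_url = "https://accounts.google.com/o/oauth2/v2/auth"
client_id = "1234567890-constructed.apps.googleusercontent.com"
client_secret = "GOCSPX-constructed-secret"
# Google group identity (the group email address) of the required group
required_group_id = "rport-admins@example.com"
"""


def parse_plus_oauth(text):
    """Return the key/value pairs of the [plus-oauth] section as a dict.

    Handles "quoted strings", true/false and trailing # comments; lines that are
    commented out (#key = ...) and other sections are ignored.
    """
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "plus-oauth":
            continue
        kv = re.match(r'^(\w+)\s*=\s*(?:"([^"]*)"|(true|false))', line)
        if kv:
            key, string_val, bool_val = kv.groups()
            values[key] = string_val if string_val is not None else (bool_val == "true")
    return values


def check_google_oauth(cfg):
    """Apply the rules from this section; returns a list of ERROR/WARN findings."""
    findings = []
    if cfg.get("provider") != "google":
        findings.append('ERROR provider must be "google"')
    uri = cfg.get("redirect_uri", "")
    # Must be https://<FQDN>/oauth/callback with a real host, nothing appended.
    if not re.fullmatch(r"https://[^/\s<>]+/oauth/callback", uri):
        findings.append(f"ERROR redirect_uri must be https://<FQDN>/oauth/callback, got {uri!r}")
    if cfg.get("authorize_url") != GOOGLE_AUTHORIZE_URL:
        findings.append("ERROR authorize_url is not the Google endpoint")
    if cfg.get("token_url") != GOOGLE_TOKEN_URL:
        findings.append("ERROR token_url is not the Google endpoint")
    for key in ("client_id", "client_secret", "device_client_id", "device_client_secret"):
        val = cfg.get(key)
        if isinstance(val, str) and ("your " in val.lower() or "from step" in val.lower()):
            findings.append(f"ERROR {key} still holds the placeholder text")
    device_flow = "device_authorize_url" in cfg
    if device_flow:
        if cfg["device_authorize_url"] != GOOGLE_DEVICE_URL:
            findings.append("ERROR device_authorize_url is not the Google endpoint")
        for key in ("device_client_id", "device_client_secret"):
            if not cfg.get(key):
                findings.append(f"ERROR device flow enabled but {key} is missing")
        if cfg.get("required_group_id"):
            findings.append("ERROR required_group_id is not supported by Google in the device flow")
    gates = [k for k in ("permitted_user_list", "permitted_user_match", "required_group_id") if cfg.get(k)]
    if not gates:
        findings.append("WARN no access control option set: every Google user that "
                        "authenticates is auto-created as an rport user")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_google_oauth(parse_plus_oauth(text)) or ["OK"])
```

Run it against the real file by reading rportd.conf into `text`; a clean result only means the keys named in this section are consistent, not that the Google project side (consent screen, redirect URI registered in step 16) matches.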
For the RPort username, RPort uses one field of the Google user info it is allowed to read.

When using the permitted_user_list setting, the usernames listed in the RPort API file or DB (see API Authentication) must match the value of that Google user info field.

When using the permitted_user_match setting, RPort will try to match the regex against the same Google value.

For the required_group_id check, RPort gets the members of the group matching the required_group_id and then checks whether the current user is a member. Please see the Google REST Get Members Of A Group API for more information. Note that the user must be a direct member of the relevant group and not a transitive member.
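The direct-membership rule has two practical consequences: a user who only belongs to a nested group is rejected, and the Get Members Of A Group API returns results in pages, so a client that reads only the first page can silently reject members. The following added example (not RPort's code, and not how RPort implements the check internally) shows both. The API pages are served by a constructed in-memory fake in the shape of a Directory API members.list response rather than a live call; the group and user addresses are assumptions.

```python
"""Direct Google group membership check, modelled on required_group_id (added example)."""

GROUP = "rport-admins@example.com"

# Constructed sample pages for GROUP. Page 1 ends with a nextPageToken, so a client
# that ignores it never sees carol. ops-team is a nested group: its own members
# (bob) are only transitive members of GROUP.
FAKE_PAGES = {
    None: {
        "kind": "admin#directory#members",
        "members": [
            {"kind": "admin#directory#member", "email": "alice@example.com",
             "role": "OWNER", "type": "USER", "status": "ACTIVE"},
            {"kind": "admin#directory#member", "email": "ops-team@example.com",
             "role": "MEMBER", "type": "GROUP"},
        ],
        "nextPageToken": "page-2",
    },
    "page-2": {
        "kind": "admin#directory#members",
        "members": [
            {"kind": "admin#directory#member", "email": "carol@example.com",
             "role": "MEMBER", "type": "USER", "status": "ACTIVE"},
        ],
    },
}

# Constructed: direct membership of the nested group, used only to show the contrast.
NESTED_GROUP_MEMBERS = {"ops-team@example.com": ["bob@example.com"]}


def fetch_members_page(group_key, page_token=None):
    """Stand-in for GET .../groups/{groupKey}/members?pageToken=... with a bearer token."""
    return FAKE_PAGES[page_token]


def list_direct_members(group_key, fetch=fetch_members_page):
    """Collect USER members across all pages; GROUP entries are not expanded."""
    emails, token = [], None
    while True:
        page = fetch(group_key, token)
        for member in page.get("members", []):
            if member.get("type") == "USER":
                emails.append(member["email"].lower())
        token = page.get("nextPageToken")
        if not token:
            return emails


def is_direct_member(user_email, group_key, fetch=fetch_members_page):
    """The check that matches the documented behaviour: direct members only."""
    return user_email.lower() in list_direct_members(group_key, fetch)


def is_transitive_member(user_email, group_key, fetch=fetch_members_page):
    """Not what RPort does: expands nested groups, so bob would be accepted."""
    page = fetch(group_key, None)
    users = list_direct_members(group_key, fetch)
    for member in page.get("members", []):
        if member.get("type") == "GROUP":
            users += [e.lower() for e in NESTED_GROUP_MEMBERS.get(member["email"], [])]
    return user_email.lower() in users


def first_page_only_member(user_email, group_key, fetch=fetch_members_page):
    """Buggy variant that ignores nextPageToken; misses members beyond page 1."""
    page = fetch(group_key, None)
    users = [m["email"].lower() for m in page.get("members", []) if m.get("type") == "USER"]
    return user_email.lower() in users


if __name__ == "__main__":
    for user in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(user, "direct:", is_direct_member(user, GROUP),
              "transitive:", is_transitive_member(user, GROUP),
              "first page only:", first_page_only_member(user, GROUP))
```

When debugging a user who is rejected despite "being in the group", check first whether they are listed on the group itself or only on a group nested inside it, and then whether the group is large enough for them to fall onto a later page.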