
Create a new OAuth application for Zylon

To enable Google SSO for Zylon, you need to create an OAuth 2.0 application in the Google Cloud Console. Navigate to the Google Cloud Console.
If you don’t already have a Google project to host the OAuth application, you might need to create a new one for Zylon.
Navigate to the Google Auth section to create the app. For the audience configuration, set it to internal so that only users from your organization can log in; otherwise you will need to go through Google’s verification process.

Configure the OAuth client

Next, configure the OAuth client. Make sure of the following settings:
  • The application type is set to Web application.
  • The allowed JavaScript origins are set to https://zylon.company.com, replacing zylon.company.com with the domain where Zylon is hosted (it is the same domain as the host in the config file located at /etc/zylon/zylon-conf.yaml).
  • The authorized redirect URI is set to https://zylon.company.com/api/v1/auth/google/callback, again replacing zylon.company.com with the domain where Zylon is hosted.
  • Apply the changes and save the Client ID and Client Secret that will be used later in the config file for Zylon.
Select Web application as the application type.
Set the authorized redirect URI as mentioned before; double-check that the domain is correct and the suffix is /api/v1/auth/google/callback.
Create the OAuth client and save the Client ID and Client Secret.

Grant openid scope

Navigate to the Data Access/Scopes section, and add the following scopes to your application:
  • auth/userinfo.email (To get the user email)
  • auth/userinfo.profile (To get user’s name and profile picture)
  • openid (To authenticate users with OpenID Connect)

Add the configuration to Zylon

Add the following configuration to /etc/zylon/zylon-conf.yaml, replacing the clientId and clientSecret values with the ones obtained in the previous steps and the redirectUri with the correct domain where Zylon is hosted.
auth:
  google:
    enabled: true
    clientId: "1234567890-abcde.apps.googleusercontent.com"
    clientSecret: "GOCSPX-xxxxxxxxxxxxxxxxxxxxxxxx"
    redirectUri: "https://zylon.company.com/api/v1/auth/google/callback"
Run the following command to refresh the configuration:
sudo zylon-cli sync
Now you should see the Google SSO option when logging in.
In case you don’t see the Google button to log in, clear the browser cache.
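A pre-flight check for the auth.google block, useful before running the sync, because Google compares the redirect URI exactly and a wrong scheme, host, or trailing slash makes the login fail. This is an added example, not part of Zylon or its CLI; the function names, the sample text, and the idea of passing the Zylon domain as an argument are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

CALLBACK_PATH = "/api/v1/auth/google/callback"  # suffix given on this page

# Constructed sample: the page's snippet with typical mistakes (http, wrong host, trailing slash).
SAMPLE_CONF = '''\
auth:
  google:
    enabled: true
    clientId: "1234567890-abcde.apps.googleusercontent.com"
    clientSecret: "GOCSPX-xxxxxxxxxxxxxxxxxxxxxxxx"
    redirectUri: "http://zylon.example.com/api/v1/auth/google/callback/"
'''

def google_block(conf_text):
    """Collect key/value pairs under auth: -> google: (simple line-based read, not a full YAML parser)."""
    values, path = {}, []
    for line in conf_text.splitlines():
        m = re.match(r'^(\s*)([A-Za-z]\w*):\s*(.*)$', line)
        if not m:
            continue
        indent, key, raw = len(m.group(1)), m.group(2), m.group(3).strip()
        # Keep only ancestors that are less indented than the current key.
        path = [(i, k) for i, k in path if i < indent] + [(indent, key)]
        if [k for _, k in path[:-1]] == ["auth", "google"] and raw:
            values[key] = raw.strip('"\'')
    return values

def check_google_sso(conf_text, zylon_host):
    """Return a list of problems; an empty list means the block looks consistent."""
    g, problems = google_block(conf_text), []
    if g.get("enabled") != "true":
        problems.append("auth.google.enabled is not true")
    if not g.get("clientId", "").endswith(".apps.googleusercontent.com"):
        problems.append("clientId does not look like a Google OAuth client ID")
    secret = g.get("clientSecret", "")
    if not secret or set(secret.removeprefix("GOCSPX-")) <= {"x"}:
        problems.append("clientSecret is empty or still the documentation placeholder")
    uri = urlsplit(g.get("redirectUri", ""))
    if uri.scheme != "https":
        problems.append("redirectUri must use https")
    if uri.hostname != zylon_host.lower():
        problems.append(f"redirectUri host {uri.hostname!r} != Zylon host {zylon_host!r}")
    if uri.path != CALLBACK_PATH or uri.query or uri.fragment:
        problems.append(f"redirectUri path must be exactly {CALLBACK_PATH}")
    return problems
```

To check a real deployment, pass the contents of /etc/zylon/zylon-conf.yaml and the domain where Zylon is hosted; the same redirect URI must also be the one registered on the OAuth client in the Google Cloud Console.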