Google Cloud Integration
Google Identity Platform is used to authenticate users and to authorize them based on Google Workspace group membership.
The authorization decision is tied to the subject (sub) claim of the token issued for the user; that claim is the stable identifier of the Google account.
LAAVAT PKI and Signing Platform uses the OAuth2 authorization code flow with a confidential web-application client, not the implicit grant (which returns tokens in the URL fragment and is deprecated). The user is redirected to Google to sign in, the client credentials are then used to exchange the returned authorization code for an access token, and user data is fetched with that access token.
Creating a cloud project
In the Google Cloud console, create a new project.
Name the new project accordingly.
OAuth configuration
Set Up OAuth Consent Screen
- Navigate to APIs & Services > OAuth consent screen in the Google Cloud Console.
- Select GO TO NEW EXPERIENCE (if visible).
- Select GET STARTED.
- Fill in the following details:
- App name: name the new application accordingly.
- User support email: this must be an internal (organizational) email address.
- Click NEXT
- For Audience
- Select Internal (for organizational use only).
- Click NEXT
- For Contact Information
- Add: support@laavat.io
- Click NEXT
- On Finish
- Agree to the User Data Policy.
- Click CONTINUE
- Click CREATE
Create OAuth Client
- Go to APIs & Services > Credentials.
- Click Create credentials > OAuth Client ID.
- Choose Application type: Web application
- Fill in information
- Name: Name the new client accordingly.
- Authorized redirect URIs (register exactly these two; Google matches redirect URIs character for character, so a trailing slash or a different path will break the callback):
https://app.laavat.io/<CustomerName>/api/v1/auth/callback
https://app.laavat.io/<CustomerName>/gui/callbackgui
- Click CREATE.
- Download the client credentials JSON.
- This JSON is needed on the LAAVAT side for onboarding. It contains the client secret, so store and transfer it as a secret.
Enable Required APIs
- Navigate to APIs & Services > Library.
- Enable the APIs required by LAAVAT PKI and Signing Platform:
- Admin SDK API
- IAM Service Account Credentials API
Set Up a Service Account for group membership checking
Create Service Account
- Go to IAM & Admin > Service Accounts.
- Click Create Service Account and configure:
- Service account name: Name the new service account accordingly.
- Description (optional).
- Click CREATE AND CONTINUE
- Grant this service account access to the project:
- Service Account Token Creator
- Click CONTINUE
- Grant users access to this service account (optional):
- Not needed for LAAVAT PKI and Signing Platform.
- Click DONE
- Create a key for the service account:
- From Actions, click Manage keys.
- Click ADD KEY.
- Create a new key or upload one; follow your organization's guidelines for key creation.
- Download the private key (JSON) and store it securely. Google keeps no copy of a user-managed key, and anyone holding the file can act as the service account.
- This JSON is needed on the LAAVAT side for onboarding.
- Take a note of the service account's Client ID (the numeric OAuth2 client ID shown in the service account details); it is entered in the Google Workspace admin console in the steps below.
Configure Google Workspace
Add application to Google Workspace
- In the Google Workspace admin console:
- Click Security > Access and data control > API controls
- Click MANAGE THIRD-PARTY APP ACCESS
- Click Configure new app
- Type in the service account's Client ID.
- Click Search
- Set Scope (the organizational units the app is configured for) based on your organization's guidelines.
- Click continue
- Access to Google Data.
- Select Specific Google data
- Click Update google services or scopes
- Click Add more OAuth scopes
- Add scopes:
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
- Click Add
- Click Save
- Click Continue
- Review application information and click Finish
Domain-wide delegation
- In the Google Workspace admin console:
- Click Security > Access and data control > API controls
- Click MANAGE DOMAIN WIDE DELEGATION
- Click Add new
- Type in the service account's Client ID (noted above)
- Add OAuth scopes:
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
- Click AUTHORIZE
Impersonated user for the group check
Create a Google Workspace user with the following admin role assigned:
- Groups Reader
Enter this user's email address on the registration form. The service account impersonates this user through domain-wide delegation when it reads group membership, so keep the account dedicated to that purpose and grant it no additional roles.
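The check the service account performs once the consent screen, the key, the domain-wide delegation scopes and the impersonated Groups Reader user are in place, as an added example that is not part of LAAVAT PKI and Signing Platform. It assumes the service-account key JSON from the steps above, the three read-only directory scopes registered under domain-wide delegation, the Admin SDK Directory API, and the google-auth and google-api-python-client libraries for the live call; the helper that builds the delegation claim set and the authorization decision run offline with the standard library only, and the email_verified and hd checks in the decision are assumptions that the LAAVAT documentation does not state.

```python
"""Added example, not LAAVAT's code: exercise the delegated group-membership
check end to end and show the three console settings (client ID, delegated
scopes, impersonated user) where they appear in the token request."""
import json
import time

# The scopes registered for the service account's client ID under
# domain-wide delegation; the assertion below may request a subset, never more.
DIRECTORY_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
)


def delegated_jwt_claims(sa_info, impersonated_user, scopes=DIRECTORY_SCOPES, now=None):
    """Claim set of the JWT the service account signs to act as a Workspace user.

    'iss' is the service account, 'sub' is the impersonated Groups Reader user
    and 'scope' lists the delegated scopes. google-auth builds the equivalent
    assertion itself when credentials are created with subject=...; it is
    spelled out here so the delegation settings can be seen in the request.
    """
    if sa_info.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    now = int(time.time()) if now is None else now
    return {
        "iss": sa_info["client_email"],
        "sub": impersonated_user,
        "scope": " ".join(scopes),
        "aud": sa_info.get("token_uri", "https://oauth2.googleapis.com/token"),
        "iat": now,
        "exp": now + 3600,  # Google rejects assertions valid for more than one hour
    }


def authorize(id_token_claims, is_member, workspace_domain):
    """Authorization decision for one sign-in; returns (allowed, reason).

    The identity is the stable 'sub' claim, not the email address. The
    'email_verified' and hosted-domain ('hd') checks are assumed checks that
    pin the account to the Workspace organization matching the Internal
    audience of the consent screen.
    """
    if not id_token_claims.get("sub"):
        return False, "token has no subject"
    if not id_token_claims.get("email_verified", False):
        return False, "email address not verified by Google"
    if id_token_claims.get("hd") != workspace_domain:
        return False, "account is outside the Workspace domain"
    if not is_member:
        return False, "not a member of the required group"
    return True, "ok"


def check_membership(sa_path, impersonated_user, group_email, user_email):
    """Live check through the Admin SDK Directory API (network and libraries needed)."""
    from google.oauth2 import service_account      # google-auth
    from googleapiclient.discovery import build    # google-api-python-client

    with open(sa_path) as f:
        sa_info = json.load(f)
    creds = service_account.Credentials.from_service_account_info(
        sa_info, scopes=list(DIRECTORY_SCOPES), subject=impersonated_user
    )
    directory = build("admin", "directory_v1", credentials=creds)
    result = directory.members().hasMember(groupKey=group_email, memberKey=user_email).execute()
    return bool(result.get("isMember", False))


if __name__ == "__main__":
    import sys

    # key file, impersonated Groups Reader user, group address, candidate user
    sa_path, reader, group, user = sys.argv[1:5]
    print("member" if check_membership(sa_path, reader, group, user) else "not a member")
```

Run it against a group and a user you know the answer for; a 403 from the hasMember call means the scopes under domain-wide delegation, the client ID entered there, or the Groups Reader role of the impersonated user do not match the steps above.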
Information needed by LAAVAT
The following JSON files are required:
- OAuth client JSON
- Service account key JSON
Both files contain secrets (the client secret and the service account private key). For the credentials transfer, follow the instructions in the chapter Secure credentials transfer to LAAVAT.
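A preflight check of the two files before they are transferred, as an added example that is not part of LAAVAT's onboarding tooling. It assumes the layouts Google writes for a Web application OAuth client (a top-level "web" object) and for a service-account key (a flat object with "type": "service_account"), and the <CustomerName> placeholder from the redirect URIs above; the sample inputs in the usage are constructed.

```python
"""Added example, not LAAVAT's code: confirm the OAuth client JSON and the
service-account key JSON match the configuration steps on this page."""
import json

# The two redirect URIs registered on the OAuth client, customer name as placeholder.
REDIRECT_URI_TEMPLATES = (
    "https://app.laavat.io/<CustomerName>/api/v1/auth/callback",
    "https://app.laavat.io/<CustomerName>/gui/callbackgui",
)
OAUTH_CLIENT_FIELDS = ("client_id", "client_secret", "auth_uri", "token_uri")
SERVICE_ACCOUNT_FIELDS = ("client_id", "client_email", "private_key", "private_key_id", "token_uri")


def check_oauth_client(info, customer_name):
    """Problems found in the downloaded OAuth client JSON; an empty list means OK."""
    problems = []
    web = info.get("web")
    if web is None:
        # Desktop/installed clients use other top-level keys and have no usable redirect URIs.
        kind = next(iter(info), "unknown")
        return [f"client type is '{kind}', expected a Web application ('web')"]
    for field in OAUTH_CLIENT_FIELDS:
        if not web.get(field):
            problems.append(f"OAuth client: '{field}' is missing")
    expected = {u.replace("<CustomerName>", customer_name) for u in REDIRECT_URI_TEMPLATES}
    actual = set(web.get("redirect_uris", []))
    for uri in sorted(expected - actual):
        problems.append(f"OAuth client: redirect URI not registered: {uri}")
    # Every extra redirect URI is a place Google will deliver authorization
    # codes for this client, so each one must be deliberate.
    for uri in sorted(actual - expected):
        problems.append(f"OAuth client: unexpected redirect URI: {uri}")
    return problems


def check_service_account(info):
    """Problems found in the service-account key JSON; an empty list means OK."""
    problems = []
    if info.get("type") != "service_account":
        problems.append(f"service account: type is '{info.get('type')}', expected 'service_account'")
    for field in SERVICE_ACCOUNT_FIELDS:
        if not info.get(field):
            problems.append(f"service account: '{field}' is missing")
    key = info.get("private_key", "")
    if key and not key.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("service account: private_key is not a PEM PKCS#8 private key")
    return problems


def preflight(oauth_info, sa_info, customer_name):
    """Combined report plus the client ID that must appear in domain-wide delegation."""
    problems = check_oauth_client(oauth_info, customer_name) + check_service_account(sa_info)
    return {"ok": not problems, "problems": problems, "delegation_client_id": sa_info.get("client_id")}


if __name__ == "__main__":
    import sys

    oauth_path, sa_path, customer = sys.argv[1:4]
    with open(oauth_path) as f:
        oauth_info = json.load(f)
    with open(sa_path) as f:
        sa_info = json.load(f)
    report = preflight(oauth_info, sa_info, customer)
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["ok"] else 1)
```

The delegation_client_id in the report is the value that must match the Client ID entered under MANAGE DOMAIN WIDE DELEGATION; a mismatch there is the most common reason the group check fails after onboarding.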