We want to be able to sign our users in using the Authorization Code Flow.
GIP supports OIDC providers but these require either a self-hosted OAuth2 server or reliance on AWS Cognito or Auth0.
The case I want is using Google Identity Platform as the OAuth2 server - i.e. where it serves a login screen, collects username/password and returns an authorization code which is later exchanged for a token (i.e. the standard OAuth authorization code flow).
Does Google not provide this?
To use the Authorization Code Flow, first you must have configured the provider as stated in the official documentation.
On this page you can check the sign in providers supported by Google Identity Platform.
The Identity Platform overview states that Identity Platform is a customer identity and access management (CIAM) platform. As mentioned here, one of the functionalities of a CIAM is to administer identities. Therefore, Identity Platform is not intended to be used solely as an identity provider, nor to be an OAuth2 server.
In order to sign in users with OIDC and Google using OAuth, you could review this documentation about Google's OAuth 2.0 APIs.
See also:
Thank you for your reply. Would it be possible to ask for this as a feature request?
As shown on the feature requests documentation:
You can also request and vote for new Google Cloud features. Unlike issue reports, we don't immediately triage new feature requests. Instead, we wait for a feature to have a handful of stars and, hopefully, comments from several users about how the feature would be useful. So, when it comes to feature requests, it's especially important to vote for an existing request (if one exists) instead of making a duplicate.
For Identity Platform, you can use this link.
Hello,
I am looking at a similar scenario.
We have our own application that should authenticate users. For that purpose we have decided to use the Google Identity Platform to perform logins and store user information.
However, our users, after authenticating to our application, would need to access data from BigQuery where the data is filtered based on allow/deny policies for principals.
Currently, I do not see how an identity in the Google Identity Platform can also be an identity in GCP.
Am I correct in my thinking that the only 2 options we are left with are:
1) Using service accounts for the customers to access their BigQuery data
2) Having an external IdP with Federated Workforce Identity and users actually logging into the external IdP
Hello @cristianrm
Regarding "Identity Platform is not intended to be used as an identity provider solely nor to be an OAuth2 server":
Is there any other Google service that enables you to deploy your own OAuth2 server? I'm using AWS Cognito right now but would like to understand whether there is an equivalent Google service. I need it not only for SSO but also for authorizing third-party access to an API.