
Version: 3.11.0

Set Up SSO with Google

OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of end users based on the authentication performed by the identity provider, as well as to obtain basic profile information about end users in an interoperable and REST-like manner.

Google Identity offers a suite of identity and access management tools, enabling secure user authentication and access control. With APISIX and Google, you can implement OIDC-based authentication processes to protect your APIs and enable single sign-on (SSO).

This guide shows you how to integrate APISIX with Google's OAuth 2.0 APIs to implement SSO using the authorization code flow.

Prerequisite(s)

Configure Google Credentials

Go to the Credentials page in Google API console and create a new credential of type OAuth client ID:

Google OAuth create OAuth client ID

Configure the details for the client:

  • Select Web application as the Application type.
  • Enter a name for the client, for example, apisix.
  • Enter the callback URL http://localhost:9080/anything/callback.

Enter client details

Finish the creation.

Copy the generated client ID and secret:

The generated client ID and secret

Save the client ID and secret to environment variables:

# replace with your values
export OIDC_CLIENT_ID=590838497384-v1v8tta846d4iki47kuaa5mompqio.apps.googleusercontent.com
export OIDC_CLIENT_SECRET=bSaINfMk1YknmtXvo8lKkfeY0iwpr9c0

Create a Route in APISIX

Create a route with the openid-connect plugin as follows:

curl -i "http://127.0.0.1:9180/apisix/admin/routes" -X PUT -d '
{
  "id": "auth-with-oidc",
  "uri": "/anything/*",
  "plugins": {
    "openid-connect": {
      "bearer_only": false,
      "client_id": "'"$OIDC_CLIENT_ID"'",
      "client_secret": "'"$OIDC_CLIENT_SECRET"'",
      "discovery": "https://accounts.google.com/.well-known/openid-configuration",
      "scope": "openid profile",
      "redirect_uri": "http://localhost:9080/anything/callback"
    }
  },
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "httpbin.org:80": 1
    }
  }
}'

bearer_only: set to false for authorization code grant.

client_id: Google OAuth client ID.

client_secret: Google OAuth client secret.

discovery: URI to Google discovery document.

redirect_uri: URI to redirect to after authentication with the identity provider.
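The following is an added example, not part of this page or of APISIX itself. It builds the same route object the curl call above sends to the Admin API and runs the checks a reviewer would apply to the openid-connect settings before deploying them: bearer_only is false for the code flow, the discovery URL is HTTPS and belongs to the issuer, the scope includes openid, and the redirect_uri both equals the callback registered in the Google console and sits under the route's uri so that the callback is handled by this plugin. The discovery document is a constructed stand-in reduced to the fields the checks use; the registered callback value is the one from this guide.

```python
import json
import os
from urllib.parse import urlparse

# Constructed stand-in for Google's discovery document, reduced to the fields
# the checks below look at. A real run would fetch it from the discovery URL.
SAMPLE_DISCOVERY = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "response_types_supported": ["code", "token", "id_token"],
}

REGISTERED_CALLBACK = "http://localhost:9080/anything/callback"  # as entered in the console


def build_route(client_id, client_secret, redirect_uri=REGISTERED_CALLBACK,
                route_id="auth-with-oidc", uri="/anything/*", bearer_only=False):
    """Return the route object that the curl call on this page sends to the Admin API."""
    return {
        "id": route_id,
        "uri": uri,
        "plugins": {
            "openid-connect": {
                "bearer_only": bearer_only,
                "client_id": client_id,
                "client_secret": client_secret,
                "discovery": "https://accounts.google.com/.well-known/openid-configuration",
                "scope": "openid profile",
                "redirect_uri": redirect_uri,
            }
        },
        "upstream": {"type": "roundrobin", "nodes": {"httpbin.org:80": 1}},
    }


def check_oidc_route(route, discovery, registered_redirect_uri=REGISTERED_CALLBACK):
    """Return a list of findings; an empty list means the config passes every check."""
    findings = []
    cfg = route["plugins"]["openid-connect"]

    # The authorization code flow needs bearer_only=false; true would reject the browser redirect.
    if cfg.get("bearer_only") is not False:
        findings.append("bearer_only must be false for the authorization code flow")

    # Credentials must be present (an unset env var expands to an empty string in the curl call).
    if not cfg.get("client_id") or not cfg.get("client_secret"):
        findings.append("client_id or client_secret is empty; check OIDC_CLIENT_ID/OIDC_CLIENT_SECRET")

    # Discovery must be fetched over TLS and belong to the issuer it describes.
    disc = cfg.get("discovery", "")
    if urlparse(disc).scheme != "https":
        findings.append("discovery URL must use https")
    if disc != discovery["issuer"].rstrip("/") + "/.well-known/openid-configuration":
        findings.append("discovery URL does not match issuer %s" % discovery["issuer"])

    # Without the openid scope the provider issues no ID token.
    if "openid" not in cfg.get("scope", "").split():
        findings.append("scope must include 'openid'")

    # redirect_uri must equal the registered callback and land on this route;
    # otherwise Google rejects the request or APISIX never sees the callback.
    redirect = cfg.get("redirect_uri", "")
    if redirect != registered_redirect_uri:
        findings.append("redirect_uri differs from the callback registered in the Google console")
    if not urlparse(redirect).path.startswith(route["uri"].rstrip("*")):
        findings.append("redirect_uri path is outside the route uri, so the callback bypasses the plugin")

    # Endpoints advertised by the provider must also be https, and the code flow must be offered.
    for ep in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(discovery.get(ep, "")).scheme != "https":
            findings.append(ep + " in the discovery document is not https")
    if "code" not in discovery.get("response_types_supported", []):
        findings.append("provider does not advertise response_type=code")
    return findings


if __name__ == "__main__":
    route = build_route(os.environ.get("OIDC_CLIENT_ID", ""),
                        os.environ.get("OIDC_CLIENT_SECRET", ""))
    for finding in check_oidc_route(route, SAMPLE_DISCOVERY):
        print("FINDING:", finding)
    print(json.dumps(route, indent=2))
```

Run it with OIDC_CLIENT_ID and OIDC_CLIENT_SECRET exported as in the previous step; the printed JSON can be piped into the Admin API call, and any finding means the route would either fail at Google's authorization endpoint or leave the callback unprotected.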

Verify

Navigate to http://127.0.0.1:9080/anything/test in a browser. You should be redirected to Google's log-in page:

log in with Google

Once logged in, the request is forwarded to httpbin.org and you should see a response similar to the following in the browser:

{
  "args": {},
  "data": "",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "text/html..."
    ...
  },
  "json": null,
  "method": "GET",
  "origin": "127.0.0.1, 122.71.24.81",
  "url": "http://127.0.0.1/anything/test"
}
```
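What happens between the redirect to Google and the response from httpbin.org is the authorization code flow that the openid-connect plugin runs for you. The following added example, which is not code from this page or from APISIX, walks through the three client-side steps with Python's standard library: building the authorization request with a fresh state and nonce, checking the state on the callback, and checking the ID token claims once the code has been exchanged. The authorization endpoint and issuer values are Google's published ones; the client ID, the callback query string and the ID token are constructed for the demonstration, and the token is unsigned, so the claim checks are shown on the assumption that the RS256 signature has already been verified against the keys at jwks_uri.

```python
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint and issuer values come from Google's discovery document; the
# client_id and redirect_uri are the constructed values used in this guide.
AUTHORIZATION_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
DEMO_CLIENT_ID = "example-client-id.apps.googleusercontent.com"
REDIRECT_URI = "http://localhost:9080/anything/callback"


def build_authorization_request(client_id, redirect_uri, scope="openid profile"):
    """Step 1: the 302 the browser receives. Returns (url, session); state and
    nonce are kept server-side and compared on the way back."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), session


def parse_callback(callback_url, session):
    """Step 2: the user returns to redirect_uri. Accept only a callback whose
    state matches the session that started the flow, then return the code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def validate_id_token_claims(id_token, client_id, session, now=None):
    """Step 3: after the code is exchanged at the token endpoint, check the ID
    token claims (OIDC Core 3.1.3.7). Assumes the RS256 signature has already
    been verified against jwks_uri; that step is not shown here."""
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r; Google ID tokens are RS256" % header.get("alg"))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("issuer %r is not Google" % claims.get("iss"))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token was not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when aud lists several")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: token does not belong to this login attempt")
    return claims


def make_demo_id_token(claims):
    """Constructed, unsigned stand-in (empty signature part) for demonstration
    only; a real token from Google carries an RS256 signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT", "kid": "demo"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    url, session = build_authorization_request(DEMO_CLIENT_ID, REDIRECT_URI)
    print("302 Location:", url)
    # Constructed callback, shaped like the one Google sends after a successful login.
    callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-code", "state": session["state"]})
    code = parse_callback(callback, session)
    now = int(time.time())
    token = make_demo_id_token({"iss": "https://accounts.google.com", "aud": DEMO_CLIENT_ID,
                                "sub": "1234567890", "iat": now, "exp": now + 3600,
                                "nonce": session["nonce"]})
    print("code:", code, "sub:", validate_id_token_claims(token, DEMO_CLIENT_ID, session)["sub"])
```

The state check is what stops a callback from a different session (or one forged by a third party) from being accepted, and the nonce check binds the ID token to the login attempt that requested it; the plugin performs both before it forwards the request to the upstream.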

Next Steps

APISIX supports the integration with more OIDC identity providers, such as Keycloak, Authgear, Microsoft Entra ID, and Auth0.

In addition, APISIX also supports built-in authentication approaches such as key authentication, basic authentication, and JWT.
