Set Up SSO with Google
OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of end users based on the authentication performed by the identity provider, as well as to obtain basic profile information about end users in an interoperable and REST-like manner.
Google Identity offers a suite of identity and access management tools, enabling secure user authentication and access control. With APISIX and Google, you can implement OIDC-based authentication processes to protect your APIs and enable single sign-on (SSO).
The guide will show you how to integrate APISIX with Google's OAuth 2.0 APIs to implement SSO, using the authorization code flow.
Prerequisite(s)
- Install Docker.
- Install cURL to send requests to the services for validation.
- Follow the Getting Started tutorial to start a new APISIX instance in Docker.
- Have a Google account.
Configure Google Credentials
Go to the Credentials page in Google API console and create a new credential of type OAuth client ID:
Configure the details for the client:
- Select Web application as the Application type.
- Enter a name for the client, for example, apisix.
- Under Authorized redirect URIs, enter the callback URL http://localhost:9080/anything/callback. Google compares the redirect_uri of every authorization request against this list and rejects requests whose value does not match exactly (scheme, host, port and path), so it must be identical to the redirect_uri you configure in APISIX below.
Finish the creation.
Copy the generated client ID and client secret, and save them to environment variables so that the commands below can read them. Treat the secret like a password: it is what lets a client exchange authorization codes for tokens, so keep it out of files and version control.
# replace with your values
export OIDC_CLIENT_ID=590838497384-v1v8tta846d4iki47kuaa5mompqio.apps.googleusercontent.com
export OIDC_CLIENT_SECRET=bSaINfMk1YknmtXvo8lKkfeY0iwpr9c0
Create a Route in APISIX
Create a route with the openid-connect plugin, using either the Admin API or ADC.
Admin API:
curl -i "http://127.0.0.1:9180/apisix/admin/routes" -X PUT -d '
{
  "id": "auth-with-oidc",
  "uri": "/anything/*",
  "plugins": {
    "openid-connect": {
      "bearer_only": false,
      "client_id": "'"$OIDC_CLIENT_ID"'",
      "client_secret": "'"$OIDC_CLIENT_SECRET"'",
      "discovery": "https://accounts.google.com/.well-known/openid-configuration",
      "scope": "openid profile",
      "redirect_uri": "http://localhost:9080/anything/callback"
    }
  },
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "httpbin.org:80": 1
    }
  }
}'
❶ bearer_only: set to false so that a request without a valid session or token is redirected to Google to start the authorization code flow instead of being rejected with 401. Set it to true for API clients that present a token in the Authorization header and should never be redirected.
❷ client_id: Google OAuth client ID.
❸ client_secret: Google OAuth client secret. APISIX sends it to Google's token endpoint when it exchanges the authorization code for tokens.
❹ discovery: URI of Google's OpenID Connect discovery document. The plugin reads the authorization, token and JWKS endpoints from it, and uses the published keys to validate the ID tokens it receives.
❺ redirect_uri: URI to which Google sends the browser back after authentication. It must match the authorized redirect URI registered for the client exactly, and it must fall under a URI this route matches (here /anything/*), because the plugin itself serves the callback: it exchanges the code for tokens, stores the session and then redirects the browser to the page originally requested.
Not set above is ssl_verify, which defaults to false in the plugin, so APISIX does not verify Google's TLS certificate when it fetches the discovery document and keys or calls the token endpoint. Add "ssl_verify": true to the plugin configuration for anything beyond a local test.
ADC (save the following as adc.yaml; the client secret is stored in plain text in this file, so keep it out of version control):
services:
  - name: httpbin Service
    routes:
      - uris:
          - /anything/*
        name: auth-with-oidc
        plugins:
          openid-connect:
            bearer_only: false
            client_id: "590838497384-v1v8tta846d4iki47kuaa5mompqio.apps.googleusercontent.com"
            client_secret: "bSaINfMk1YknmtXvo8lKkfeY0iwpr9c0"
            discovery: "https://accounts.google.com/.well-known/openid-configuration"
            scope: openid profile
            redirect_uri: "http://localhost:9080/anything/callback"
    upstream:
      type: roundrobin
      nodes:
        - host: httpbin.org
          port: 80
          weight: 1
Synchronize the configuration to APISIX:
adc sync -f adc.yaml
Verify
Navigate to http://localhost:9080/anything/test in a browser. Use the same host name that appears in redirect_uri (localhost here, not 127.0.0.1): before sending you to Google, the plugin stores the state, nonce and original URL of this login in a session cookie, and the browser scopes that cookie to the host you visited, so it would not be sent to a callback on a different host and the plugin would reject the callback. You should be redirected to Google's log-in page.
Once you have logged in, Google redirects the browser to the callback URL with an authorization code. The plugin exchanges the code for tokens at Google's token endpoint, validates the ID token, saves the session and redirects the browser back to the page originally requested, which is then forwarded to httpbin.org. You should see a response similar to the following in the browser:
{
"args": {},
"data": "",
"files": {},
"form": {},
"headers": {
"Accept": "text/html..."
...
},
"json": null,
"method": "GET",
"origin": "127.0.0.1, 122.71.24.81",
"url": "http://127.0.0.1/anything/test"
}
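As an added check for this verification step, the following shell script (example code written for this guide, not part of APISIX or the openid-connect plugin) inspects the 302 that the gateway returns for an unauthenticated request and confirms it is a well-formed authorization code request bound to the route configuration above: Google's authorization endpoint, response_type=code, the route's client_id and redirect_uri, the openid scope, and a state and nonce that tie the callback and the ID token to this browser session. The SAMPLE_LOCATION value is constructed with the client ID used in this guide, with made-up state and nonce values; fetch_redirect_location shows how to capture the real header with curl from the running gateway.

```shell
#!/bin/sh
# Added example (not from the APISIX docs or the openid-connect plugin): check that
# the 302 the plugin issues for an unauthenticated request is a well-formed
# authorization-code request bound to the route configuration in this guide.

# Print the value of one query parameter of a URL (decoding the escapes that
# appear in OIDC authorization requests), or nothing if it is absent.
query_param() {
  printf '%s\n' "$1" | sed -n 's/.*[?&]'"$2"'=\([^&#]*\).*/\1/p' \
    | sed 's|%3A|:|g; s|%2F|/|g; s|%20| |g; s|+| |g'
}

# Fetch the Location header APISIX returns for a protected URL. Needs the gateway
# from this guide to be running; it is not invoked in the offline check below.
fetch_redirect_location() {
  curl -s -o /dev/null -D - "$1" | sed -n 's/^[Ll]ocation: //p' | tr -d '\r'
}

# $1 = Location header value, $2 = expected client_id, $3 = expected redirect_uri.
# Returns 0 when every check passes; prints the first failing check and returns 1.
check_authz_redirect() {
  url=$1; want_client=$2; want_redirect=$3
  case "$url" in
    # authorization_endpoint published in Google's discovery document
    "https://accounts.google.com/o/oauth2/v2/auth?"*) ;;
    *) echo "not Google's authorization endpoint: $url"; return 1 ;;
  esac
  [ "$(query_param "$url" response_type)" = "code" ] \
    || { echo "response_type is not code (authorization code flow expected)"; return 1; }
  [ "$(query_param "$url" client_id)" = "$want_client" ] \
    || { echo "client_id does not match the route configuration"; return 1; }
  [ "$(query_param "$url" redirect_uri)" = "$want_redirect" ] \
    || { echo "redirect_uri does not match the route configuration"; return 1; }
  case " $(query_param "$url" scope) " in
    *" openid "*) ;;
    *) echo "scope does not include openid, so no ID token would be issued"; return 1 ;;
  esac
  [ -n "$(query_param "$url" state)" ] \
    || { echo "missing state (the callback must be bound to this browser session)"; return 1; }
  [ -n "$(query_param "$url" nonce)" ] \
    || { echo "missing nonce (the ID token must be bound to this request)"; return 1; }
  return 0
}

# Constructed sample of such a redirect, using the client ID from this guide;
# the state and nonce values are made up.
SAMPLE_LOCATION='https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=590838497384-v1v8tta846d4iki47kuaa5mompqio.apps.googleusercontent.com&scope=openid%20profile&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fanything%2Fcallback&state=c0ffee1234&nonce=deadbeef5678'

check_authz_redirect "$SAMPLE_LOCATION" \
  "590838497384-v1v8tta846d4iki47kuaa5mompqio.apps.googleusercontent.com" \
  "http://localhost:9080/anything/callback" && echo "redirect OK"

# Against the running gateway, with OIDC_CLIENT_ID exported as in this guide:
# check_authz_redirect "$(fetch_redirect_location http://localhost:9080/anything/test)" \
#   "$OIDC_CLIENT_ID" "http://localhost:9080/anything/callback"
```

The checks that matter most for security are the last three: a scope without openid yields plain OAuth authorization and no ID token to verify, a missing state leaves the callback open to login CSRF, and a missing nonce means a captured ID token could be replayed into another session.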
Next Steps
APISIX supports the integration with more OIDC identity providers, such as Keycloak, Authgear, Microsoft Entra ID, and Auth0.
In addition, APISIX also supports built-in authentication approaches such as key authentication, basic authentication, and JWT.