
Single Sign-On with Google

Create an OAuth client in the Google API Console

To use Google as an IdP for Single Sign-On, you will first need to create an OAuth web application in the Google API Console.

  1. Open the Credentials page in the API Console.

  2. Click Create credentials > OAuth client ID.

  3. Select Web application and give it a name.

  4. Under Restrictions, fill in the Authorized redirect URIs with

  5. Click Create.

  6. Record the client ID and client secret in the pop-up window. You will need these when configuring Ambassador Edge Stack.

Set up Ambassador Edge Stack

After creating an OAuth client in Google, configuring Ambassador Edge Stack to make use of it for authentication is simple.

  1. Create an OAuth Filter with the credentials from above:

    apiVersion: getambassador.io/v3alpha1
    kind: Filter
    metadata:
      name: google
    spec:
      OAuth2:
        # Google openid-configuration endpoint can be found at https://accounts.google.com/.well-known/openid-configuration
        authorizationURL: https://accounts.google.com
        # Client ID from step 6 above
        clientID: CLIENT_ID
        # Secret created in step 6 above
        secret: CLIENT_SECRET
        # The protectedOrigin is the scheme and Host of your Ambassador Edge Stack endpoint
        protectedOrigins:
        - origin: http(s)://{{AMBASSADOR_URL}}

  2. Create a FilterPolicy to use the Filter created above:

    apiVersion: getambassador.io/v3alpha1
    kind: FilterPolicy
    metadata:
      name: google-policy
    spec:
      rules:
        # Requires authentication on requests from any hostname
      - host: "*"
        # Tells Ambassador Edge Stack to apply the Filter only on requests to the quote /backend/get-quote/ endpoint
        path: /backend/get-quote/
        # Identifies which Filter to use for the path and host above
        filters:
        - name: google

  3. Apply both the Filter and FilterPolicy above with kubectl:

    kubectl apply -f google-filter.yaml
    kubectl apply -f google-policy.yaml

Now any requests to https://{{AMBASSADOR_URL}}/backend/get-quote/ will require authentication from Google.
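
To confirm the policy is enforced after applying it, the response to an unauthenticated request can be checked against the Filter settings. The following is an added example, not part of the original page or the Ambassador project: it assumes the Filter answers with a standard OAuth2 authorization-code redirect, and the function name, sample hostname and callback path are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

IDP_HOST = "accounts.google.com"  # host of the Filter's authorizationURL


def check_login_redirect(status, location, client_id, protected_origin):
    """Return a list of problems. An empty list means the unauthenticated
    request was answered with a well-formed OAuth2 redirect to Google."""
    if not 300 <= status < 400 or not location:
        return [f"expected a redirect to Google, got HTTP {status}"]
    problems = []
    url = urlsplit(location)
    if (url.scheme, url.hostname) != ("https", IDP_HOST):
        problems.append(f"redirect goes to {url.scheme}://{url.netloc}, not Google")
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    if params.get("response_type") != "code":
        problems.append("response_type is not 'code'")
    if params.get("client_id") != client_id:
        problems.append("client_id differs from the Filter's clientID")
    if not params.get("state"):
        problems.append("no state parameter to bind the callback to this session")
    callback = urlsplit(params.get("redirect_uri", ""))
    if f"{callback.scheme}://{callback.netloc}" != protected_origin.rstrip("/"):
        problems.append("redirect_uri origin differs from protectedOrigins")
    if callback.scheme != "https":
        problems.append("redirect_uri is not https, so the code travels in clear text")
    return problems


def sample_location(origin):
    # Constructed sample Location header; the callback path is a placeholder.
    query = urlencode({
        "response_type": "code",
        "client_id": "CLIENT_ID",
        "redirect_uri": origin + "/callback-placeholder",
        "state": "constructed-state-value",
    })
    return f"https://{IDP_HOST}/o/oauth2/v2/auth?{query}"


if __name__ == "__main__":
    origin = "https://edge.example.com"  # constructed protectedOrigins value
    cases = {
        "policy applied": (303, sample_location(origin)),
        "policy missing": (200, None),
        "http callback": (303, sample_location("http://edge.example.com")),
    }
    for name, (status, location) in cases.items():
        print(name, check_login_redirect(status, location, "CLIENT_ID", origin))
```

The status code and Location header to pass in can be taken from a request made without cookies to /backend/get-quote/.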