Configure Google as a Federated Authenticator
This page guides you through configuring Google as a federated authenticator in WSO2 Identity Server. Note that you can also configure One Tap authentication for sign-in with Google.
Set up a Google app
First, configure a Google app that WSO2 IS will integrate with.
Go to the Google Developer console, create a new project, or select an existing project.
If the APIs & services page isn't already open, do the following:
Open the navigation menu and click View all products.
Under Management, click APIs & Services.
Go to the Credentials page, click Create Credentials, and select OAuth client ID.
On the Create OAuth client ID page, first select Web application as the Application type.
Click Configure Consent Screen and configure the consent screen.
For more information, see User Consent.
Return to the Create OAuth client ID page and apply the following values.
Authorized Redirect URI: Specify the endpoint in WSO2 IS to which Google should send responses after the authentication process. Google accepts responses only for redirect URIs registered here, so the value must match the WSO2 IS endpoint exactly. Use the following as the authorized redirect URI for your WSO2 IS instance running on localhost:
Click Create to generate the OAuth client ID and client secret.
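The authorized redirect URI is compared by exact match, which is why a mismatched scheme, port, path or query string is the most common reason a Google login bounces back with an error. The following is an added example (not code from WSO2 IS or Google) that reproduces that exact-match rule over a registered value so you can sanity-check a redirect URI before saving it in the console. The registered URI below uses the wso2is.local hostname from this guide with a constructed placeholder path; it is not the real WSO2 IS callback endpoint.

```python
from urllib.parse import urlsplit

# Constructed value for this walkthrough: the wso2is.local host from the
# /etc/hosts step plus a PLACEHOLDER path. Replace with the real WSO2 IS
# endpoint you registered in the Google console.
REGISTERED_REDIRECT_URI = "https://wso2is.local:9443/callback-placeholder"

DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize(uri: str) -> tuple:
    """Split a URI into the components that redirect-URI matching compares.

    Scheme and host are case-insensitive (RFC 3986), so they are lower-cased,
    and the port is made explicit so 'https://h/x' equals 'https://h:443/x'.
    Path and query are compared byte-for-byte without dot-segment
    normalization, and a fragment is never permitted in a redirect URI.
    """
    parts = urlsplit(uri)
    if parts.fragment:
        raise ValueError("redirect URIs must not contain a fragment")
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("redirect URI has no host")
    port = parts.port or DEFAULT_PORTS[parts.scheme]  # .port raises on junk
    return (parts.scheme, parts.hostname, port, parts.path, parts.query)


def redirect_uri_allowed(candidate: str, registered: str = REGISTERED_REDIRECT_URI) -> bool:
    """Exact-match check as applied by authorization servers such as Google.

    Only scheme/host case and an explicitly written default port are
    tolerated; everything else must equal the registered value. Malformed
    input yields False rather than an exception so callers treat 'bad' and
    'mismatch' the same way.
    """
    try:
        return _normalize(candidate) == _normalize(registered)
    except ValueError:
        return False


if __name__ == "__main__":
    for uri in (
        REGISTERED_REDIRECT_URI,
        "http://wso2is.local:9443/callback-placeholder",        # scheme differs
        "https://wso2is.local/callback-placeholder",            # port differs
        "https://wso2is.local:9443/callback-placeholder/",      # trailing slash
        "https://wso2is.local:9443/callback-placeholder?x=1",   # extra query
    ):
        print(f"{redirect_uri_allowed(uri)!s:5}  {uri}")
```

Run it against the URI you intend to register; every line but the first should print False. The same strictness applies on the WSO2 IS side when it validates the callback URL of the service provider, so keep both values identical character for character.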
Register an identity provider
Log in to the Management Console (https://<IS_HOST>:<PORT>/carbon) using admin/admin credentials.
Navigate to Main > Identity > Identity Providers > Add.
Enter an Identity Provider Name, Display Name, and Description.
Go to Federated Authenticators > Google Configuration and configure the following parameters.
- Enable: Select this checkbox to enable federated authentication using this identity provider.
- Client ID: The client ID that was generated for the Google application.
- Client Secret: The client secret that was generated for the Google application.
- Callback URL: Enter the following as the callback URL of the application:
- Enable One Tap: Select this checkbox to use Google One Tap.
Note: If you are using the Console app of WSO2 IS, the Enable One Tap configuration is available for all tenants by default. If you want to restrict this option to selected tenants, add the following configuration to the
google_one_tap_enabled_tenants = ["carbon.super", "t.com"]
Click Register to add the Google IdP.
Register a service provider
To register your application as a service provider in the WSO2 Identity Server:
Log in to the WSO2 Identity Server Management Console using administrator credentials.
Go to Main > Identity > Service Providers > Add.
Enter a Service Provider Name. Optionally, enter a Description.
In the Inbound Authentication Configuration section, click Configure under the OAuth/OpenIDConnect Configuration section and set the configurations as required.
Configure the Callback URL of the sample application (http://localhost.com:8080/pickup-dispatch/oauth2client).
Keep the other configurations as default and click Add.
Click Register. You are returned to the Service Providers page.
Copy the OAuth Client Key and the OAuth Client Secret for later use.
Go to the Local and Outbound Authentication Configuration section.
For Authentication Type, select Advanced Configuration and click it.
Expand Step 1 and configure two authenticators for this authentication step:
- Local Authenticator: Select Username & Password from the list.
- Federated Authenticators: Select the Google identity provider that you configured for this tutorial.
Click Update to return to the service provider configuration page and then click Update again to save the changes.
Try it out
You have successfully configured Google as your federated authenticator. Now, when you try to log in to your application, it should redirect to the Google login page. On successful authentication with your Google credentials, you will be able to access your application.
Set up the sample app
Download Apache Tomcat 9.x from here and install it. The Tomcat server installation location is referred to as <TOMCAT_HOME> later in this guide.
It is recommended that you use a hostname that is not localhost to avoid browser errors. Modify the /etc/hosts entry on your machine to reflect this. Note that wso2is.local is used in this documentation as an example, but you must modify this when configuring the authenticators or connectors with this sample application.
Download the sample from GitHub.
- Navigate to WSO2 Identity Server Samples.
- Download the pickup-dispatch.war file from the latest release assets.
Deploy the sample app
Deploy this sample web app on a web container. Copy the pickup-dispatch.war file into the webapps folder (for example, <TOMCAT_HOME>/webapps).
Open a terminal window and add the following entries to the /etc/hosts file of your machine to configure the hostnames.
127.0.0.1 wso2is.local
127.0.0.1 localhost.com
Why is this step needed?
Some browsers do not allow you to create cookies for a naked hostname such as localhost. Cookies are required when working with SSO. Therefore, to ensure that the SSO capabilities work as expected in this tutorial, you need to configure the /etc/hosts file as explained in this step.
The /etc/hosts file is read-only for regular users, so you cannot edit it simply by opening it in a text editor. Instead, edit it from the terminal with elevated privileges. For example, use the following command if you are working on a Mac/Linux environment.
sudo nano /etc/hosts
Open the dispatch.properties file found in the <TOMCAT_HOME>/webapps/pickup-dispatch/WEB-INF/classes directory and edit the consumerKey and consumerSecret with the values obtained from the OAuth configuration (the OAuth Client Key and OAuth Client Secret you copied earlier).
Restart the Tomcat server.
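The two edits above (the /etc/hosts entries and the consumerKey/consumerSecret values in dispatch.properties) are the steps most often done by hand and most often done wrong. The following is an added example, not part of the sample application or of WSO2 IS, that works out exactly which hosts lines are still missing and rewrites the two properties keys in place without touching anything else. It operates on file contents passed as strings, with constructed stand-ins for both files embedded so it runs offline; the key names consumerKey and consumerSecret and the hostnames are the ones this guide uses.

```python
import re

# Constructed stand-in for /etc/hosts on a machine where only wso2is.local
# has been added so far.
SAMPLE_HOSTS = """127.0.0.1 localhost   # default entry
::1       localhost
127.0.0.1 wso2is.local
"""

# Constructed stand-in for WEB-INF/classes/dispatch.properties; only the two
# keys this guide asks you to edit are modelled.
SAMPLE_DISPATCH_PROPERTIES = """# constructed sample, not the shipped file
consumerKey=REPLACE_ME
consumerSecret=REPLACE_ME
"""

# Hostnames this guide maps to the loopback address.
REQUIRED_HOSTS = {"wso2is.local": "127.0.0.1", "localhost.com": "127.0.0.1"}


def missing_host_entries(hosts_text, required=REQUIRED_HOSTS):
    """Return (hostname, ip) pairs not yet mapped in an /etc/hosts body.

    Lines are read the way the resolver reads them: '#' starts a comment, the
    first field is the address and every remaining field is a name for it.
    """
    mapped = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapped.setdefault(name.lower(), set()).add(ip)
    return [(name, ip) for name, ip in required.items()
            if ip not in mapped.get(name.lower(), set())]


def hosts_lines_to_add(hosts_text, required=REQUIRED_HOSTS):
    """The exact lines to append with 'sudo nano /etc/hosts' (or sudo tee)."""
    return [f"{ip} {name}" for name, ip in missing_host_entries(hosts_text, required)]


def credential_problems(consumer_key, consumer_secret):
    """List what is wrong with the pasted key/secret before writing them."""
    problems = []
    for name, value in (("consumerKey", consumer_key), ("consumerSecret", consumer_secret)):
        if not value:
            problems.append(f"{name} is empty")
        elif value != value.strip():
            problems.append(f"{name} has surrounding whitespace")
    return problems


def set_properties(text, updates):
    """Set keys in a Java .properties body.

    Existing 'key=value' or 'key: value' lines are replaced in place (order
    and comments preserved); keys that are absent are appended at the end.
    """
    remaining = dict(updates)
    out = []
    for line in text.splitlines():
        m = re.match(r"^\s*([^#!=:\s]+)\s*[=:]\s*(.*)$", line)
        if m and m.group(1) in remaining:
            out.append(f"{m.group(1)}={remaining.pop(m.group(1))}")
        else:
            out.append(line)
    out.extend(f"{key}={value}" for key, value in remaining.items())
    return "\n".join(out) + "\n"


def configure_sample(properties_text, consumer_key, consumer_secret):
    """Return dispatch.properties with the OAuth client key and secret set."""
    problems = credential_problems(consumer_key, consumer_secret)
    if problems:
        raise ValueError("; ".join(problems))
    return set_properties(properties_text,
                          {"consumerKey": consumer_key, "consumerSecret": consumer_secret})


if __name__ == "__main__":
    print("hosts lines to add:", hosts_lines_to_add(SAMPLE_HOSTS))
    print(configure_sample(SAMPLE_DISPATCH_PROPERTIES, "client-key-xyz", "client-secret-xyz"))
```

To apply it to the real files, read /etc/hosts and the dispatch.properties path from the guide, pass their contents in, and write the results back (the hosts write needs sudo). Keep the client secret out of shell history and version control; the file under WEB-INF/classes should be readable only by the account that runs Tomcat.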
Sign in with Google
To test the sample:
Go to the following URL on your browser:
You are redirected to the Google login page.
Click Sign in with Google to be redirected to the Google sign-in page.
If you have Google One Tap enabled for your Google IdP, you will be able to skip this step. See the instructions on signing in with Google One Tap.
Select your preferred Google account and sign in with your Google credentials.
You are redirected to the sample application's home page.
Sign in with Google One Tap
Google One Tap is a personalized authentication feature provided by Google. When the browser already has an authenticated Google session, a personalized sign-in/sign-up prompt appears instead of the conventional Google sign-in button. Note that this feature applies only to web applications that support One Tap.
Google One Tap is supported only on the following browsers.
When Google One Tap is enabled, the conventional Google sign-in button is not shown on the login page. However, the application user can close the One Tap prompt to re-enable the conventional Google sign-in button. As defined by Google, once the user closes the One Tap prompt it takes two hours before it is offered again, unless cookies are cleared.