G Suite

Spinnaker supports OAuth 2.0 for authentication with G Suite.

This page instructs you on how to obtain an OAuth 2.0 client ID and client secret for use with your G Suite organization (previously known as Google Apps for Work).

Get client ID and secret

  1. Navigate to https://console.developers.google.com/apis/credentials.
  2. Click “Create credentials” -> “OAuth client ID”.
  3. Select “Web Application”, and enter a name.
  4. Under “Authorized redirect URIs”, add https://localhost:8084/login, replacing the domain (localhost:8084) with your Gate address, if known, and https with http if appropriate. Click Create.
  5. Note the generated client ID and client secret. Copy these to a safe place.

Configure Halyard

You may configure Halyard either with the CLI or by manually editing the hal config.

Hal config

    security:
      authn:
        oauth2:
          enabled: true
          client:
            clientId: # client ID from above
            clientSecret: # client secret from above
            accessTokenUri: https://www.googleapis.com/oauth2/v4/token
            userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth
            scope: profile email
          resource:
            userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
          userInfoRequirements:
            # You almost certainly want to restrict access to your Spinnaker to
            # users whose account is from your hosted domain; without this any
            # user with a Google account will have access.
            hd: # hosted domain
          userInfoMapping:
            email: email
            firstName: given_name
            lastName: family_name
          provider: GOOGLE
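
The effect of the hd requirement in the config above, as an added example that is not part of the Spinnaker documentation or Gate's code. It models the requirement check as exact string equality (an assumption) over constructed userinfo responses; all function and variable names are hypothetical.

```python
# Added illustration, not Gate's source code. Exact string equality between a
# requirement and the userinfo field is an assumption of this model.

def meets_requirements(user_info, requirements):
    """True when every configured requirement equals the same userinfo field."""
    return all(user_info.get(key) == want
               for key, want in (requirements or {}).items())

def admitted(users, oauth2_cfg):
    """Emails of the users a given oauth2 config block would let in."""
    reqs = oauth2_cfg.get("userInfoRequirements")
    return [u["email"] for u in users if meets_requirements(u, reqs)]

def lint(oauth2_cfg):
    """Warnings for an enabled Google oauth2 block with no hosted-domain pin."""
    warnings = []
    if not oauth2_cfg.get("enabled"):
        return warnings
    hd = (oauth2_cfg.get("userInfoRequirements") or {}).get("hd")
    if oauth2_cfg.get("provider") == "GOOGLE" and not hd:
        warnings.append(
            "userInfoRequirements.hd is not set: any Google account can log in")
    return warnings

# Constructed userinfo responses. Google returns `hd` only for accounts that
# belong to a hosted (G Suite) domain; consumer accounts carry no such field.
USERS = [
    {"email": "alice@example.com", "hd": "example.com"},
    {"email": "bob@gmail.com"},
    {"email": "carol@other.example", "hd": "other.example"},
]

# The parsed security.authn.oauth2 block, without and with the hd requirement.
OPEN_CFG = {"enabled": True, "provider": "GOOGLE"}
PINNED_CFG = {"enabled": True, "provider": "GOOGLE",
              "userInfoRequirements": {"hd": "example.com"}}

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CFG), ("pinned", PINNED_CFG)):
        print(name, admitted(USERS, cfg), lint(cfg))
```
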

CLI

    hal config security authn oauth2 edit --provider google \
      --client-id (client ID from above) \
      --client-secret (client secret from above)
    hal config security authn oauth2 enable

Last modified August 28, 2020: fix ordering to match current site (4ca0bf9)