
Google Cloud Identity Integration

Under construction

Overview

This document explains how to integrate Google Cloud Identity into an existing Trillo application. Start with the current infrastructure, which does not yet use Google Cloud Identity: in the current application you maintain the user database yourself, including each user's profile and password hash, as shown in the figure below.
[Figure: Authentication (out-of-the-box)]
Once Google Cloud Identity is integrated, the application stores only the user id, email and other profile attributes in its local database. Credentials and the rest of the authentication state remain inside Google Cloud Identity; the application never handles the user's Google password.
[Figure: Authenticating with Google Cloud Identity]

Registering application for cloud identity integration

Because the workbench installation is owned by you, you set up the 'OAuth consent screen' on the 'APIs and services' page of the Google Cloud console to enable the integration. Provide the data shown on the pages below.
[Figure: Consent Options]
[Figure: Consent Configuration]
Once the configuration is complete the page looks as shown above. Add at least one valid email address of a Google account as a test user so that you can confirm the workbench configuration works end to end; while the consent screen is in testing status, only the listed test users are able to sign in.

Create authorization credentials

On the Credentials screen click 'Create credentials' and choose 'OAuth client ID'.
You must provide an authorized redirect URI. Its format is https://your-server-name/_oauth2/callback. Google compares this registered value exactly against the redirect_uri sent at login, so use the same scheme, host and path in the workbench configuration below.
The client ID and client secret of your application are shown on the right-hand side of this page. The client ID is public, but treat the client secret like a password: enter it only in the workbench configuration and never put it in page sources, repositories or logs.

Workbench configuration

Log into the workbench as an administrator and open the 'Settings' menu to reach the page shown below. Click 'Service Authorization' to create a new configuration for Google Cloud Identity. In this example the configuration is named 'GoogleWB'; the login page configuration later on refers to it by this name.
External service name: GoogleWB
Checkbox (enabled): API calls require authorization
Grant type: Authorization Code
Client ID: paste the value from the Google Cloud credentials screen
Client Secret: paste the value from the same screen
Redirect URL: the exact string you registered as the authorized redirect URI, for example https://your-server-name/_oauth2/callback
Comma Separate List of Scopes: openid profile email
Checkbox (enabled): User Preregistration Required?
User Info Transformation Function: GoogleUserProfileMapper
Post Authentication Redirect Host with Protocol: the URL of your main website, including the protocol
Logout URL:
Press the save icon in the top right corner of the page.
A button at the bottom of the page, 'Acquire Refresh Token', verifies that the settings are correct by running the authorization flow once. Before acquiring the refresh token, make sure your email address is listed as a test user on the consent configuration page. When the flow succeeds the page is updated with additional information, as shown below, confirming that everything works as configured.
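To make concrete what the 'Authorization Code' grant, the redirect URL and the scope list above do at runtime, here is an added Python sketch of the client side of that flow. It is an illustration written for this page, not Trillo's workbench code. Google's authorization endpoint URL and issuer values are real; the client ID, redirect URI and the sample ID-token claims are made up. It shows the three checks a client must make that the form does not spell out: the state parameter ties the callback to the user's session (against login CSRF), the redirect URI is compared exactly, and the ID token's issuer, audience and expiry are validated before its email claim is trusted. Verifying the token's signature against Google's JWKS is left out and must be done by the real client before the claim checks.

```python
import base64
import hashlib
import secrets
import time
import urllib.parse

# Real Google endpoint and issuer values; everything else in this example is made up.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def new_pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE with the S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_url(client_id, redirect_uri, scopes, state, code_challenge):
    """Step 1: the URL the browser is sent to when the user clicks 'Sign in with Google'."""
    params = {
        "response_type": "code",        # Authorization Code grant
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must equal the URI registered in Google Cloud
        "scope": " ".join(scopes),      # scopes are space-delimited on the wire (RFC 6749)
        "state": state,                 # random per-login value kept in the user's session
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def query_params(url):
    """Flatten the query string of url into a dict of single values."""
    query = urllib.parse.urlsplit(url).query
    return {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}


def parse_callback(callback_url, expected_state, registered_redirect_uri):
    """Step 2: validate the redirect back to /_oauth2/callback and return the authorization code."""
    parts = urllib.parse.urlsplit(callback_url)
    landed_on = urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if landed_on != registered_redirect_uri:
        raise ValueError("callback arrived at an unregistered redirect URI")
    q = query_params(callback_url)
    if "error" in q:
        raise ValueError("provider returned error: " + q["error"])
    # Constant-time compare of the state echoed by Google with the one stored in the session.
    if "state" not in q or not secrets.compare_digest(q["state"].encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not tied to this login attempt")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"]


def id_token_claims_are_valid(claims, client_id, now=None):
    """Step 3: claim checks on the decoded ID token after the code was exchanged for tokens.

    Signature verification against Google's JWKS must already have succeeded;
    this function only validates issuer, audience, expiry and the email flag.
    """
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return False
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False
    if claims.get("email_verified") is not True:
        return False  # never map an unverified email onto a local account
    return bool(claims.get("sub"))


if __name__ == "__main__":
    client_id = "123456789-example.apps.googleusercontent.com"  # made up
    redirect_uri = "https://your-server-name/_oauth2/callback"
    state = secrets.token_urlsafe(32)
    verifier, challenge = new_pkce_pair()
    print(build_authorization_url(client_id, redirect_uri, ["openid", "profile", "email"], state, challenge))
```

The state value and the PKCE verifier belong in the server-side session for the duration of one login attempt and are discarded after the callback; the 'Acquire Refresh Token' button on the workbench page exercises exactly this exchange once, with the administrator's own Google account.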

Login page configuration

The login page can now show a 'Sign in with Google' button next to the regular Trillo login, as shown below.
Create a new file named LoginPageConfig.json under the Metadata files/files path on your workbench, with the following content.
{
  "tilloAuthentication" : true,
  "oidc_authentications" : [
    {
      "type" : "authorization_code",
      "serviceName" : "GoogleWB",
      "loginButtonLabel" : "",
      "loginButtonImage" : "/$org_name$/shared/static/img/btn_google_signin_dark_normal_web.png",
      "description": "",
      "postAuthenticationRedirectUrl" : "",
      "cssClassName" : "google-sign-in-btn"
    }
  ]
}

Resolving unauthorized access

Because 'User Preregistration Required' is enabled, the application does not let anyone with a Google account in unless the administrator has created (preregistered) an account for that person. Such a person sees the following message.
[Figure: Unauthorization message]
The administrator can customize this message to tell users whom to contact to have an account created. The HTML template is a file inside the container, located at /nfsmnt/repo/cloud/shared/domainMeta/htmlTemplates/OAuth2PreAuthRequired.htm
The file can be edited directly in the container shell with vi or nano. Note that this file exists only in version 4.0.634 or later of the container. For how to open a shell into the container, consult the Google Cloud console documentation.
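The preregistration gate described above, together with the 'User Info Transformation Function' configured earlier, can be pictured with the following added Python illustration. It is written for this page and is not Trillo's GoogleUserProfileMapper; the userinfo response is shaped like the one Google's userinfo endpoint returns for the openid profile email scopes, but its values, the local user table and the PreAuthRequired exception name are made up. The point it makes: only profile attributes are copied into the local database, the Google subject (sub) is the stable identifier that a preregistered local account is bound to on first login, and an email address alone is never enough to log into an account that is already linked to a different Google subject.

```python
class PreAuthRequired(Exception):
    """Raised when a Google account has no preregistered local user (hypothetical name)."""


# Constructed local user table, as the administrator would have preregistered it:
# a local user id, a role, and no linked Google subject until the first login.
LOCAL_USERS = {
    "alice@example.com": {"user_id": 101, "role": "admin", "google_sub": None},
    "bob@example.com": {"user_id": 102, "role": "member", "google_sub": "20000000000000000002"},
}

# Constructed userinfo response, shaped like Google's for the openid profile email scopes.
SAMPLE_USERINFO = {
    "sub": "10000000000000000001",
    "name": "Alice Example",
    "given_name": "Alice",
    "family_name": "Example",
    "picture": "https://lh3.googleusercontent.com/a/example",
    "email": "Alice@Example.com",
    "email_verified": True,
    "locale": "en",
}


def map_google_profile(userinfo):
    """Transform Google's userinfo into the profile attributes kept locally.

    Only profile data is copied; tokens and anything credential-like stay at Google.
    """
    for key in ("sub", "email"):
        if not userinfo.get(key):
            raise ValueError("userinfo is missing " + key)
    if userinfo.get("email_verified") is not True:
        # Google has not verified this address; refuse to match it against local accounts.
        raise ValueError("email address is not verified by Google")
    return {
        "external_id": userinfo["sub"],  # stable per Google account, unlike the email
        "email": userinfo["email"].strip().lower(),
        "display_name": userinfo.get("name", ""),
        "picture": userinfo.get("picture", ""),
    }


def resolve_local_user(profile, users):
    """Apply the preregistration gate and bind the Google subject to the local account."""
    record = users.get(profile["email"])
    if record is None:
        # Nobody preregistered this address: show the OAuth2PreAuthRequired page, create nothing.
        raise PreAuthRequired(profile["email"])
    if record["google_sub"] is None:
        record["google_sub"] = profile["external_id"]  # first login: link the subject
    elif record["google_sub"] != profile["external_id"]:
        # Same email, different Google account: do not log this person into someone else's user.
        raise ValueError("Google subject does not match the account linked to this email")
    return record


def login(userinfo, users=None):
    """Run the mapping and the gate; returns the local user record on success."""
    if users is None:
        users = LOCAL_USERS
    return resolve_local_user(map_google_profile(userinfo), users)


if __name__ == "__main__":
    print(login(SAMPLE_USERINFO))
```

Binding on sub rather than email is what makes the gate safe against an address that is later released and reassigned: the administrator preregisters by email because that is what they know, but after the first login the account follows the Google subject.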