Google OpenID Setup

Warning

Be mindful when configuring OpenID providers that are public. Any user that can successfully authenticate with the provider will have access to your deployment of Kasm Workspaces. While access to Kasm Workspace apps and desktops can be resitricted with Kasm group permissions, any user of the public authentication provider would still be able to login to your deployment of Kasm. It is recommended to use a private OpenID provider unless your intention is to allow authentictioned access to all users of the OpenID platform provider.

This guide walks through a basic setup allowing Google users to authenticate with your Kasm deployment.

Reference Docs:

Creating a Google OAuth App

  1. Login to the Google Developer Console: https://console.developers.google.com

  2. Select OAuth consent screen.

  3. Select External then click Create.

Warning

In this example, we walk through creating an integration where any Google user can auth with the Kasm app. This is ideal for a public facing deployment. Choose Internal if only user from your Google Workspaces corporate account should be allowed to authenticate.

../../_images/oauth_consent_create.png

OAuth Consent

  1. Provide values for the App Name , User support email, and Developer Contact email.

  2. In the Authorized Domains section, enter your deployment’s top private domain (e.g example.com).

  3. Click Save and Continue.

../../_images/oauth_consent_registration.png

App Registration

  1. Click Add or Remove Scopes.

  2. In the Update Selected Scopes window check .../auth/userinfo.email , then click Update.

../../_images/oauth_consent_scopes.png

Update Selected Scopes

  1. Click Save and Continue.

  2. Until the app is fully verified and published it can only be used to auth specific test accounts. Click Add Users to authorize several test google accounts.

  3. Click Save and Continue.

  4. In the APIs & Services menu, select Credentials.

  5. Select Create Credentials, then OAuth client ID.

../../_images/select_oauth_client_id.png

Create Credentials

  1. Select Web Application as the Application type, then give the client a name (e.g Kasm).

  2. Click Add URI in the Authorized redirect URIs section, and enter https://<kasm deployment hostname>/api/oidc_callback.

  3. Click Create.

../../_images/create_oauth_client.png

Create OAuth Client

17. A dialogue will display with a Client ID and Client Secret. Save these values for the next configuration steps. The JSON download will also include URLs needed for the next configuration steps.

../../_images/client_secret1.png

Client ID and Client Secret

Kasm OpenID Config

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Authentication -> OpenID -> Add Config.

  3. Update the form with the following entries, using the Client ID and Client Secret gathered in the previous section.

Property

Value

Display Name

Continue with Google

Logo URL

https://www.google.com/favicon.ico

Enabled

Checked

Auto Login

Unchecked

Hostname

<Empty>

Default

Checked

Client ID

<Client ID From Google OAuth App>

Client Secret

<Client Secret from Google OAuth App>

Authorization URL

https://accounts.google.com/o/oauth2/auth

Token URL

https://oauth2.googleapis.com/token

User Info URL

https://www.googleapis.com/oauth2/v1/userinfo

Scope

openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile

Username Attribute

email

Groups Attribute

Unchecked

Debug

Unchecked

../../_images/kasm_oidc_configuration1.webp

Kasm OIDC Configurations

  1. Click Save to save the changes.

Google Login Test

  1. Logout of the Kasm to display the login screen. The OpenID configuration should be shown.

../../_images/login2.webp

Login Screens

  1. Click Continue with Google.

  2. The user is redirected to Google for auth.

../../_images/authorization2.png

Google Auth

  1. Upon completion, the user is logged into the Kasm app.