Restrict domains with SSO via google #1441

Closed
igimot opened this issue Jan 20, 2022 · 33 comments · Fixed by #2790
Assignees
Labels
scope/backend status/accepted An issue which has passed triage and has been accepted type/enhancement En enhancement to an already existing feature
Milestone

Comments

@igimot

igimot commented Jan 20, 2022

I use google auth with my domain for SSO.

I have the domain awsome.com and I want access only from this domain, but if I try to authorize from another domain (gmail.com) I still have access to kafka-ui. That is not a good solution. I tried to find a solution, but found nothing.

Maybe you have a solution?

@github-actions github-actions bot added the status/triage Issues pending maintainers triage label Jan 20, 2022
@github-actions

Hello there igimot! 👋

Thank you and congratulations 🎉 for opening your very first issue in this project! 💖

In case you want to claim this issue, please comment down below! We will try to get back to you as soon as we can. 👀

@Haarolean
Contributor

Hey, thanks for reaching out.

Seems like there's no way to do this with configuration out of the box.

Would you verify the solution once I prepare a build with the fix?

@Haarolean Haarolean added scope/backend status/accepted An issue which has passed triage and has been accepted type/enhancement En enhancement to an already existing feature and removed status/triage Issues pending maintainers triage labels Jan 20, 2022
@Haarolean Haarolean self-assigned this Jan 20, 2022
@Haarolean Haarolean added this to the 0.4 milestone Jan 20, 2022
@igimot
Author

igimot commented Jan 21, 2022

Oh, that's great, sure and thanks!!!

@Haarolean
Contributor

Haarolean commented Jan 21, 2022

Please try this image out. You can import it via docker load < file.tar.gz.
Also, please add this env variable:
OAUTH2_GOOGLE_ALLOWEDDOMAIN="https://example.com/"

File SHA1 6d1217ca027e5277b62583af2e875aa4df5b2ee8
Docker image ID sha256:05e6b7f1994bec1aa16f7055d08a6b672dddcde749d09c174cab6aa1bdfda8d8

image
file signature

my key to verify the signature against

@Haarolean Haarolean added the status/pending Further information is requested label Jan 21, 2022
@Haarolean Haarolean linked a pull request Jan 21, 2022 that will close this issue
@Haarolean
Contributor

Oh, guess the access token expired.

Please try these:
image
file signature
Links should be valid for 7 days (I hope).

@igimot
Author

igimot commented Jan 25, 2022

oh that's great, thx

@igimot
Author

igimot commented Jan 25, 2022

Works)))!!
But the error message is not good)) output on the page:

    "code": 5000,
    "message": "Authentication within this domain is prohibited",
    "timestamp": 1643101316551,
    "requestId": "80d0904c-5",
    "fieldsErrors": null,
    "stackTrace":

I think a popup message would be a good idea if the domain is not allowed for authorizing.

@Haarolean Haarolean changed the title How to log in over a specific domain with SSO use google? SSO via google Jan 25, 2022
@Haarolean Haarolean changed the title SSO via google Restrict domains with SSO via google Jan 25, 2022
@Haarolean
Contributor

@igimot glad it works. Yeah, we have to adjust that. Could you please share a screenshot of such a page? Is it just blank or with some UI elements?

@igimot
Author

igimot commented Jan 26, 2022

image

@Haarolean
Contributor

Thanks, that's not a good way to display it for sure :)

@igimot
Author

igimot commented Feb 1, 2022

Hello, @Haarolean
Any updates?

@igimot
Author

igimot commented Feb 3, 2022

@Haarolean ?

@Haarolean
Contributor

@igimot as soon as there are any, I'll let you know.

@Haarolean
Contributor

@igimot I need you to share the details of how to create a dummy google oauth app for this purpose. My setup doesn't work the same way for some reason. Which scopes have you enabled at google cloud? Do you pass the SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_SCOPE variable to kafka-ui itself? I need more details to reproduce and test the solution. If you could provide a step-by-step instruction, that would be nice.

@stale

stale bot commented Feb 12, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the status/stale Stale issues will be closed in 7 days. label Feb 12, 2022
@Haarolean
Contributor

I'd like this to get done if someone could provide a working setup example for google oauth

@Haarolean
Contributor

@igimot @adrianoapj can you try this image?
I've added a decent error page handling.

@Haarolean Haarolean added the status/pending Further information is requested label May 25, 2022
@Haarolean Haarolean added this to the 0.5 milestone May 25, 2022
@github-actions

github-actions bot commented Jun 2, 2022

This issue has been automatically marked as stale because no requested feedback has been provided. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the status/stale Stale issues will be closed in 7 days. label Jun 2, 2022
@Haarolean Haarolean added status/on-hold Waiting for something, but not the user input. and removed status/pending Further information is requested status/stale Stale issues will be closed in 7 days. labels Jun 2, 2022
@adrianoapj

Hello!

I am having a hard time trying to set up this feature.
I tried setting OAUTH2_GOOGLE_ALLOWEDDOMAIN=mydomain both with https:// and without it, with a trailing slash and without it, and every time I am getting the same problem: it allows every account I try to sign in with (tried with gmail and accounts from other domains), as if this environment variable was not even there...

Commit hash: 8636a5c

@Haarolean
Contributor

Hey, thanks for trying it out. As far as I understand, there has to be an hd request parameter present. I haven't figured out how to do that, so I just mocked the request and thought you had the same setup (seems like @igimot was able to set this param).
Let me know if you figure this out :)

@adrianoapj

adrianoapj commented Jun 2, 2022

Hmm, that's weird, I checked and the hd parameter is present:
https://share.cleanshot.com/sO3FPR
While my environment variable is set to:
https://share.cleanshot.com/jkoGyB
I also tested Google OAuth API directly and got this on id_token JWT:
https://share.cleanshot.com/FlpvjL

And it is still accepting my sign-in attempt 🤔

@Haarolean
Contributor

@adrianoapj how do I configure that thing on google's side so I can test a real case?

@adrianoapj

@adrianoapj how do I configure that thing on google's side so I can test a real case?

Here is a step-by-step guide:

First, you will need a Google Cloud Platform account with a project on it. If you don't have one, you are probably eligible for a free trial (https://console.cloud.google.com/freetrial); get started with that.

  1. Configure your consent screen (https://console.cloud.google.com/apis/credentials/consent). You can fill it with test values, and I guess openid is enough scope in order for Kafka UI to work
  2. Once your consent screen is set up, you will need to create credentials for your OAuth setup. So first open this page: https://console.cloud.google.com/apis/credentials
  3. Now click on "Create Credentials" and select "OAuth Client ID"
  4. Select "Web Application" as your application type and define a name for your credentials
  5. For "Authorized JavaScript Origins", I recommend putting your Kafka UI URL (e.g: http://localhost:8080)
  6. For "Authorized redirect URIs", you should put your redirect URL (e.g: http://localhost:8080/login/oauth2/code/google)
  7. Click create and now it will show you Client ID and Client Secret
  8. Set up your environment variables like this:
AUTH_TYPE=OAUTH2
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_CLIENTID=936717703302-jk60kpbn0qmgo8b9nat0lengari28hlg.apps.googleusercontent.com
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_CLIENTSECRET=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
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_REDIRECT_URI=http://localhost:8080/login/oauth2/code/google
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_SCOPE=openid
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_GOOGLE_ISSUER_URI=https://accounts.google.com
OAUTH2_GOOGLE_ALLOWEDDOMAIN=mygoogleworkspacedomain.com

Please let me know if you find some trouble doing it or if you need any additional info about it :)

@Haarolean
Contributor

Hey, thanks for the more detailed guide, I was asking regarding the hd parameter in particular. I've been able to set up the rest with the previous guide you provided but I've no idea how to make google include this param upon authentication tbh.

@adrianoapj

adrianoapj commented Jun 10, 2022

Oh, got it! Well, by default the hd parameter should be there, except when you are using a Gmail account (in this case, according to the documentation, hd is not included).

image
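The setup guide above ends with `OAUTH2_GOOGLE_ALLOWEDDOMAIN=mygoogleworkspacedomain.com`, and the last two comments pin down why the check can appear to do nothing: Google only populates the `hd` ("hosted domain") claim for Google Workspace accounts, so a consumer gmail.com login carries no `hd` at all. The following is an added example, not kafka-ui's own code, showing how a server-side domain allow-list should evaluate an ID token's claims: exact match on `hd`, a missing `hd` treated as "not allowed", and the allowed-domain setting normalized so that the `https://mydomain/` and `mydomain` forms tried in this thread behave the same. The function names, the normalization rule, and the "no restriction configured means allow" behaviour are assumptions of this example; the sample claims are constructed.

```python
"""Added example (not kafka-ui's own code): enforcing a Google Workspace
hosted-domain allow-list on the claims of a Google ID token.

Assumed here (not from the project): the token has already been verified
by the OIDC library (signature, issuer, audience, expiry). This code only
answers the authorization question "does this account belong to an
allowed hosted domain?".
"""
from typing import Iterable, Tuple
from urllib.parse import urlparse


def normalize_domain(value: str) -> str:
    """Turn 'example.com', 'https://example.com/' or 'EXAMPLE.COM.' into the
    bare lower-cased host. Users in this thread tried all of these forms, so a
    tolerant normalizer avoids a misconfiguration that silently never matches."""
    value = value.strip()
    if "://" in value:
        value = urlparse(value).hostname or ""
    return value.strip("/").rstrip(".").lower()


def domain_allowed(claims: dict, allowed_domains: Iterable[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a verified set of ID-token claims.

    Google sets `hd` only for Workspace (hosted) accounts; a gmail.com login
    has no `hd` claim. A missing `hd` must therefore be rejected, and the
    comparison must be an exact match on `hd`: a suffix match on the e-mail
    address would also accept look-alike domains and is not asserted by Google.
    """
    allowed = {normalize_domain(d) for d in allowed_domains if d and d.strip()}
    if not allowed:
        # Assumption of this example: no allow-list configured means no restriction.
        return True, "no domain restriction configured"
    hd = claims.get("hd")
    if not isinstance(hd, str) or not hd:
        return False, "token has no hd claim (consumer account, not a Workspace account)"
    if normalize_domain(hd) not in allowed:
        return False, "hosted domain %r is not in the allow-list" % hd
    return True, "hosted domain %r allowed" % hd


# Constructed sample claims, shaped like the payload of a Google ID token.
WORKSPACE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "100000000000000000001",
    "email": "alice@mygoogleworkspacedomain.com",
    "hd": "mygoogleworkspacedomain.com",
}
GMAIL_CLAIMS = {  # consumer account: note the absence of "hd"
    "iss": "https://accounts.google.com",
    "sub": "100000000000000000002",
    "email": "bob@gmail.com",
}
OTHER_WORKSPACE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "100000000000000000003",
    "email": "carol@other-company.example",
    "hd": "other-company.example",
}

if __name__ == "__main__":
    # The allow-list is given in the 'https://.../' form the thread shows users trying.
    allow = ["https://mygoogleworkspacedomain.com/"]
    for name, claims in [("workspace", WORKSPACE_CLAIMS),
                         ("gmail", GMAIL_CLAIMS),
                         ("other workspace", OTHER_WORKSPACE_CLAIMS)]:
        ok, why = domain_allowed(claims, allow)
        print(f"{name:16s} allowed={ok}  ({why})")
```

One caveat worth keeping in mind when debugging this: the `hd` parameter that can be added to the authorization request only pre-selects matching accounts on Google's sign-in page; it is a hint, not an access control. The server still has to check the `hd` claim of the returned ID token, which is what the function above does.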

@Haarolean
Contributor

Ahh, that might be it. I tried setting up a cloud app but tried logging in via personal account to test the feature. I'll check it out asap and will get back to you, thanks!

@Haarolean Haarolean removed the status/on-hold Waiting for something, but not the user input. label Jun 10, 2022
@Haarolean
Contributor

I've been able to receive a request with an hd param present as you described.
Let's see what's going on in your case.
Let's try this image:

and add this env. property:
LOGGING_LEVEL_COM_PROVECTUS: TRACE

Take a look at the logs, grep by 'OAuthSecurityConfig'

@Haarolean
Contributor

The image is available via docker pull public.ecr.aws/provectus/kafka-ui-custom-build:1446. We'll merge once we get at least one confirmed working case (besides mine).

@adityahex27

@Haarolean can you please release this feature? I have tested it in mine and the login functionality is working for me.

@Haarolean Haarolean linked a pull request Nov 14, 2022 that will close this issue
@Haarolean
Contributor

@Haarolean can you please release this feature? I have tested it in mine and the login functionality is working for me.

that's gonna be a part of #753 within 0.5 release. We're almost done with the frontend, QA left to go.

@Haarolean
Contributor

will be a part of #753

4 participants