Google Oauth user identification

[pollier]

Hello,
I'm currently playing with the auth system,
actually using nginx with http basic_auth, i would like to know if an Oauth connector like the ldap one is possible ?
If not, do you know a way to handle this with apache2 / nginx ?

[bugy]

Hi @pollier, this should be possible to add this feature, according to tornado documentation.
I'll try to do it this week

[bugy]

Hi @pollier, I made the first version of Google Oauth integration. In order to use it, add/change following settings in conf.json file:

"auth": {
    "type": "google_oauth",
    "client_id": "your_client_id",
    "secret": "your_secret"
  },

In order for oauth to work, both client and server should have connection to google servers (https://accounts.google.com and https://www.googleapis.com)

For configuring access in google, you can follow this guide: http://www.tornadoweb.org/en/stable/auth.html#google

For Oauth key, you should add the following "Authorized redirect URI": your_server_address/login
E.g. http://localhost:5000/login. If you are running the server behind reverse proxy, then the URL should match the address, visible to a user

Regarding list of allowed users - I didn't find a way how to configure allowed users in google, so I'm going to implement it in script-server. And this setting will be mandatory for google oauth (otherwise everyone would have access to it, which is quite dangerous).

[pollier]

Thank you :)
I'm quite busy this week but will test it soon 👍

[bugy]

Important change: now redirect URI in google config should be url/login.html (i.e. html page instead of rest URL)

[bugy]

Added authorization support (which users can access the server). There is a new field: "allowed_users" for auth config block. This setting is mandatory, when Google OAuth is used.
Value should be a list, e.g.:
"allowed_users": ["user1", "user2"]
If any user should be able to access the server, use asterisk:
"allowed_users": ["*"]
or
"allowed_users": "*"