John Dugaw

Reputation: 61

Using Google OAuth2 and OpenId Connect in a mixed environment (GCP apps and on-premise)

We are migrating on-premise services and applications to Google Cloud Platform, and during an extended transition we will be on a blended platform (GCP, on-prem, and third-party service providers). We are looking to standardize on the GCP OAuth2 provider, with the OpenIdentity provider as the single source of authentication and verification.

I have pored over the documentation provided by Google Identity Platform, and I see Authorization as a Service, which appears to be based on Firebase and is close to what I need/want, but not exactly.

The Open Identity provider has an SDK and can be integrated with Web, Server, and mobile device applications. Good!

What I am looking to confirm is that I can also use the OAuth2 SDK to authenticate a user with a token, and then use that token with the OpenIdentity APIs to control user access and features. I know this is entirely possible for GCP-native applications.

Presently it looks like using SAML to integrate with another OAuth2 platform within the Identity product, and then enabling the OpenIdentity provider, will meet "most" of my needs. What would be missing is standardizing on the Google Identity Platform before we migrate all our products and services onto GCP.

The burning question: can I use the OAuth2 implementation with services and apps not hosted on GCP?

The documentation seems to suggest to me yes and no simultaneously.

Any help appreciated at this point.

Upvotes: 0

Views: 509

Answers (1)

John Dugaw

Reputation: 61

See Hanley's response above. I had read the documentation available for several identity-related products for Google Cloud Platform.

My question made sense to me, but it does not translate for those who actually understand the Identity Platform itself, or even just one (1) of the integration implementation methods. Reading through the developer docs, I caught on to a really important piece of perspective that answered nearly all of my questions.

In case it is helpful:

- Google Sign-in uses @gmail.com (or other) Google identities, which applications or organizations can leverage
- One can configure, create, and import domain user identities using the Google Admin console
- These are both considered domain entities, and one can configure single sign-on (OAuth, SAML, X.509, JWT, OIDC) for these by using providers, or by writing custom providers
- Either permits organizations and projects to utilize IAM and other Security/Identity features within GCP out of the box with minimal overhead

This covers about 90% of my initial use case, and once I understood that domain user identities are either Google identities or your own private domain identities created through the Admin Console via Group and User management, the remaining 10% was easy enough to solve.

I'm going to stop commenting here, as this was key to understanding why things did not make sense, and why Mr. Hanley (thank you for your patience) was unable to answer my question at the beginning.

Hoping this helps someone else.

Upvotes: 1
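The question above asks whether a service that is not hosted on GCP can authenticate a user with a Google-issued token, and the answer lists JWT and OIDC among the single sign-on mechanisms. The worked example below is added here and is not part of the original post or of any Google SDK; it shows the relying-party side of that setup: an on-prem Go service verifying a Google OpenID Connect ID token without calling Google at request time. It assumes the service already holds Google's public signing keys indexed by `kid` (in production these come from the JWKS document at https://www.googleapis.com/oauth2/v3/certs and rotate, so they must be refreshed) and knows its own OAuth client ID. The RSA key pair, the client ID `1234.apps.googleusercontent.com`, the Workspace domain `example.com` and the tokens themselves are all constructed inside the example so it runs offline, with `MintToken` and `NewTestKey` standing in for Google's authorization server.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims are the Google ID-token fields a relying party acts on.
type Claims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Sub           string `json:"sub"` // stable Google account ID; use this, not email, as the user key
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	Hd            string `json:"hd,omitempty"` // Workspace hosted domain; absent for @gmail.com accounts
	Iat           int64  `json:"iat"`
	Exp           int64  `json:"exp"`
}

// Verifier is what an on-prem service needs in order to trust Google ID tokens:
// the OAuth client ID it expects as aud, the Workspace domain it requires as hd
// ("" accepts any Google account), Google's signing keys indexed by kid, and a clock.
// Keys is populated from the JWKS endpoint in production; here the caller supplies it.
type Verifier struct {
	ClientID string
	Domain   string
	Keys     map[string]*rsa.PublicKey
	Now      func() time.Time
}

// Both issuer forms are documented by Google and must be accepted.
var googleIssuers = map[string]bool{"https://accounts.google.com": true, "accounts.google.com": true}

func segment(v interface{}) string {
	b, _ := json.Marshal(v)
	return base64.RawURLEncoding.EncodeToString(b)
}

// VerifyIDToken checks the compact JWS end to end: pinned algorithm, key chosen by
// kid, RS256 signature over header.payload, then issuer, audience, expiry and domain.
func (v *Verifier) VerifyIDToken(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // the verifier, never the token, decides the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := v.Keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	rawPayload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(rawPayload, &c); err != nil {
		return nil, err
	}
	switch {
	case !googleIssuers[c.Iss]:
		return nil, fmt.Errorf("unexpected iss %q", c.Iss)
	case c.Aud != v.ClientID: // a valid Google token minted for some other app must not log in here
		return nil, fmt.Errorf("token issued for another client %q", c.Aud)
	case v.Now().Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case v.Domain != "" && (c.Hd != v.Domain || !c.EmailVerified):
		return nil, fmt.Errorf("account is not a verified member of %q", v.Domain)
	}
	return &c, nil
}

// MintToken signs claims with RS256 as Google does. It stands in for Google's
// authorization server so the example runs offline; a real service never signs.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	input := segment(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + segment(c)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// NewTestKey generates a throwaway key pair standing in for one Google JWKS entry.
func NewTestKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	priv := NewTestKey()
	v := &Verifier{ClientID: "1234.apps.googleusercontent.com", Domain: "example.com",
		Keys: map[string]*rsa.PublicKey{"k1": &priv.PublicKey}, Now: time.Now}
	c := Claims{Iss: "https://accounts.google.com", Aud: v.ClientID, Sub: "1", Email: "a@example.com",
		EmailVerified: true, Hd: "example.com", Iat: time.Now().Unix(), Exp: time.Now().Unix() + 3600}
	fmt.Println(v.VerifyIDToken(MintToken(priv, "k1", c)))
	c.Aud = "someone-else"
	fmt.Println(v.VerifyIDToken(MintToken(priv, "k1", c)))
}
```

Nothing in this flow depends on where the service runs: the token is obtained by the client through the normal Google sign-in flow, and the on-prem service only needs Google's public keys and its own client ID. Google's client libraries (for example `google.golang.org/api/idtoken` in Go) perform the same checks with key caching built in; the hand-rolled version exists to make visible what must be checked, in particular that `aud` matches your own client ID and that `hd` is required when only Workspace accounts from your domain should get in.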
