Configuring OpenID Authorization Using GSuite

OpenID Connect (OIDC) is an open identity layer on top of OAuth 2.0 that lets a user sign in to many unrelated web applications with a single account held at an identity provider, here a Google Workspace (GSuite) account. In this setup Picvario is the relying party (RP) and Google is the OpenID provider (OP); the option names below are prefixed OIDC_RP_ or OIDC_OP_ according to that split.

To set up OpenID Connect sign-in for a Picvario site, configure the Google side first and then the Picvario side:

Configure settings on Google:

  1. Go to https://console.developers.google.com/apis/credentials signed in with your organization's administrator account.
  2. Create an OAuth client ID of type Web application (for example, named Picvario).
  3. Copy the Client ID and Client Secret shown in the credentials panel. Treat the secret like a password: it belongs only in the non-public Picvario option described below.
  4. Add the following address to the client's list of authorized redirect URIs, where <site_url> is the public URL of the Picvario site:
     <site_url>/api/v1/users/oidc/callback

Google only accepts a sign-in whose redirect_uri exactly matches an entry in this list, so scheme, host and path must be identical to what Picvario sends.

Configure settings on Picvario:

  1. Look up the frontend environment variable SITE_BASE_URL=<some url>. Its value should be the same <site_url> that you registered in the redirect URI on Google.
  2. In the tenant's Options (https://<tenant-name>.<site_url>/admin/options/option/) or, in hosted versions, https://<site_url>/admin/options/option/, create the parameter:
     OPENID_AUTH_ENABLED

After the parameter is added, 11 more parameters are created AUTOMATICALLY. Change their values to the following:

  KEY                              VAL                                                 PUBLIC
  OIDC_TOKEN_USE_BASIC_AUTH        True                                                False
  OIDC_RP_SIGN_ALGO                RS256                                               False
  OIDC_RP_SCOPES                   email profile openid                                False
  OIDC_RP_CLIENT_SECRET            (Client Secret from Google)                         False
  OIDC_RP_CLIENT_ID                (Client ID from Google)                             False
  OIDC_OP_USER_ENDPOINT            https://openidconnect.googleapis.com/v1/userinfo    False
  OIDC_OP_TOKEN_ENDPOINT           https://oauth2.googleapis.com/token                 False
  OIDC_OP_JWKS_ENDPOINT            https://www.googleapis.com/oauth2/v3/certs          False
  OIDC_OP_AUTHORIZATION_ENDPOINT   https://accounts.google.com/o/oauth2/v2/auth        False

IMPORTANT! The Public property of all of the options above must stay False (the default). Public options are the ones the frontend can read, so a Public OIDC_RP_CLIENT_SECRET would expose the Google client secret to anyone who can load the site.

If you want to allow anonymous users to view assets, set ALLOW_ANONYMOUS_USERS = True. This parameter must be Public (Public = True) whatever its value, because the frontend reads it.

To allow sign-in BOTH via GSuite AND via a Picvario account, use the MULTI_AUTH parameter. This parameter is also Public (Public = True).

MULTI_AUTH=True/False

  • Determines whether several authentication methods are offered at once: the standard login/password form and OpenID. When True, the login page shows the standard login and password fields plus an additional button at the bottom, "Sign in via corporate account". When False, the available method is determined by OPENID_AUTH_ENABLED alone.

Sequence of public key search for token verification (option priority):

  1. OIDC_RP_IDP_SIGN_KEY_PATH
  2. OIDC_RP_IDP_SIGN_KEY
  3. OIDC_OP_JWKS_ENDPOINT

The first option in this list that is set wins, and the ID token signature is checked against that key only. If errors such as "SuspiciousOperation" or "JWS token verification failed" appear, make sure there is no conflict between these options: a static key from option 1 or 2 takes precedence over the JWKS endpoint, so a stale or wrong static key makes every Google token fail verification. Google rotates its signing keys, which is why the JWKS endpoint rather than a pasted key is the right source.

For GSuite, only OIDC_OP_JWKS_ENDPOINT should be specified. The other two options in this list must be left empty!
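The option table and the signing-key priority rules above are easy to get subtly wrong (a secret marked Public, a pasted key left in OIDC_RP_IDP_SIGN_KEY, a redirect URI that differs from SITE_BASE_URL by a trailing slash). The following script, an added example that is not code from Picvario or Google, models the option table as plain dicts (Picvario itself stores the options in its admin panel) and reports the misconfigurations this article warns about. The site URL, client ID and client secret are constructed placeholders; the endpoint values are the ones listed in the table.

```python
"""Offline sanity check for the Picvario options used for Google Workspace OIDC.

Added example, not code from Picvario or Google. Option values are modelled
as plain dicts; the endpoint values come from the article, while the site
URL, client ID and client secret are constructed placeholders.
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse

CALLBACK_PATH = "/api/v1/users/oidc/callback"

# Values the article prescribes for Google (all must stay Public=False).
GOOGLE_EXPECTED = {
    "OIDC_TOKEN_USE_BASIC_AUTH": "True",
    "OIDC_RP_SIGN_ALGO": "RS256",
    "OIDC_OP_USER_ENDPOINT": "https://openidconnect.googleapis.com/v1/userinfo",
    "OIDC_OP_TOKEN_ENDPOINT": "https://oauth2.googleapis.com/token",
    "OIDC_OP_JWKS_ENDPOINT": "https://www.googleapis.com/oauth2/v3/certs",
    "OIDC_OP_AUTHORIZATION_ENDPOINT": "https://accounts.google.com/o/oauth2/v2/auth",
}
PRIVATE_OPTIONS = tuple(GOOGLE_EXPECTED) + (
    "OIDC_RP_SCOPES", "OIDC_RP_CLIENT_ID", "OIDC_RP_CLIENT_SECRET",
)
# Flags the frontend reads, so they must be Public=True.
PUBLIC_OPTIONS = ("ALLOW_ANONYMOUS_USERS", "MULTI_AUTH")
# Signing-key lookup order from the article, highest priority first.
SIGN_KEY_SOURCES = (
    "OIDC_RP_IDP_SIGN_KEY_PATH", "OIDC_RP_IDP_SIGN_KEY", "OIDC_OP_JWKS_ENDPOINT",
)

# Constructed sample: a correctly filled option table for one tenant.
SITE_BASE_URL = "https://dam.example.com"  # placeholder <site_url>
GOOD_VALUES = dict(GOOGLE_EXPECTED, **{
    "OPENID_AUTH_ENABLED": "True",
    "OIDC_RP_SCOPES": "email profile openid",
    "OIDC_RP_CLIENT_ID": "0000-placeholder.apps.googleusercontent.com",
    "OIDC_RP_CLIENT_SECRET": "placeholder-client-secret",
    "ALLOW_ANONYMOUS_USERS": "False",
    "MULTI_AUTH": "True",
})
GOOD_PUBLIC = {key: key in PUBLIC_OPTIONS for key in GOOD_VALUES}


def callback_uri(site_base_url: str) -> str:
    """Redirect URI that must appear in the Google client's authorized list."""
    return site_base_url.rstrip("/") + CALLBACK_PATH


def signing_key_source(values: Dict[str, str]) -> Optional[str]:
    """Which option the token verifier would use, following the priority order."""
    for key in SIGN_KEY_SOURCES:
        if values.get(key, "").strip():
            return key
    return None


def check_options(values, public, site_base_url, authorized_redirect_uris) -> List[str]:
    """Return a list of problems; an empty list means the table looks right."""
    problems = []
    if values.get("OPENID_AUTH_ENABLED") != "True":
        problems.append("OPENID_AUTH_ENABLED must be True")
    for key, expected in GOOGLE_EXPECTED.items():
        if values.get(key) != expected:
            problems.append(f"{key} should be {expected!r}, got {values.get(key)!r}")
    if "openid" not in values.get("OIDC_RP_SCOPES", "").split():
        problems.append("OIDC_RP_SCOPES must include 'openid'")
    for key in ("OIDC_RP_CLIENT_ID", "OIDC_RP_CLIENT_SECRET"):
        if not values.get(key, "").strip():
            problems.append(f"{key} is empty; copy it from the Google credentials page")
    for key in PRIVATE_OPTIONS:
        if public.get(key, False):
            problems.append(f"{key} is Public; it must be Public=False")
    for key in PUBLIC_OPTIONS:
        if key in values and not public.get(key, False):
            problems.append(f"{key} must be Public=True")
    sources = [k for k in SIGN_KEY_SOURCES if values.get(k, "").strip()]
    if len(sources) > 1:
        problems.append("conflicting signing-key sources: " + ", ".join(sources)
                        + " (only OIDC_OP_JWKS_ENDPOINT should be set for GSuite)")
    uri = callback_uri(site_base_url)
    if urlparse(uri).scheme != "https":
        problems.append(f"callback {uri} is not https")
    if uri not in authorized_redirect_uris:
        problems.append(f"{uri} is not among the authorized redirect URIs on Google")
    return problems


if __name__ == "__main__":
    ok = check_options(GOOD_VALUES, GOOD_PUBLIC, SITE_BASE_URL, [callback_uri(SITE_BASE_URL)])
    print("good config:", ok or "no problems")
    # A pasted key left in OIDC_RP_IDP_SIGN_KEY silently outranks the JWKS endpoint.
    bad_values = dict(GOOD_VALUES, OIDC_RP_IDP_SIGN_KEY="-----BEGIN PUBLIC KEY-----...")
    bad_public = dict(GOOD_PUBLIC, OIDC_RP_CLIENT_SECRET=True)
    for problem in check_options(bad_values, bad_public, SITE_BASE_URL, []):
        print("bad config:", problem)
```

Run it before enabling OPENID_AUTH_ENABLED on a tenant: paste the tenant's option values into GOOD_VALUES, the Public flags into GOOD_PUBLIC and the redirect URIs registered on Google into the last argument. signing_key_source shows which of the three key sources the verifier will actually consult, which is the quickest way to explain a "JWS token verification failed" error after someone has experimented with a static key.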
