Modules:Google Sign In
Overview
Google Sign In is an Openbravo commercial module that provides Google Sign In integration (based on OAuth2 authentication) for Openbravo.
It uses common Google Apps infrastructure provided by Google Apps Integration module.
Once this module is installed and configured, the Google Sign In button on the Log In page starts working.
There are two ways to use the Google Accounts authentication service:
- Link an existing Openbravo user name with a Google Account
- Configure an instance to allow any user with a Google Account to log in to the application. If no Openbravo user is linked to that Google Account, a new one is created using defaults.
Creating and configuring the Google Project
- The first step is to create and configure a Google API Project, which will be used by the Google Sign In feature. Note that the account used to create the project does not need to be one of those used to log in to Openbravo, but it will be used for API purposes.
- Go to Google Developers Console web page. The following screen will be shown:
- Click 'Create Project' button, on the top right corner. The following screen will be shown:
- Go to the 'Credentials' window (it is located in the left menu, inside the 'APIs & Services' section). The following screen will be shown:
- Now click on 'Configure consent screen' button. The following 2 screens will be shown:
- After clicking 'Create', fill in at least the 'Email address' and 'Product Name' fields in the form. Once the data has been entered, click the 'Save' button:
- Go back to 'Credentials' window and click on 'Create Credentials' -> 'OAuth Client ID' button. Follow this screen:
- Fill in the form with 'Application Type': 'Web application' and set a 'Name'. In 'Authorized JavaScript origins', enter your Openbravo instance URL. The 'Authorized redirect URIs' are not needed for the Login. Then click the 'CREATE' button. The form will look similar to this screen:
- Then click the 'Download JSON' button. It will start downloading the 'Client Secrets' that will be needed later. The download button is on the top bar, and appears after clicking on the newly created OAuth 2.0 credential:
Configure Google API Project in Openbravo
- Log in to Openbravo as System Administrator, open the 'Google Integration Configuration' window, create a new record and paste the contents of the file downloaded in the previous step into the 'Client Secrets' field.
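A pre-flight check for the downloaded 'Client Secrets' file before it is pasted into Openbravo, as an added example that is not part of the module or of this page. It assumes the JSON layout Google issues for 'Web application' clients (a top-level `web` object with `client_id`, `client_secret` and `javascript_origins`); the function names, sample values and the `erp.example.com` host are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

def origin_of(url):
    """Reduce a URL to scheme://host[:port]; drops the path and default ports."""
    p = urlsplit(url.strip())
    default = {"http": 80, "https": 443}.get(p.scheme)
    port = "" if p.port in (None, default) else f":{p.port}"
    return f"{p.scheme}://{(p.hostname or '').lower()}{port}"

def check_client_secrets(text, instance_url):
    """Return a list of problems; an empty list means the file matches the setup steps."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict) or not isinstance(doc.get("web"), dict):
        # Assumption: other application types use a different top-level key.
        return ["no 'web' object: was Application Type set to 'Web application'?"]
    web, problems = doc["web"], []
    for field in ("client_id", "client_secret"):
        if not web.get(field):
            problems.append(f"missing {field}")
    origins = web.get("javascript_origins") or []
    wanted = origin_of(instance_url)
    # The origin registered with Google must match the instance's scheme, host and port.
    if wanted not in {origin_of(o) for o in origins}:
        problems.append(f"{wanted} is not in Authorized JavaScript origins")
    for o in origins:
        parts = urlsplit(o)
        if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
            problems.append(f"origin {o} is not HTTPS")
    return problems

# Constructed sample; every value below is a placeholder, not a real credential.
SAMPLE = json.dumps({"web": {
    "client_id": "000000000000-placeholder.apps.googleusercontent.com",
    "project_id": "example-project",
    "client_secret": "PLACEHOLDER",
    "javascript_origins": ["https://erp.example.com"],
}})

if __name__ == "__main__":
    for problem in check_client_secrets(SAMPLE, "https://erp.example.com/openbravo/"):
        print("PROBLEM:", problem)
```

The downloaded file contains the OAuth client secret, so handle it as a credential: keep it out of version control and delete the local copy once it has been pasted into Openbravo.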
Google Account association
- Log in with your existing Openbravo user
- Open the 'Google Account Association' process
- The following popup will show:
- After clicking OK, the following confirmation prompt will be shown:
- By pressing the 'Accept' button you will allow your instance to access your Google Account, and the following confirmation alert will be shown:
- You can now log out and log in again using the 'G' button.
Remove Association
- The user can Revoke Access from his Google Account settings
- The Client Administrator can remove the association record in User window > OpenID Identifier tab
Google Integration Preferences
New User Defaults
You can define a default role for your Client. This default role is the one that will be used to create a new user if the Google Account doesn't have any other user associated.
- Open: Google Integration Preferences
- Create a new record
- Pick the most restrictive role you have.
- Note: If you want to restrict the access, you should configure a role that only allows the user to log in. After the user has been created by the authentication process, the Client Administrator can define more roles for the user.
- New User Active: Whether the newly created user should be active by default or not.
- Default: If you have several roles configured, just the default one will be used
After configuring these default preferences, any user with a Google Account can log in to the application. If no Openbravo user is associated, a new one is created with the defaults previously defined.
Known Issues
When signing in with OAuth2, Google provides a different ID than the one it provided when signing in with OpenID2. This means that the Openbravo and Google accounts need to be reassociated even if they were previously linked. So the first time each user wants to use the new sign in, the confirmation will be prompted again.
This also affects auto-generated users; that is, previously auto-generated users can't sign in again using the new authentication. If user auto-generation is enabled, new users will be created on first sign in.
Disabling Google integration
Professional Instances
You just need to create a new Preference as follows:
- As System Administrator.
- Open the Preference window.
- Create a new Preference and pick the property: Enable Google button in Login Page.
- Set the value to: N.
Community Instances
The 'Google Sign In' button cannot be hidden.