Boltbase

Appearance

Google OIDC Setup

Configure Boltbase with Google as OIDC provider.

Prerequisites

  • Google Cloud account or Google Workspace
  • Access to Google Cloud Console

Setup Steps

1. Create OAuth 2.0 Client ID

  1. Go to Google Cloud Console
  2. Select or create a project
  3. Navigate to "APIs & Services" > "Credentials"
  4. Click "Create Credentials" > "OAuth client ID"
  5. Configure OAuth consent screen if prompted:
    • User Type: Internal (for Google Workspace) or External
    • Add required scopes: email, profile, openid
  6. Application type: "Web application"
  7. Add authorized redirect URI:
    http://localhost:8080/oidc-callback
    For production:
    https://boltbase.example.com/oidc-callback
  8. Save and copy the Client ID and Client Secret

2. Configure Boltbase

YAML Configuration

yaml
# ~/.config/boltbase/config.yaml
auth:
  oidc:
    client_id: "123456789012-abcdefghijklmnopqrstuvwxyz012345.apps.googleusercontent.com"
    client_secret: "GOCSPX-1234567890abcdefghijklmno"
    client_url: "http://localhost:8080"
    issuer: "https://accounts.google.com"
    scopes:
      - "openid"
      - "profile"
      - "email"

Environment Variables

bash
export BOLTBASE_AUTH_OIDC_CLIENT_ID="123456789012-abcdefghijklmnopqrstuvwxyz012345.apps.googleusercontent.com"
export BOLTBASE_AUTH_OIDC_CLIENT_SECRET="GOCSPX-1234567890abcdefghijklmno"
export BOLTBASE_AUTH_OIDC_CLIENT_URL="http://localhost:8080"
export BOLTBASE_AUTH_OIDC_ISSUER="https://accounts.google.com"
export BOLTBASE_AUTH_OIDC_SCOPES="openid,profile,email"

boltbase start-all

Google Workspace Setup

Domain-Wide Access

For Google Workspace domains:

yaml
auth:
  oidc:
    client_id: "your-client-id"
    client_secret: "your-secret"
    client_url: "https://boltbase.company.com"
    issuer: "https://accounts.google.com"

Specific User Access

yaml
auth:
  oidc:
    # ... google config ...
    whitelist:
      - "admin@company.com"
      - "devops-team@company.com"
      - "ci-bot@company.com"

Production Configuration

yaml
# Production with HTTPS
auth:
  oidc:
    client_id: "your-production-client-id"
    client_secret: "your-production-secret"
    client_url: "https://boltbase.example.com"
    issuer: "https://accounts.google.com"

# Also enable TLS
tls:
  cert_file: "/etc/ssl/boltbase.crt"
  key_file: "/etc/ssl/boltbase.key"

Testing

  1. Start Boltbase:

    bash
    boltbase start-all

  2. Open browser to http://localhost:8080

  3. You should be redirected to Google login

  4. After login, redirected back to Boltbase

  5. Check browser developer tools for cookie named oidc-token

Notes

  • Google client IDs look like: [numeric]-[random].apps.googleusercontent.com
  • Client secrets start with GOCSPX- for newer applications
  • Google supports wildcard redirect URIs for localhost development
  • Session duration is 24 hours
  • Google issuer is always https://accounts.google.com

Released under the MIT License.

Copyright © 2024 Boltbase Contributors