Configure PlaceOS Auth Source for Google
- PlaceOS Backoffice Administrator Access
- client_id and secret obtained from Google.
1. In PlaceOS Backoffice navigate to the Domains tab.
2. Select the domain you would like to add Microsoft Authentication to.
3. Click the Authentication Tab.
4. Identify the OAuth Source previously created.
5. Click the Edit Icon.
6. Update missing fields per the table below.
These fields are specific to the OAuth2 provider and tend to differ slightly between providers.
- name: a friendly name for this authentication configuration
- client_id: the ID provided by the OAuth2 provider when you added a new application
- client_secret: as above
- site: the URL of the application requesting access (https://poc.placeos.com in the screenshot above)
- scope: the scopes, space separated, for the APIs that are intended to be accessed
- token_method: POST or GET; Google uses a POST to obtain a token
- authentication_scheme: whether request params or the request body are used to obtain a token; Google uses the body
- token_url: the URL to obtain a token from; Google's is https://oauth2.googleapis.com/token
- user_profile_url: this is the URL we can use to test the OAuth2 token and obtain user details
- info_mappings: this maps PlaceOS fields to User Profile fields
- authorize_params: query params to pass along with the authorize URL
- ensure_matching: authorization response fields that should match
An example configuration that works with Google:
- scope: profile email https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/userinfo.email
- token method: POST
- Auth Scheme: Request Body
- Info Mappings: (PlaceOS -> Google)
  - email -> email
  - first_name -> given_name
  - last_name -> family_name
  - uid -> sub
  - image -> picture
  - access_token -> token
  - refresh_token -> refresh_token
  - expires -> expires
  - expires_at -> expires_at
- Authorise Params:
  - access_type -> offline (this will return a refresh token)
  - prompt -> consent (ensures we are always sent a new refresh token on login)
- Ensure Matching:
  - hd -> my.google.apps.domain (typically the domain after the @ in your login name)
The above stores a refresh token against each user for scoped directory access.
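To show what the Info Mappings and Ensure Matching settings in the example configuration amount to at login time, here is an added Python sketch; it is not PlaceOS code and does not claim to mirror how PlaceOS evaluates these fields. The function names, the `MatchError` class and the profile dictionaries passed to `login` are assumptions made for illustration.

```python
# Added illustration, not PlaceOS code. Mappings and the hd rule are copied
# from the example configuration; profiles passed in are constructed data.

INFO_MAPPINGS = {  # PlaceOS field -> Google profile field
    "email": "email",
    "first_name": "given_name",
    "last_name": "family_name",
    "uid": "sub",
    "image": "picture",
}
ENSURE_MATCHING = {"hd": "my.google.apps.domain"}


class MatchError(Exception):
    """A provider response field failed an ensure_matching rule."""


def check_ensure_matching(response, rules):
    """Fail closed unless every listed field equals its expected value."""
    for field, expected in rules.items():
        value = response.get(field)
        # Personal Google accounts carry no hd field at all, so a missing
        # value must be rejected rather than skipped.
        if not isinstance(value, str):
            raise MatchError(f"{field} missing from provider response")
        # Whole-string comparison: suffix or substring tests would accept
        # look-alike values such as my.google.apps.domain.example.
        if value.lower() != expected.lower():
            raise MatchError(f"{field}={value!r} does not match")


def map_profile(profile, mappings):
    """Translate a provider profile into PlaceOS field names."""
    user = {ours: profile[theirs] for ours, theirs in mappings.items()
            if theirs in profile}
    if not user.get("uid"):
        raise ValueError("profile has no stable subject identifier (sub)")
    return user


def login(profile):
    """Enforce ensure_matching first, then map the accepted profile."""
    check_ensure_matching(profile, ENSURE_MATCHING)
    return map_profile(profile, INFO_MAPPINGS)
```

The check keys on `hd` rather than on the domain part of `email`, so a profile whose email address merely ends in the expected domain is still rejected when `hd` is absent.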
A simpler version if token based access isn't required could be:
