This article is based on this section of the administrator's guide.
OAuth2 authentication is available to authenticate against the Google OAuth2 service. RStudio Connect will use OAuth2 authentication if the Authentication.Provider
setting has a value of oauth2:
[Authentication]
Provider = oauth2
The appendix in the administrator's guide contains information about each OAuth2 configuration option.
In order for RStudio Connect to use Google as an OAuth2 service, you will need a client ID and client secret.
Obtaining a Client ID and Client Secret
These instructions tell you how to obtain an OAuth2 client ID and client secret. We recommend a distinct set of credentials for each application you configure to use the Google OAuth2 service.
- Visit the Google Developers Console and create a new project. Give it a name of your choosing, such as “rstudio-connect”.
- Once the project is created, locate and enable the “Google+ API”.
- In the left navigation window, click on “Credentials”, then goto the “OAuth consent screen” tab, fill in the information requested and click “Save”.
- Once again, click “Credentials” in the left navigation window. Then click the dropdown button “New credentials”, then “OAuth client ID”.
- For “Application Type”, select “Web Application”. Then give your client ID a descriptive name. For “Authorized JavaScript origins”, enter your RStudio Server URL (i.e.
https://HOST:PORT
). For “Authorized redirect URIs”, use your RStudio Connect server address with/__login__/callback
(i.e.https://HOST:PORT/__login__/callback
). - Click “Create”. Your client ID and client secret will be shown to you.
Add the client ID and secret to your configuration file as shown in the example below.
[OAuth2]
DiscoveryEndpoint = https://accounts.google.com/.well-known/openid-configuration
ClientId = <CLIENT ID>
ClientSecret = <CLIENT SECRET>
With DiscoveryEndpoint
, ClientId
and either ClientSecret
or ClientSecretFile
configured, you can use your Google Apps account to sign into RStudio Connect!
Restricting access
The default configuration allows all Google account holders to access RStudio Connect. We recommend that you limit access to specific domains that are used by your organization.
Verify that you can use your Google Apps account to sign into RStudio Connect before attempting to configure access restrictions.
The OAuth2.AllowedDomains
setting specifies the set of domains that are allowed to access your RStudio Connect server. Multiple domains should be space-separated.
[OAuth2]
AllowedDomains = company.com subsidiary.com
You may also restrict access by email address if using domain alone is insufficient. TheOAuth2.AllowedEmails
setting specifies the set of email addresses that are allowed to access your RStudio Connect server. Multiple addresses should be space-separated.
[OAuth2]
AllowedEmails = jdoe@company.com asmith@subsidiary.com
It is important to understand how the AllowedDomains
and AllowedEmails
properties interact.
If only AllowedDomains
is configured, only email addresses with a listed domain will be permitted access.
If only AllowedEmails
is configured, only listed email addresses will be permitted access.
When both AllowedDomains
and AllowedEmails
are specified, email addresses given inAllowedEmails
are permitted access in addition to email addresses with a domain listed inAllowedDomains
.
Searches
RStudio Connect allows users to search for collaborators against the user directory associated with your Google Apps account. That search is performed on behalf of the current user. Different accounts may have different visibility within the user directory and therefore will see different results. This is most obvious when you have configured RStudio Connect to allow access to two different domains. Users incompany.com
, for example, will likely not be able to search for colleagues in subsidiary.com
.
RStudio Connect augments the Google Apps user directory search with a local search across its set of known accounts. Once your colleague has created their own RStudio Connect account, they will become discoverable.
Comments