Google OAuth2 with RStudio Connect

This article is based on this section of the administrator's guide.


RStudio Connect can authenticate users against the Google OAuth2 service. It uses OAuth2 authentication when the Authentication.Provider setting has a value of oauth2:

[Authentication]
Provider = oauth2

The appendix in the administrator's guide contains information about each OAuth2 configuration option.

In order for RStudio Connect to use Google as an OAuth2 service, you will need a client ID and client secret.

Obtaining a Client ID and Client Secret

These instructions tell you how to obtain an OAuth2 client ID and client secret. We recommend a distinct set of credentials for each application you configure to use the Google OAuth2 service.

  1. Visit the Google Developers Console and create a new project. Give it a name of your choosing, such as “rstudio-connect”.
  2. Once the project is created, locate and enable the “Google+ API”.
  3. In the left navigation window, click on “Credentials”, then go to the “OAuth consent screen” tab, fill in the information requested and click “Save”.
  4. Once again, click “Credentials” in the left navigation window. Then click the dropdown button “New credentials”, then “OAuth client ID”.
  5. For “Application Type”, select “Web Application”. Then give your client ID a descriptive name. For “Authorized JavaScript origins”, enter your RStudio Server URL (i.e. https://HOST:PORT). For “Authorized redirect URIs”, use your RStudio Connect server address with /__login__/callback (i.e. https://HOST:PORT/__login__/callback).
  6. Click “Create”. Your client ID and client secret will be shown to you.

Add the client ID and secret to your configuration file as shown in the example below.

[OAuth2]
DiscoveryEndpoint = https://accounts.google.com/.well-known/openid-configuration
ClientId = <CLIENT ID>
ClientSecret = <CLIENT SECRET>

With DiscoveryEndpoint, ClientId and either ClientSecret or ClientSecretFile configured, you can use your Google Apps account to sign into RStudio Connect!

Restricting access

The default configuration allows all Google account holders to access RStudio Connect. We recommend that you limit access to specific domains that are used by your organization.

Verify that you can use your Google Apps account to sign into RStudio Connect before attempting to configure access restrictions.

The OAuth2.AllowedDomains setting specifies the set of domains that are allowed to access your RStudio Connect server. Multiple domains should be space-separated.

[OAuth2]
AllowedDomains = company.com subsidiary.com

You may also restrict access by email address if using domain alone is insufficient. The OAuth2.AllowedEmails setting specifies the set of email addresses that are allowed to access your RStudio Connect server. Multiple addresses should be space-separated.

[OAuth2]
AllowedEmails = jdoe@company.com asmith@subsidiary.com

It is important to understand how the AllowedDomains and AllowedEmails properties interact.

If only AllowedDomains is configured, only email addresses with a listed domain will be permitted access.

If only AllowedEmails is configured, only listed email addresses will be permitted access.

When both AllowedDomains and AllowedEmails are specified, email addresses given in AllowedEmails are permitted access in addition to email addresses with a domain listed in AllowedDomains.
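
The following Python sketch models the interaction rules above so that a planned configuration can be checked against sample addresses before it is deployed. It is an added example, not RStudio Connect's own code: the function names are hypothetical, the addresses and the partner.example domain are constructed, and case-insensitive comparison and exact (non-subdomain) domain matching are assumptions of this model.

```python
import configparser

# Constructed sample configuration using the two settings described above.
SAMPLE_CONFIG = """
[OAuth2]
AllowedDomains = company.com subsidiary.com
AllowedEmails = jdoe@partner.example
"""


def load_restrictions(text):
    """Return (allowed_domains, allowed_emails) as sets from an [OAuth2] section."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    domains = parser.get("OAuth2", "AllowedDomains", fallback="").split()
    emails = parser.get("OAuth2", "AllowedEmails", fallback="").split()
    # Assumption of this model: comparisons are case-insensitive.
    return {d.lower() for d in domains}, {e.lower() for e in emails}


def is_permitted(email, domains, emails):
    """Model of the documented interaction between the two settings."""
    email = email.strip().lower()
    if not domains and not emails:
        return True  # default configuration: any Google account holder
    if email in emails:
        return True  # listed addresses are permitted regardless of domain
    # Assumption: the domain is everything after the last "@" and must equal
    # a listed domain exactly (no subdomain or suffix matching).
    local, sep, domain = email.rpartition("@")
    return bool(local and sep) and domain in domains


def audit(config_text, candidates):
    """Map each candidate address to the access decision of this model."""
    domains, emails = load_restrictions(config_text)
    return {c: is_permitted(c, domains, emails) for c in candidates}


if __name__ == "__main__":
    constructed = [
        "asmith@company.com",        # listed domain
        "jdoe@partner.example",      # listed address, unlisted domain
        "other@partner.example",     # unlisted address and domain
        "eve@company.com.example",   # lookalike suffix, not an exact match
    ]
    for address, ok in audit(SAMPLE_CONFIG, constructed).items():
        print(f"{address:28} {'permit' if ok else 'deny'}")
```
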

Searches

RStudio Connect allows users to search for collaborators against the user directory associated with your Google Apps account. That search is performed on behalf of the current user. Different accounts may have different visibility within the user directory and therefore will see different results. This is most obvious when you have configured RStudio Connect to allow access to two different domains. Users in company.com, for example, will likely not be able to search for colleagues in subsidiary.com.

RStudio Connect augments the Google Apps user directory search with a local search across its set of known accounts. Once your colleague has created their own RStudio Connect account, they will become discoverable.