Mobile web and Android App: how to log in with Google Oauth2 OpenID?

fixjunk

Member
Nov 14, 2020
I'm using google as my oauth2/openid login provider and have it working nicely to log in to my local proxmox install via a web browser.

I realized the other day that the mobile interface and the Proxmox mobile app do not allow for the use of Oauth logins. If I select that realm, it still presents me with a username and password field I don't know what to do with.

I know I can create regular PAM users to log in but that's... inelegant?
 
G'day mate,
Sorry to resurrect a dead thread.

Are you able to provide a link or some guidance on how to set up Google as an OpenID provider in Proxmox?
I'm getting an error 500 and I'm not sure what I've got wrong!

Thanks,
 
It's been a while since I set this up, but I will do my best to give the best information I can remember:
The basic instructions are here: https://support.google.com/cloud/answer/6158849?hl=en for reference.
For proxmox users: https://pve.proxmox.com/wiki/User_Management
Do not enter the quotes in the text fields.

Using Google Auth with Proxmox

In Google Cloud Console:

For Creating Credentials

  1. Head to https://console.cloud.google.com/ and log in with the account you want to use for google auth
  2. In the pulldown at the top to the right of "Google Cloud" select an existing project or create a new one (e.g. "Proxmox Auth")
  3. Select "API & Services" from Quick Access or the sandwich menu on the upper left
  4. Select "Credentials" and click "+ Create Credentials" and select "OAuth Client ID"
  5. For application type, select "Web Application" and give it a helpful name (see below if it asks you for a consent screen)
  6. For Authorized Javascript Origins, you'll want to enter your full hostname with FQDN for Proxmox, e.g. https://proxmox.domain.com
  7. For Authorized redirect URIs, enter the page you actually access for Proxmox with port, e.g. https://proxmox.domain.com:8006
  8. Save.
  9. A window will pop up with a Client ID and Client Secret. You can always come back to these from the Credentials page by clicking on the name you entered above.

For Oauth Consent Screen

  1. If at any point above you're asked to create a consent screen, go ahead and click "Configure Consent Screen"
    1. Generally this only happens if you've come to the credentials page again after the first time.
  2. Select the type of access. Internal means restricted to the workspace domain you're currently using. (This is what I use to shrink the pool of potential logins). Click "Create"
  3. Add an app name, pick an existing email for support, add a logo if you want.
  4. Add your host+FQDN as above (e.g. https://proxmox.domain.com) to App Domain
  5. you can leave the privacy policy and TOS links blank.
  6. Add your Authorized Domains. These must match the workspace account from which you're logging in. These will likely autofill from your earlier domain entries.
  7. Add a developer email and click "Save and Continue"

For Scopes

  1. Click Add or Remove Scopes
  2. I made some guesses here. I added these to "Non-sensitive scopes":
    1. ./auth/userinfo/.profile
    2. ./auth/userinfo/.email
    3. openid
  3. Select the checkboxes for the above scopes and click "Update" in the modal window.
  4. I did not add anything to sensitive / restricted scopes.
  5. click "Save and Continue"
  6. Review the summary and click "Back to Dashboard"
  7. I don't think an "Internal" OAuth Consent will request a verification check so I won't cover that here.

In Proxmox

Initial Setup for Auth

  1. Click on Datacenter in the tree
  2. Scroll down to Permissions, expand that subtree, and click Realms
  3. Click "Add" and select OpenID Connect Server
  4. Add the Issuer URL of https://accounts.google.com
  5. In the "Realm:" field, add something like "GoogleAuth" (You see this later when adding users)
  6. Paste the Client ID and Client Key (aka Client secret) from the Google credentials page.
  7. Do not check "autocreate users"
  8. Select Username Claim of "email"
  9. For Scopes enter "email profile openid" (leaving spaces between scopes)
  10. For Prompt select "login"
  11. Select if you want this realm to be default and enter a useful comment. Leave ACR Values blank
  12. Click Add.

Adding users in Proxmox

  1. Under the permissions subtree, select Users
  2. Click Add
  3. For the User Name enter the workspace account email address (e.g. user@domain.com where the domain is the one setup above in google)
  4. Add the user to any groups and add any metadata you like here. You probably want to add the same email to the email field.
  5. Proxmox will append "@<realmname>" to the username so it may look like user@domain.com@GoogleAuth
  6. click Add

Groups and permissions

  1. I added my primary google auth user as an admin. You can probably find better guides for this but in short:
  2. Click on Permissions
  3. Click Add, then User Permission
  4. For Path click /
  5. User: your new google auth user@domain.com@googleauth
  6. Select a Role (e.g. Administrator)
  7. Click Add

I think that's it. Once you log out, you should be able to log back in with google.
Note that since you are not logging in as root, you have a few limited permissions--I don't think you can perform system updates for example.
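
As an added example (not part of the original post, and not Proxmox code): a small Python audit that checks an OpenID realm stanza for the settings chosen in the guide above (issuer URL, autocreate off, email username claim, email scope) and flags realm users outside the workspace domain. The `domains.cfg` sample, the placeholder client values and all function names are constructed for illustration.

```python
# Constructed sample in the section-config layout of /etc/pve/domains.cfg;
# client values are placeholders, not taken from the thread.
SAMPLE_DOMAINS_CFG = """\
pam: pam
\tcomment Linux PAM standard authentication

openid: GoogleAuth
\tissuer-url https://accounts.google.com
\tclient-id EXAMPLE-CLIENT-ID
\tclient-key EXAMPLE-CLIENT-SECRET
\tusername-claim email
\tscopes email profile openid
\tprompt login
\tautocreate 0
"""

def parse_realms(text):
    """Return {realm: {"type": ..., key: value}} from section-config text."""
    realms, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # header line: "type: realm"
            rtype, _, name = line.partition(":")
            current = realms.setdefault(name.strip(), {"type": rtype.strip()})
        elif current is not None:            # indented line: "key value"
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip()
    return realms

def audit_openid_realm(cfg):
    """List deviations from the guide's settings for one openid realm."""
    findings = []
    if cfg.get("issuer-url") != "https://accounts.google.com":
        findings.append("issuer-url is not https://accounts.google.com")
    if cfg.get("autocreate", "0") != "0":
        findings.append("autocreate is on: users are created without review")
    if cfg.get("username-claim") != "email":
        findings.append("username-claim is not email")
    if "email" not in cfg.get("scopes", "").split():
        findings.append("scopes does not explicitly list email")
    return findings

def users_outside_domain(userids, realm, domain):
    """Users of `realm` (user@domain.com@Realm) not under the workspace domain."""
    suffix = "@" + domain.lower()
    return [u for u in userids
            if u.rpartition("@")[2] == realm
            and not u.rpartition("@")[0].lower().endswith(suffix)]
```

Run `audit_openid_realm(parse_realms(text)["GoogleAuth"])` against a copy of the realm configuration; an empty list means the stanza matches the guide.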
 
@trentnbauer wrote you a little instruction set above. Hope it helps!
 
Thank you so much for this guide, I've been searching for something like this for like a month now. I love you <3.
 
How has it been over a year and oauth still not implemented for Mobile app/webapp?
 
Please elaborate where exactly and for which Proxmox product(s) you/one has to pay.
Don't be one of "those guys" mate. Nobody deserves your undying loyalty, this is not a clan or cult. Chill out.

I'm allowed to constructively criticise a product when I believe it doesn't live up to expectations in particular areas.
 
Yes, welcome. But please do not write wrong facts, no one "sold" you a feature complete mobile app.
 
They are selling licenses to a product which is missing features from its mobile app. I'd call that selling an unfinished product. What I said was not an untrue statement.
 
Proxmox does not sell any licenses, all Proxmox products are open source and licensed under AGPLv3.

(We sell support and services for these open source products).
 
