Hello, everyone. I recently began tinkering with a BrowZer test deployment, to leverage my organization's Google Workspace domain for the IdP to provide dark remote access to an onsite web application server.
I've managed to get BrowZer configured after two laborious weeks. I've even configured a Google Cloud project with OAuth 2 client credentials. The current issue I am repeatedly running into is a 1013 BrowZer error message that says my Google client ID at the accounts.google issuer "must be a single page application." I've researched this for days without any indications as to where this could point me.
Has anyone been able to configure BrowZer to work directly with Google as an IdP, or do I just need to go with third party federated services and save the hassle?
Hi @infosecreg, welcome to the community and to OpenZiti and thanks for reaching out!
I'm sorry you spent days on this. I've also spent a bunch of time on it in the past. I'm currently working through adding IdP related walkthroughs for different IdPs and hit similar snags with Google. If you're interested, I could bore you with the details but the short answer is with the release last week of OpenZiti 1.4.x stream we have added functionality that we believe will work with Google. Specifically, the ability to choose which token from the IdP OpenZiti will use for authentication.
We are in the midst of rolling out changes to the ZAC to enable this functionality and I believe BrowZer is in the process of being modified to adapt to this as well. I believe we are going to drive the IdP information via the OpenZiti Controller's ext-jwt-signer, similar to what we are doing for the tunnelers. @curt can keep me honest here, but I think that's the plan still.
When done, the BrowZer configuration section should become a bit easier and we'll make sure to verify using Google as well. This came up on a different post not long back here: ZDEW and Google OIDC. A relatively quick and painless way around this is to federate to Google either through someone like Auth0, Keycloak, Zitadel, etc. If you're just testing things out, that might keep you moving along while we get the pieces in place for directly using Google.
Hopefully that helps, but if not let us know. Cheers
1 Like
Hello, Clint. Thank you for the response.
I had already read through that ZDEW/Google OIDC thread and suspected this was the core issue I was having also, but I had no way to confirm it, so I decided to post about it separately. Google always finds a way to keep things "interesting" lol.
It's good to hear this issue is being acknowledged and addressed. I will certainly set up federated third party services in the meanwhile as a workaround.
Thanks again to the entire NetFoundry team for your tireless contributions to zero trust methodologies and to the open source community. Thank you for ZitiTV and its many videos I have watched and learned from. Keep up the phenomenal work!!
2 Likes
Definitely true, although it's not only Google. Other IdPs keep it interesting in different ways and other IdPs also don't provide an access token in a format that's usable by OpenZiti as is.
Thanks for the kind words, the team always appreciates it! I'll follow up here and on that other thread when I get through making a doc for Google and when I can verify BrowZer.
Cheers