Use these instructions set up Google as your SSO provider for Tonic.
To configure Google SSO:
- 1.
- 2.Create and configure a service account to read user groups - In addition to the above, requires the Google workspace administrator.
The OAuth client ID is sufficient to enable logging in with your Google account, but no groups are parsed. If the service account is misconfigured, the login succeeds without the groups being parsed and a warning is logged to the server with more details. For the provided links, it is assumed that the user is logged into their administrative account and using the same project.
- 2.Click Create credentials, located near the top.

Create Credentials option for Google
- 3.Select OAuth client ID.

Create OAuth Client ID panel
- 4.Select Web application as the application type.
- 5.Choose a name.
- 6.Under Authorized redirect URIs, add the URL of the Tonic server with the endpoint /sso/callback.
- For example, a local tonic server at http://localhost:3000 would need http://localhost:3000/sso/callback to be set as the redirect URI
- Also note that internal URLs might not work:

Redirect URIs
- 7.Note the client ID and client secret. You will need to provide them to Tonic.

TONIC_SSO_CLIENT_ID
: <client id of oauth credentials>TONIC_SSO_CLIENT_SECRET
: <client secret of oauth credentials>TONIC_SSO_PROVIDER
:google
To set up the service account:
For official documentation, see https://cloud.google.com/iam/docs/creating-managing-service-accounts and https://cloud.google.com/iam/docs/creating-managing-service-account-keys.
- 2.Click Create service account, located near the top

Create service account panel
- 3.Skip all the subsequent optional steps.
- 4.After you create the service account, select it and go into the Keys tab.

Keys tab
- 5.Select Add Key -> Create new key and select JSON as the key type. The browser automatically downloads a json file.
- 6.The json file must be base64 encoded to set it as a variable in your Docker Compose file. An example command to do this is:
cat /path/to/json/file | base64 -w 0
The long output of this command is set as the value ofTONIC_SSO_SERVICE_ACCOUNT_JSON_BASE64
in the Docker Compose file - 7.Take note of the service account email. You will need this later.
- 2.Click Enable if it is not yet enabled.

Admin SDK API panel
- 1.
- 2.Select Groups Reader from the list of predefined roles.
- 3.Click Assign Roles -> Assign service accounts.
- 4.Copy the service account email into the box, then click Add.
- 5.To save these changes, click Assign Role.
TONIC_SSO_SERVICE_ACCOUNT_JSON_BASE64
: <base64 encoded json key>TONIC_SSO_DOMAIN
: <domain name>TONIC_SSO_GROUP_FILTER_REGEX
: <regex string>
The domain name is the workspace domain. For example, for [email protected], the domain is
tonic.ai
.The group filter regex is an expression that matches the groups that you want Tonic to be aware of. You can change this later. For example, the expression
.*Tonic.*
allows all groups that contain the word "Tonic".For Kubernetes,
TONIC_SSO_SERVICE_ACCOUNT_JSON_BASE64
can be provided through the tonic-sso-google-account-service-json-secret
secretLast modified 2mo ago