Google OAuth 2.0 is a free, open source product that provides a federated identity solution to connect users to applications of various sorts, both within and outside institutions. The Video Platform's flexible SSO Module Provider framework is designed to support a wide variety of identity solutions, enabling full integration of Google OAuth 2.0 into your infrastructure.
This document is intended to guide users on how to integrate the Video Platform as an application with their Google API OAuth 2.0 system. Once configured, users will be able to give consent and authorize the Video Platform to gain access to their basic Google account information in order to log them into the Video Platform as a new or existing user.
Setup
Configuration involves adding a Video Platform redirect URI to your project in the Google API Console, then obtaining the JSON metadata file, which contains all the information required to configure the Video Platform side. With the JSON file, configuring the Video Platform simply involves providing a few parameters and performing a test login. Once you have verified that the SSO is functional, the final step is to activate the authentication for all users of your institution.
For some steps, <organization> is to be replaced by the wildcard DNS of the organization associated with the Video Platform. As an example, for “https://hudson.yuja.com”, <organization> would be replaced by “hudson”.
Adding a Video Platform Redirect URI to the Google API Console
For instructions on how to create projects in the Google API Console, refer to the following: https://developers.google.com/identity/sign-in/web/devconsole-project
- In your Google API Console, choose or create a project associated with the Video Platform. Add the following value to the Authorized redirect URI: https://<organization>.yuja.com/D/OauthAuthentication
- Download the JSON metadata file from the Google API Console. This contains the required parameters used to configure YuJa.
Configuring the Google OAuth Integration in the Video Platform
- Log in to your YuJa Zone as an IT Manager and navigate to Admin Panel → Integrations.
- Under Select an API to configure, select SSO - Google OAuth 2.0.
- Enter the following configuration parameters:
| Parameter | Value |
| --- | --- |
| Client ID | The client ID obtained from the Google API Console (https://console.developers.google.com). Also located in the JSON data of your project as the value of the “client_id” attribute. |
| Client Secret | The client secret obtained from the Google API Console (https://console.developers.google.com). Also located in the JSON data of your project as the value of the “client_secret” attribute. |
| Auth URI | Located in the JSON data of your project as the value of the “auth_uri” attribute. |
| Token URI | Located in the JSON data of your project as the value of the “token_uri” attribute. |
- Click Create Configuration.
- Click OK in the confirmation dialog popup.
- To test if the configuration is correct, click Test OAuth Login. This should open a new tab and redirect to Google, which handles authentication and user consent.
- If no Google user is currently logged in, enter valid login credentials and Login. Otherwise, choose a Google account.
- Click Allow to give the Video Platform consent to access the user's basic information.
- You should be redirected back to the Video Platform, signed in as a new user.
Logging in as a new user may log the original account out. If so, log out of the newly created account, log back in as an IT Manager, then navigate back to Admin Panel → Integrations → SSO – Google OAuth 2.0.
- Once you have verified that the OAuth SSO works, you can choose to activate the new authentication scheme for your organization by clicking Activate.
Only activate the new authentication scheme after you have successfully performed a test login and are ready to make it available for all users in your organization.
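Before entering the parameters, the downloaded JSON file can be checked for the four values listed in the table and for the Video Platform redirect URI. The script below is an added example, not part of the Video Platform or Google tooling. It assumes the file uses the top-level "web" object that Google emits for web-application clients. The function name and the sample values are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# The four values the Video Platform form asks for.
REQUIRED = ("client_id", "client_secret", "auth_uri", "token_uri")


def check_google_client_json(raw, organization):
    """Return the four form values, or raise ValueError naming the problem."""
    doc = json.loads(raw)
    # Web-application clients are wrapped in a top-level "web" object.
    if "web" not in doc:
        raise ValueError(f"expected a 'web' client, found keys {sorted(doc)}")
    client = doc["web"]

    missing = [k for k in REQUIRED if not client.get(k)]
    if missing:
        raise ValueError(f"missing or empty fields: {missing}")

    # The authorization code and client secret travel to these endpoints.
    for key in ("auth_uri", "token_uri"):
        parts = urlsplit(client[key])
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"{key} is not an https URL: {client[key]!r}")

    # Google matches the redirect URI exactly, so compare the full string.
    expected = f"https://{organization}.yuja.com/D/OauthAuthentication"
    if expected not in client.get("redirect_uris", []):
        raise ValueError(f"redirect URI not registered: {expected}")

    return {k: client[k] for k in REQUIRED}


# Constructed sample file; the client ID and secret are placeholders.
SAMPLE = json.dumps({"web": {
    "client_id": "000000000000-example.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER-NOT-A-REAL-SECRET",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "redirect_uris": ["https://hudson.yuja.com/D/OauthAuthentication"],
}})

if __name__ == "__main__":
    values = check_google_client_json(SAMPLE, "hudson")
    # Print everything except the secret, which should not reach logs.
    print({k: v for k, v in values.items() if k != "client_secret"})
```

A "redirect URI not registered" error on a real file usually means the JSON was downloaded before the redirect URI was saved in the Google API Console; download it again after saving.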
(Optional) Dual Integration with LTI
If your organization has enabled both LTI and Google OAuth SSO access, then you have the choice to link the two integrations. By default, a user logging in via both LTI and OAuth receives a separate Video Platform account for each login. If your LTI provider is configured to authenticate users via their Google account credentials, it is possible to link the two accounts as the LTI provider will give the Video Platform a unique identifier for the user in the OAuth system.
- Configure your LMS to pass a custom LTI parameter called lis_person_sourcedid which contains the cross-matching SSO value. This can be an email, employee ID, or other field. The Video Platform will make use of this feature to link the two login techniques to the same account.
- Obtain the attribute name whose value corresponds to the unique identifier used by the LTI provider. The possible values you can use are determined by the Google API. Since the Video Platform only requests basic profile information for a specific user, the only valid attribute would be 'email'.
- Enter this value into the Admin Panel → Integrations → Select an API to Configure → SSO - Google OAuth 2.0 → Linkage Attribute and select Save Cross-Integration.
- Now, when logging in for the first time via Google OAuth, the Video Platform system will search for a link with an LTI account using the value of the linkage attribute. If found, the Google account will be linked to the existing account. Otherwise, a new account will be provisioned as normal. All logins past the first one will continue to link to the Video Platform account created or found on the first login.
Usage
Once the Google API Console and the Video Platform have been properly configured and the OAuth SSO has been activated, users who navigate to your organization's Video Platform domain will be authenticated via Google OAuth 2.0, rather than the standard Video Platform login. It is easy to verify that everything has been done correctly by following the steps below:
- Navigate to the organization's Video Platform Zone.
- Press Login. This should redirect the user to Google, where they will select an account to use and give consent to allow the Video Platform to access their basic information.
- Once authorized, the user should be redirected back to the Video Platform and successfully logged in.