Create Loft Config For Google
Loft is able to use Google’s OpenID Connect provider as an authentication source.
To tell Loft to use Google for SSO, navigate to Admin > Config in Loft and adjust your config as shown below:

auth:
  # Tell loft to use google authentication
  google:
    #
    #
    # REQUIRED CONFIGURATION
    #
    #
    # ClientID for the google authentication. Can be string literal or pulled from the environment.
    clientId: $CLIENTID
    # ClientSecret for the google authentication. Can be string literal or pulled from the environment.
    clientSecret: $CLIENTSECRET
    # Callback URL in the form of https://your-loft-domain/auth/google/callback
    redirectURI: https://loft.my.domain/auth/google/callback
    #
    #
    # OPTIONAL CONFIGURATION
    #
    #
    # (Optional) defaults to "profile" and "email"
    scopes: ["profile", "email"]
    # (Optional) list of whitelisted domains. If this field is nonempty,
    # only users from a listed domain will be allowed to log in
    hostedDomains: []
    # (Optional) list of whitelisted groups. If this field is nonempty,
    # only users from a listed group will be allowed to log in
    groups: []
    # (Optional) path to service account json. If nonempty,
    # and groups claim is made, will use authentication from file to
    # check groups with the admin directory api
    serviceAccountFilePath: /path/to/service/account.json
    # (Optional) Required if serviceAccountFilePath is set. The email of
    # a GSuite super user which the service account will impersonate
    # when listing groups
    adminEmail: myuser@mydomain.com

Authenticate via Google
After saving the new Loft configuration, Loft will restart itself and you should be able to log in via Google.
Disable Username + Password Authentication (optional)
To disable password-based authentication, navigate to Admin > Config and add these two lines to your config:

auth:
  oidc: ... # This is your SSO configuration (make sure this is working!)
  password:
    disabled: true # Disable password-based authentication
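
A pre-save check for the two configs above (the Google block and the password-disable block), as an added example that is not part of Loft or its documentation. It takes the `auth:` mapping as an already-parsed dict; the name `lint_loft_auth`, the sample configs, and the rule that a secret without a leading `$` is a literal are assumptions made for this sketch.

```python
from urllib.parse import urlparse

def lint_loft_auth(auth):
    """Lint a parsed Loft `auth:` mapping (a dict); return a list of findings."""
    findings = []
    google = auth.get("google")
    if google is not None:
        for key in ("clientId", "clientSecret", "redirectURI"):  # required keys
            if not google.get(key):
                findings.append(f"google.{key} is required")
        redirect = google.get("redirectURI") or ""
        uri = urlparse(redirect)
        if redirect and (uri.scheme != "https" or uri.path != "/auth/google/callback"):
            findings.append("google.redirectURI must be https://<loft-domain>/auth/google/callback")
        secret = google.get("clientSecret") or ""
        if secret and not secret.startswith("$"):
            # Heuristic (assumption): no leading $ means the secret is stored inline.
            findings.append("google.clientSecret is a literal, not an environment reference")
        # Both allow-lists only restrict login when they are nonempty.
        if not google.get("hostedDomains") and not google.get("groups"):
            findings.append("google.hostedDomains and google.groups are empty: login is not restricted")
        if google.get("serviceAccountFilePath") and not google.get("adminEmail"):
            findings.append("google.adminEmail is required when serviceAccountFilePath is set")
    # Disabling passwords without an SSO block would leave no way to log in.
    password = auth.get("password") or {}
    if password.get("disabled") and not (auth.get("google") or auth.get("oidc")):
        findings.append("password.disabled is true but no google/oidc block is configured")
    return findings

# Constructed sample inputs (not real deployments or credentials).
WEAK = {
    "google": {
        "clientId": "$CLIENTID",
        "clientSecret": "constructed-literal-secret",
        "redirectURI": "http://loft.my.domain/auth/google/callback",
        "hostedDomains": [], "groups": [],
        "serviceAccountFilePath": "/path/to/service/account.json",
    },
    "password": {"disabled": True},
}
HARDENED = {
    "google": {
        "clientId": "$CLIENTID", "clientSecret": "$CLIENTSECRET",
        "redirectURI": "https://loft.my.domain/auth/google/callback",
        "hostedDomains": ["mydomain.com"], "groups": [],
        "serviceAccountFilePath": "/path/to/service/account.json",
        "adminEmail": "myuser@mydomain.com",
    },
    "password": {"disabled": True},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_loft_auth(cfg) or "ok")
```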