OAuth2 (Google Apps with OpenID Connect)

OAuth2 authentication is available to authenticate against the Google OAuth2 service.

RStudio Connect will use OAuth2 authentication if the Authentication.Provider setting has a value of oauth2.

; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
Provider = oauth2

The OAuth2 configuration appendix contains information about each OAuth2 configuration option.

In order for RStudio Connect to use Google as an OAuth2 service, you will need a client ID and client secret.

When attempting to troubleshoot a problem relating to OAuth2, you can enable more verbose logging with OAuth2.Logging:

; /etc/rstudio-connect/rstudio-connect.gcfg
[OAuth2]
Logging = true

Obtaining a Client ID and Client Secret

These instructions tell you how to obtain an OAuth2 client ID and client secret. We recommend a distinct set of credentials for each application you configure to use the Google OAuth2 service.

  1. Visit the Google Developers Console and create a new project. Give it a name of your choosing, such as "rstudio-connect".

  2. In the left navigation window, click on "Credentials", then goto the "OAuth consent screen" tab, fill in the information requested and click "Save".

  3. Once again, click "Credentials" in the left navigation window. Then click the dropdown button "New credentials", then "OAuth client ID".

  4. For "Application Type", select "Web Application". Then give your client ID a descriptive name. For "Authorized JavaScript origins", enter your RStudio Server URL (i.e. https://HOST:PORT). For "Authorized redirect URIs", use your RStudio Connect server address with /__login__/callback (i.e. https://HOST:PORT/__login__/callback).

  5. Click "Create". Your client ID and client secret will be shown to you.

Add the client ID and secret to your configuration file as shown in the example below.

; /etc/rstudio-connect/rstudio-connect.gcfg
[OAuth2]
ClientId = <CLIENT ID>
ClientSecret = <CLIENT SECRET>

With OAuth2.ClientId and either OAuth2.ClientSecret or OAuth2.ClientSecretFile configured, you can use your Google Apps account to sign into RStudio Connect!

Note: The ClientSecret or ClientSecretFile can be encrypted to avoid leakage of the credential. See the Property Types configuration appendix for details.

Restricting Access

The default configuration allows all Google account holders to access RStudio Connect. We recommend that you limit access to specific domains that are used by your organization.

Verify that you can use your Google Apps account to sign into RStudio Connect before attempting to configure access restrictions.

The OAuth2.AllowedDomain setting specifies the set of domains that are allowed to access your RStudio Connect server. Multiple domains should be entered one per line.

; /etc/rstudio-connect/rstudio-connect.gcfg
[OAuth2]
AllowedDomain = company.com
AllowedDomain = subsidiary.com

You may also restrict access by email address if using domain alone is insufficient. The OAuth2.AllowedEmail setting specifies the set of email addresses that are allowed to access your RStudio Connect server. Multiple addresses should be entered one per line.

; /etc/rstudio-connect/rstudio-connect.gcfg
[OAuth2]
AllowedEmail = jdoe@company.com
AllowedEmail = asmith@subsidiary.com

It is important to understand how the OAuth2.AllowedDomain and OAuth2.AllowedEmail properties interact.

If only OAuth2.AllowedDomain is configured, only email addresses with a listed domain will be permitted access.

If only OAuth2.AllowedEmail is configured, only listed email addresses will be permitted access.

When both OAuth2.AllowedDomain and OAuth2.AllowedEmail are specified, email addresses given in OAuth2.AllowedEmail are permitted access in addition to email addresses with a domain listed in OAuth2.AllowedDomain.

Usernames

Google OAuth2 has no notion of usernames but certain features in RStudio Connect require a username. On the user's first login or when the user is associated with some content, we derive the initial username from the user's email address without the domain. The user may be able to modify it after the first login if allowed. An administrator is always able to modify OAuth2 usernames.

The process of generating an initial username is limited to what is considered a valid username in RStudio Connect. For example, certain characters such as dashes (-) are replaced with underscores (_), shorter names are also padded with underscores. Resulting usernames longer than 64 characters are truncated as necessary and prohibited or duplicate usernames get an incremental suffix.

Searches

RStudio Connect allows users to search for collaborators against the user directory associated with your Google Apps account. That search is performed on behalf of the current user. Different accounts may have different visibility within the user directory and therefore will see different results. This is most obvious when you have configured RStudio Connect to allow access to two different domains. Users in company.com, for example, will likely not be able to search for colleagues in subsidiary.com.

RStudio Connect augments the Google Apps user directory search with a local search across its set of known accounts. Once your colleague has created their own RStudio Connect account, they will become discoverable.

Groups

Groups are supported when using OAuth2 authentication. They can be managed manually in the Dashboard or via the Connect Server API.

Note: These groups are local to RStudio Connect and have no relation to any organization groups present in Google Apps, for example.