Certainly! Here’s how you can approach integrating Google Workspace, Ory Network, and AWS using OIDC, based strictly on the provided knowledge sources. --- ### 1. Configure Authentication Between Google Workspace and Ory Network via OIDC To allow users to authenticate to your Ory Network project using their Google Workspace accounts (i.e., "Sign in with Google"), you need to set up Google as a social sign-in (OIDC) provider in Ory Network.
Steps: 1.
Create OAuth Credentials in Google Cloud Console: - Go to [Google Cloud Console](
https://console.cloud.google.com/apis/credentials). - Create a new OAuth 2.0 Client ID (type: Web application). - Add the Ory Network-provided Redirect URI to the list of authorized redirect URIs. You get this URI from the Ory Console during provider setup. - Save the generated Client ID and Client Secret for later use. - Ensure the OAuth consent screen is configured and published. 2.
Configure Google as a Provider in Ory Network: - In the [Ory Console](
https://console.ory.sh/projects/current/social-signin), go to
Authentication →
Social Sign-In. - Click the switch next to the Google logo to start configuration. - Paste the Client ID and Client Secret from Google Cloud Console into the Ory Console fields. - Save the configuration to enable Google as a social sign-in provider. - Optionally, configure additional scopes and data mapping for user profile enrichment ([see data mapping example](
https://www.ory.sh/docs/kratos/social-signin/google#data-mapping)).
Result: Users can now authenticate to your Ory Network project using their Google Workspace credentials via OIDC. Ory handles the OIDC flow, and you can map Google claims to your identity schema as needed. [Reference: Ory Docs - Google Social Sign-In](
https://www.ory.sh/docs/kratos/social-signin/google) [Reference: Ory Docs - Social Sign-In Setup](
https://www.ory.sh/docs/identities/get-started/social-sign-in) --- ### 2. Configure Redirect to AWS via OIDC Using Authentication Token from Ory Network To use Ory Network as an OIDC Identity Provider (IdP) for AWS (e.g., for AWS SSO or Cognito), you need to configure AWS to trust Ory Network as an external OIDC IdP.
General Steps (based on OIDC standards): 1.
Obtain Ory Network OIDC Endpoints: - The Ory Network project acts as an OIDC provider. The Issuer URL is your Ory Network project URL (e.g., `
https://your-project-slug.projects.oryapis.com/`). 2.
Configure AWS to Trust Ory Network: - In AWS (e.g., IAM Identity Center or Cognito), add a new OIDC provider. - Enter the Ory Network Issuer URL. - Provide the client ID (registered in Ory Network for AWS). - Add the appropriate redirect/callback URIs (AWS will provide these; you must register them in Ory Network as valid redirect URIs for the client). - Download and upload the Ory Network OIDC provider’s metadata if required. 3.
User Authentication Flow: - When a user attempts to access AWS, they are redirected to Ory Network for authentication. - After successful authentication (e.g., via Google Workspace as described above), Ory Network issues an ID token. - The user is redirected back to AWS with the OIDC token, and AWS grants access based on the token claims.
Note: The knowledge sources do not provide a step-by-step AWS configuration guide, but the process follows standard OIDC integration patterns. You must ensure that the Ory Network client configuration includes AWS’s redirect URIs and that the scopes/claims required by AWS are mapped appropriately. [Reference: Ory Docs - OIDC/OAuth2 Overview](
https://www.ory.sh/docs/guides/oauth2-oidc) [Reference: Ory Docs - OIDC Provider Setup](
https://www.ory.sh/docs/kratos/social-signin/ory) ---
Summary: - Set up Google as a social sign-in provider in Ory Network to authenticate users via Google Workspace. - Register Ory Network as an OIDC IdP in AWS, configure the client and redirect URIs, and use the Ory-issued tokens for AWS authentication. If you need detailed AWS-side configuration, please refer to AWS documentation, as the Ory knowledge sources do not cover that part.