
How to Set Google OAuth2 as Identity Provider

Introduction

This basic tutorial demonstrates how to configure Google OAuth2 and integrate it with AI DIAL for identity and access management.

In AI DIAL, you can assign roles to Models, Applications, Addons, and Assistants to restrict the number of tokens that can be transmitted in a specific time frame. These roles and their limitations can be created in external systems and then assigned in AI DIAL's configuration.

Configuration Guidelines

Configure Google OAuth2

Note: Replace <chat_url> with the actual address of your AI DIAL Chat application.

Follow these steps to configure Google OAuth2:

  1. Create an OAuth consent screen: refer to the Google documentation to learn how to do this.
  2. Create Client ID and Secret: click Create Credentials > OAuth Client ID and fill it with:
    • Name
    • Application Type: Web Application
    • Authorized JavaScript Origins: https://<chat_url>
    • Authorized Redirect URLs: https://<chat_url>/api/auth/callback/google
  3. Obtain and save Client ID and Client Secret from the OAuth Client modal.
  4. (Optional) Create a Group and add members: once the application integration is set up, create the necessary Group and add members in Google Groups.
  5. (Optional) Enable the Google Cloud Identity API: click ENABLE in your organization’s dashboard.

Configure AI DIAL

To enable AI DIAL Chat and AI DIAL Core to work with Google OAuth2, configure them with the parameters below.

AI DIAL Chat Settings

Add the following environment variables to AI DIAL Chat configuration. Refer to AI DIAL Chat for more details.

AUTH_GOOGLE_CLIENT_ID: "<google_client_id>"
AUTH_GOOGLE_SECRET: "<google_client_secret>"
AUTH_GOOGLE_SCOPE: "openid email profile https://www.googleapis.com/auth/cloud-identity.groups.readonly" # Optional

AI DIAL Core Settings

Add the following parameters to AI DIAL Core static settings. Refer to AI DIAL Core for more details.

aidial.identityProviders.google.userInfoEndpoint: "https://openidconnect.googleapis.com/v1/userinfo"
aidial.identityProviders.google.rolePath: "fn:getGoogleWorkspaceGroups"
aidial.identityProviders.google.loggingKey: "sub"
aidial.identityProviders.google.loggingSalt: "loggingSalt"

Assignment of Roles

Once all the above steps are completed, including the ones marked as Optional, you can assign roles to Models, Applications, Addons, and Assistants.

In AI DIAL Core:

  • Static settings: as the value for aidial.identityProviders.google.rolePath, provide an API endpoint from Google OAuth2.
  • Dynamic settings: for userRoles, provide a specific group name.

In this example, the "google-group-name" role from the "fn:getGoogleWorkspaceGroups" API endpoint is configured for the chat-gpt-35-turbo model:

"models": {
  "chat-gpt-35-turbo": {
    "type": "chat",
    "endpoint": "http://localhost:7001/v1/openai/deployments/gpt-35-turbo/chat/completions",
    "upstreams": [
      {"endpoint": "http://localhost:7001", "key": "modelKey1"}
    ],
    "userRoles": ["google-group-name"]
  }
}
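
An added example (not part of the AI DIAL documentation or code): a pre-deployment check that cross-checks the Chat variables, the Core static and dynamic settings, and the registered redirect URL described in this guide. The function name, the sample values, and the rule that group-based roles need the groups scope in AUTH_GOOGLE_SCOPE are assumptions.

```python
from urllib.parse import urlsplit

GROUPS_SCOPE = "https://www.googleapis.com/auth/cloud-identity.groups.readonly"
GROUPS_ROLE_PATH = "fn:getGoogleWorkspaceGroups"
CALLBACK_PATH = "/api/auth/callback/google"


def check_dial_google_config(chat_env, core_static, core_dynamic, redirect_url):
    """Hypothetical helper: return findings; an empty list means nothing was flagged."""
    findings = []
    # Tutorial placeholders such as "<google_client_id>" must be replaced.
    for name in ("AUTH_GOOGLE_CLIENT_ID", "AUTH_GOOGLE_SECRET"):
        value = chat_env.get(name, "")
        if not value or (value.startswith("<") and value.endswith(">")):
            findings.append(f"{name} is missing or still a placeholder")
    # Assumption: group-based roles need the groups scope requested by Chat.
    role_path = core_static.get("aidial.identityProviders.google.rolePath")
    scopes = chat_env.get("AUTH_GOOGLE_SCOPE", "").split()
    if role_path == GROUPS_ROLE_PATH and GROUPS_SCOPE not in scopes:
        findings.append("AUTH_GOOGLE_SCOPE lacks the groups scope used by rolePath")
    # The redirect URL registered in Google: HTTPS and the exact callback path.
    url = urlsplit(redirect_url)
    exact = url.path == CALLBACK_PATH and not url.query and not url.fragment
    if url.scheme != "https" or not url.hostname or not exact:
        findings.append(f"redirect URL {redirect_url!r} does not match the callback")
    # Report models that carry no usable group name in userRoles.
    for name, model in core_dynamic.get("models", {}).items():
        roles = model.get("userRoles") or []
        if not roles or any(not str(role).strip() for role in roles):
            findings.append(f"model {name!r} has an empty or blank userRoles entry")
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE_CHAT_ENV = {
    "AUTH_GOOGLE_CLIENT_ID": "1234-example.apps.googleusercontent.com",
    "AUTH_GOOGLE_SECRET": "<google_client_secret>",
    "AUTH_GOOGLE_SCOPE": "openid email profile",
}
SAMPLE_CORE_STATIC = {"aidial.identityProviders.google.rolePath": GROUPS_ROLE_PATH}
SAMPLE_CORE_DYNAMIC = {"models": {
    "chat-gpt-35-turbo": {"type": "chat", "userRoles": ["google-group-name"]},
    "other-model": {"type": "chat"},
}}
SAMPLE_REDIRECT_URL = "http://chat.example.com/api/auth/callback/google"

if __name__ == "__main__":
    for finding in check_dial_google_config(
            SAMPLE_CHAT_ENV, SAMPLE_CORE_STATIC, SAMPLE_CORE_DYNAMIC, SAMPLE_REDIRECT_URL):
        print("FINDING:", finding)
```
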