4 Replies Latest reply on Jul 5, 2017 1:39 AM by kongphui

    Setting up google oauth for fms on EC2

    kongphui

      I am running fms16 on AWS EC2.

      I have not been able to set up Google OAuth successfully, and I guess my allowed return URL is not correct.

      This is because when I tried signing in to my fmp12 file, the option button to sign in via Google is not there, while I have created the user account in my solution file to be authenticated via Google.  I have also entered the client ID and client secret, which I got from the Google API console.


      For the allowed returned url, I am using the Public DNS (IPV4) that was shown on the instance description, to substitute into "YourDomain" as in https://YourDomain:sslport/oauth/redirect


      I am looking out for anyone who has successfully set up Google OAuth with their FMS running on AWS EC2, on what is the correct allowed return URL to be used.  I did not register a domain name for my EC2, not sure if this is a prerequisite for the OAuth feature to work.

        • 1. Re: Setting up google oauth for fms on EC2
          wimdecorte

          I have it running from an EC2 instance.


          A couple of thoughts:


          1) The fact that you have a Google-based account in your file will not make a difference.  It is only the FMS setup that will make that Google auth button show up on the login dialog.  In fact, once you set up your FMS correctly that button will show up on the login dialog for ALL your hosted files regardless of whether they have a Google account or not.


          2) You can't use the public DNS, I believe; it has to be the DNS name of the custom SSL cert that you installed on your FMS.  This mechanism will not work if you don't have a custom SSL cert on your FMS and have the proper DNS management in place for it (Google has to be able to reach your redirect URL and it has to be routed to your FMS box).


          3) In the security profile of your EC2 instance you have to have port 443 open.

          • 2. Re: Setting up google oauth for fms on EC2
            kongphui

            - Added 443 to the security profile of EC2

            The google auth button showed up on the login dialog.  This is regardless of using SSL for database connections in the fms settings.


            Clicking on the button, I got invalid_request, error 400.  It said raw IP addresses are not allowed.

            Is it possible to use the standard FileMaker SSL certificate, to get the oauth working?

            • 3. Re: Setting up google oauth for fms on EC2
              wimdecorte

              kongphui wrote:


              Is it possible to use the standard FileMaker SSL certificate, to get the oauth working?


              No, because the mechanism that invokes the URL will get an SSL warning, not the response they expect.  Remember that this is an authentication workflow; the 'sender' has to be 100% certain that they are talking to who they think they are talking to.

              • 4. Re: Setting up google oauth for fms on EC2
                kongphui

                Finally managed to test out google oauth using the default SSL cert from FMS16, learning from a friend who has done it.


                All my above-mentioned steps were correct, except for one:

                • From Open Remote in FMP, the host's internet address should not be the raw IP address (nn.nnn.nnn.nnn).  I have installed FMS16 on an AWS EC2 instance, and the host's internet address should follow what AWS has given in the Public DNS (IPv4) field, which for the Singapore region is something like ec2-nn-nnn-nnn-nnn.ap-southeast-1.compute.amazonaws.com


                You will then be able to play around with google oauth login for fmp files opened from this host address.  There will be warnings along the way on the SSL cert, which is ok to ignore since we are just trying out this new oauth feature and not for production run purpose.
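The thread turns on two things that are easy to get wrong before clicking the Google button: the return URL registered in the Google API console must be an https URL with a host name (Google rejects a raw IP with 400 invalid_request, as seen in reply 2), and the certificate FMS serves should cover that host name (otherwise the SSL warning mentioned in replies 3 and 4). The following is an added example, not code from the thread or from FileMaker: a small pre-flight checker that builds the `https://YourDomain:sslport/oauth/redirect` URL in the shape the first post gives and screens it before it is pasted into the console. The host names, IPs and SAN lists in it are constructed placeholders in the EC2 public-DNS pattern from reply 4, and the function names are the example's own.

```python
import ipaddress
from urllib.parse import urlsplit

# Path the thread gives for the FMS OAuth return URL; the host and port are
# what the admin supplies.
FMS_REDIRECT_PATH = "/oauth/redirect"


def build_redirect_uri(host: str, ssl_port: int = 443) -> str:
    """Build the FMS return URL https://host[:port]/oauth/redirect.

    The port is omitted when it is the https default, which is how the URL
    would normally be registered in the Google API console.
    """
    port_part = "" if ssl_port == 443 else f":{ssl_port}"
    return f"https://{host}{port_part}{FMS_REDIRECT_PATH}"


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals (urlsplit already strips IPv6 brackets)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_redirect_uri(uri: str) -> list:
    """Return the problems found with a candidate return URL (empty = OK).

    Mirrors what the thread ran into: Google refuses a raw IP address with
    400 invalid_request, and the URL must be https with the FMS path.
    """
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    host = parts.hostname or ""
    if not host:
        problems.append("missing host name")
    elif is_ip_literal(host):
        problems.append("raw IP addresses not allowed (400 invalid_request)")
    if parts.path != FMS_REDIRECT_PATH:
        problems.append(f"path must be {FMS_REDIRECT_PATH}")
    if parts.query or parts.fragment:
        problems.append("return URL must not carry a query string or fragment")
    return problems


def cert_covers_host(san_dns_names, host: str) -> bool:
    """Does a certificate's list of DNS SANs cover the FMS host name?

    Exact match, or a leftmost-label wildcard (*.example.com) matching one
    label only, which is how browsers and OAuth clients evaluate wildcards.
    A mismatch is the SSL warning the thread describes with the default cert.
    """
    host = host.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]) \
                and host.count(".") == name.count("."):
            return True
    return False


def preflight(host: str, ssl_port: int, san_dns_names) -> dict:
    """Combine the two checks for one FMS host; returns a summary dict."""
    uri = build_redirect_uri(host, ssl_port)
    return {
        "redirect_uri": uri,
        "uri_problems": check_redirect_uri(uri),
        "cert_covers_host": cert_covers_host(san_dns_names, host),
    }


if __name__ == "__main__":
    # Constructed inputs: an EC2 public DNS name in the ap-southeast-1
    # pattern from the thread, built from a documentation-range IP, and the
    # same box addressed by raw IP as in the first attempt.
    EC2_HOST = "ec2-203-0-113-10.ap-southeast-1.compute.amazonaws.com"
    RAW_IP = "203.0.113.10"
    # Constructed SAN list standing in for a cert issued for a custom domain
    # that does not name the EC2 host.
    CUSTOM_CERT_SANS = ["fms.example.com", "www.example.com"]
    for h in (EC2_HOST, RAW_IP):
        print(preflight(h, 443, CUSTOM_CERT_SANS))
```

Run it as a script to see the raw-IP attempt flagged and the host-name attempt pass the URL check while still failing the certificate check, which is the state reply 4 describes (OAuth works, but with certificate warnings until a cert that names the host is installed).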