- A Google Project. Initialize one from the GCP Console
- An Auth0 Account
Follow the Google Identity OpenID Connect tutorial to set up OAuth 2.0.

After following it, you should have:

- an OAuth 2 client on the Clients Page
  - configured with an `Authorised redirect URI` set to `http://localhost:8501/oauth2callback`
- your user consent screen configured on the Branding Page for App name and User support email
- `openid`, `.../auth/userinfo.email` and `.../auth/userinfo.profile` as enabled scopes in the Data Access Page

On the Streamlit side, create `.streamlit/secrets.toml` in local development, or from the `Secrets` tab in `App Settings`, with the following content:

- Copy the credentials `client_id` and `client_secret` from your created OAuth2 Client

```toml
[auth]
redirect_uri = "http://localhost:8501/oauth2callback"
cookie_secret = "<generate a long random string>"

[auth.google]
client_id = "XXX.apps.googleusercontent.com"
client_secret = "XXXXXX-..."
server_metadata_url = "https://accounts.google.com/.well-known/openid-configuration"
```

Use the `st.login("google")` part in `app/landing.py` to enable Google Authentication from your Streamlit app.

- Create a new tenant for your app. It should come with preconfigured components for you, though you're free to recreate each of them:
  - In `Authentication > Database`, a default email/password database for users who don't sign up with Google
  - In `Authentication > Social`, a `google-oauth2` connection.
    - You need to fill the `Client ID` and `Client Secret` fields with values from your Google Client page
    - You can find the documentation to create the Google `Client ID` and `Client Secret` on the Auth0 Marketplace. Most Social Connections are documented in the same way.
  - In `Applications > Applications`, a Default Regular Web Application.
    - Verify it is linked to the database and google-oauth connections in the `Connections` tab of the application.
    - If deploying, you need to add `https://HOST/oauth2callback` as `Allowed Callback URLs` and `https://HOST` as `Allowed Logout URLs`

Copy the `Client ID` and `Client Secret` from the default application Settings, back into your Secrets:

```toml
[auth]
redirect_uri = "http://localhost:8501/oauth2callback"
cookie_secret = "<generate a long random string>"

[auth.auth0]
client_id = "XXX"
client_secret = "XXX"
server_metadata_url = "https://<DOMAIN>.<REGION>.auth0.com/.well-known/openid-configuration"
client_kwargs = { "prompt" = "login" }
```

As documented on the Google Social login doc, you also need to authorize Auth0 callbacks back into your Google OAuth2 Web Application Client:

- Add your Auth0 domain `https://<DOMAIN>.<REGION>.auth0.com` to `Authorised JavaScript origins`
- Add `https://<DOMAIN>.<REGION>.auth0.com/login/callback` to `Authorized redirect URIs`

Use `st.login("auth0")` in `app/landing.py` to enable Google and Email/Password Authentication with Auth0 from your Streamlit app.

Link your Auth0 Web Application's API to the Default `Auth0 Management API` System API.
Give it the permissions for `read:users`, `read:user_idp_tokens` and `read:users_app_metadata` under the `APIs` tab for the Application.

Add an `admin_email` at the root top of your `.streamlit/secrets.toml` file. This will be the only authenticated email to get access to the admin page.

Add the Auth0 Domain to your `[auth.auth0]` config for Auth0 Management API:

```toml
admin_email = "XXX@test.com"

[auth]
redirect_uri = "http://localhost:8501/oauth2callback"
cookie_secret = "<generate a long random string>"

[auth.auth0]
domain = "mydomain.auth0.com"
client_id = "XXX"
client_secret = "XXX"
server_metadata_url = "https://<DOMAIN>.<REGION>.auth0.com/.well-known/openid-configuration"
client_kwargs = { "prompt" = "login" }
```

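
Because the tenant accepts both Google and email/password sign-ups, an admin check on `admin_email` should also require the OIDC `email_verified` claim. The sketch below is an added example, not this project's own code: `is_admin`, `_norm` and the sample claims are hypothetical, and it assumes the claims mapping comes from `st.user.to_dict()` and the address from `st.secrets["admin_email"]`.

```python
import hmac
from typing import Any, Mapping


def _norm(email: Any) -> bytes:
    """Lower-case and strip an address; anything that is not a string becomes empty."""
    return email.strip().lower().encode("utf-8") if isinstance(email, str) else b""


def is_admin(claims: Mapping[str, Any], admin_email: str) -> bool:
    """Return True only for a logged-in user whose verified email is admin_email."""
    if claims.get("is_logged_in") is not True:
        return False
    # An email/password sign-up can carry any address until it is verified,
    # so an unverified claim must never match the admin address.
    # Strict boolean check: a string such as "true" is rejected as well.
    if claims.get("email_verified") is not True:
        return False
    expected, actual = _norm(admin_email), _norm(claims.get("email"))
    if not expected or not actual:
        return False  # fail closed: an unset admin_email must not match ""
    return hmac.compare_digest(expected, actual)


# Constructed sample claims (not captured from a real tenant).
VERIFIED_ADMIN = {"is_logged_in": True, "email": "Admin@Example.com ",
                  "email_verified": True}
UNVERIFIED_SAME_EMAIL = {"is_logged_in": True, "email": "admin@example.com",
                         "email_verified": False}
OTHER_USER = {"is_logged_in": True, "email": "user@example.com",
              "email_verified": True}
LOGGED_OUT = {"is_logged_in": False}

if __name__ == "__main__":
    for name, sample in [("verified admin", VERIFIED_ADMIN),
                         ("unverified, same email", UNVERIFIED_SAME_EMAIL),
                         ("other user", OTHER_USER),
                         ("logged out", LOGGED_OUT)]:
        print(f"{name}: {is_admin(sample, 'admin@example.com')}")
```

In the admin page this would be called before rendering anything, stopping the script when it returns `False`.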
- Use the Auth0 Python SDK for Querying and Storing Users' Data: https://auth0.com/blog/use-the-auth0-python-sdk-for-querying-and-storing-users-data/