Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Google connector doesn't support Workspace group auth without domain-wide delegation #3517

Open
2 tasks done
aaaaahaaaaa opened this issue May 10, 2024 · 2 comments
Open
2 tasks done

Comments

@aaaaahaaaaa
Copy link

aaaaahaaaaa commented May 10, 2024

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

Google supports authenticating with the Groups API using a service account without domain-wide delegation. AFAICT from testing, DEX's connector doesn't support that method.

Tested with the following approach:

  1. Configure service account A with access to the Group API without DWDoA using the documentation above.
  2. Grant service account B with iam.serviceAccountTokenCreator role over service account A.
  3. Point serviceAccountFilePath to credentials of SA B.
  4. Set domainToAdminEmail with email of SA A.

The following error is returned:

oauth2: cannot fetch token: 401 Unauthorized Response [...] Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested

Proposed Solution

Connector should allow the same level of configuration for example as Vault's OIDC provider.

Additional Information

Additionally, the flow should also works if serviceAccountFilePath points directly to credentials of the SA A, even without impersonation.

@ssmall
Copy link

ssmall commented Sep 3, 2024

This is currently an adoption blocker for my organization to use ArgoCD; we cannot enable domain-wide delegation because it is considered "too risky". Implementing this feature request would be great for us!

@loljawn
Copy link

loljawn commented Nov 26, 2024

Second this, I would want to avoid domain-wide delegation as it's impersonating a privileged account and it could be challenging to audit. Would prefer to use service account with tightly scoped permissions.

Terrform documentation re: Google Workspace provides an alternative that could work: https://registry.terraform.io/providers/hashicorp/googleworkspace/latest/docs#authentication

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants