GAM-team / GAM

command line management for Google Workspace
https://github.com/GAM-team/GAM/wiki
Apache License 2.0

Allow selection of limited service account DwD scopes #1671

Open jay0lee opened 8 months ago

jay0lee commented 8 months ago

Today GAM expects users to authorize all scopes it uses for Domain-wide delegation (DwD). This is less than ideal if an admin wants to limit GAM's permissions to only certain scopes and API calls.

While admins can selectively add/remove scopes on the DwD page in the admin console which GAM links to, GAM still tries to use all the scopes it knows about for a given Google API when requesting a DwD access token which will fail if the admin removed scopes.

Possible solution:

  1. On check serviceaccount GAM should write scopes that PASS to its config file. Something like passing_dwd_scopes.
  2. On DwD API call, GAM should:
    • get list of scopes the API endpoint uses. Note that this list can be problematic. In some cases, only one of the given scopes is required, in others more than one is required to enable all functionality of the API call. (Classroom API is like this). Also note some APIs like Chat (at least at one point) may not list scopes per API endpoint. In this case we'd need to fall back on the full list of scopes supported by the API itself (e.g. the scopes for Gmail API instead of the scopes listed for Gmail API's delegates.create endpoint)
    • get list of scopes that have PASSed check serviceaccount stored in some config setting like passing_dwd_scopes.
    • Only use scopes in both of these lists. If the resulting diff is empty (no scopes shared between both lists) then fall back to default scopes for the given API endpoint.
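The selection rule proposed above (intersect the endpoint's scopes with the scopes that PASSed `check serviceaccount`, fall back to the endpoint's default scopes when the intersection is empty, and fall back to the API's full scope list when an API publishes no per-endpoint scopes) as a worked example. This is an added illustration, not GAM's code: the config key name `passing_dwd_scopes` comes from the issue, while the helper names, the scope catalogue and the sample `check serviceaccount` results are constructed for the example.

```python
"""Added example of the DwD scope-selection rule proposed in issue #1671.

Not GAM's own code. ``passing_dwd_scopes`` is the config key suggested in
the issue; everything else here (function names, the API_SCOPES catalogue,
the sample check results) is constructed for illustration.
"""

G = "https://www.googleapis.com/auth/"

# Constructed catalogue: each API has its full scope list ("all") and,
# where Google publishes them, per-endpoint scope lists. ``None`` models
# an API such as Chat that lists no scopes per endpoint.
API_SCOPES = {
    "gmail": {
        "all": [
            G + "gmail.settings.basic",
            G + "gmail.settings.sharing",
            G + "gmail.modify",
        ],
        "endpoints": {
            "users.settings.delegates.create": [G + "gmail.settings.sharing"],
            "users.messages.list": [G + "gmail.modify"],
        },
    },
    "chat": {
        "all": [G + "chat.spaces", G + "chat.messages"],
        "endpoints": None,
    },
}


def passing_scopes_from_check(check_results):
    """Step 1: given ``{scope: passed}`` results from ``check serviceaccount``,
    return the sorted list of scopes that PASSed. GAM would persist this
    list under the ``passing_dwd_scopes`` config setting."""
    return sorted(scope for scope, passed in check_results.items() if passed)


def endpoint_scopes(api, endpoint):
    """Step 2, first bullet: scopes the endpoint uses. When the API has no
    per-endpoint scope lists (or the endpoint is unknown), fall back to the
    full scope list of the API itself."""
    entry = API_SCOPES[api]
    endpoints = entry["endpoints"]
    if endpoints is None or endpoint not in endpoints:
        return list(entry["all"])
    return list(endpoints[endpoint])


def select_dwd_scopes(api, endpoint, passing_dwd_scopes):
    """Step 2, remaining bullets: scopes to request for the DwD token.

    Returns ``(scopes, restricted)``. ``restricted`` is True when the
    intersection with ``passing_dwd_scopes`` was non-empty; False means the
    rule fell back to the endpoint's default scopes, so the request behaves
    exactly as GAM does today (and fails with the usual error if the admin
    removed scopes). Every matching scope is kept, in catalogue order, since
    some endpoints (Classroom, per the issue) need more than one scope.
    """
    wanted = endpoint_scopes(api, endpoint)
    allowed = set(passing_dwd_scopes)
    chosen = [scope for scope in wanted if scope in allowed]
    if not chosen:
        return wanted, False
    return chosen, True


if __name__ == "__main__":
    # Constructed check results: admin left Gmail settings scopes enabled,
    # removed gmail.modify and both Chat scopes on the DwD page.
    results = {
        G + "gmail.settings.basic": True,
        G + "gmail.settings.sharing": True,
        G + "gmail.modify": False,
        G + "chat.spaces": False,
        G + "chat.messages": False,
    }
    passing = passing_scopes_from_check(results)
    print("passing_dwd_scopes =", ",".join(passing))
    for api, endpoint in [
        ("gmail", "users.settings.delegates.create"),
        ("gmail", "users.messages.list"),
        ("chat", "spaces.list"),
    ]:
        scopes, restricted = select_dwd_scopes(api, endpoint, passing)
        print(api, endpoint, "restricted" if restricted else "fallback", scopes)
```

Running the script shows the three cases in the proposal: `delegates.create` is narrowed to the single passing `gmail.settings.sharing` scope, `users.messages.list` falls back to its default scope because `gmail.modify` did not pass, and the Chat call uses the API-level scope list because no per-endpoint list exists.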
taers232c commented 8 months ago

Jay,

I'm looking at this. gam can already do some of what you want. gam user @. @.> update serviceaccount

Ross

Ross Scroggs

On Jan 2, 2024, at 10:27 AM, Jay Lee wrote:

> (quotes the original issue text above)