Open MattiaEffendi opened 2 weeks ago
Hey,
Do you think it would be possible in some way to generalize the group mapping implementation to call this kind of endpoint with the `access_token` provided from the IDP to get the list of groups, rather than trying to get them from the ID token?
As far as I'm aware it would be specific to Google since no other provider has this issue and the endpoint in question is not present in the openid-configuration.
The cleanest way to implement it would be to call the endpoint when `SSO_AUTHORITY=https://accounts.google.com` and `SSO_ORGANIZATIONS_INVITE=true`, but at the moment I prefer not to add provider-specific logic.
Thank you @Timshel, that seems reasonable. Can you think of any workaround to do the group -> org mapping in any way?
I never tried to use it, but the Directory Connector should allow syncing groups with an organization's collections (it's listed as supported by Vaultwarden). It should work with Google Workspace.
Vaultwarden Build Version
1.32.2-1
Details
I don't understand how I can set up the Google directory group to Bitwarden organization mapping. I've tried to add to the OpenID scopes the value `https://www.googleapis.com/auth/admin.directory.group.member.readonly` (which should return the user groups) but the ID token still doesn't have that value. I still haven't tried on Bitwarden, just using the Google OAuth Playground and JWT.io to see if the ID Token contained the expected value. Is there a guide on how to set this up for Google? In the SSO.md file I only see it explained for Microsoft AD.
Did a little bit of searching: Google doesn't seem to support returning the `groups` claim in the ID token in any way, as seen on this issue on their issue tracker. The good news is, though, that there is an endpoint in the Admin API that allows getting the user groups. Do you think it would be possible in some way to generalize the group mapping implementation to call this kind of endpoint with the `access_token` provided from the IDP to get the list of groups, rather than trying to get them from the ID token? By the way, thank you for your work. Truly an amazing effort to add the SSO feature.
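For readers who want to see what the workaround discussed above would involve, here is an added example (not Vaultwarden code, not from this thread's participants) that calls the Google Admin SDK Directory `groups.list` endpoint with the IdP-issued access token, follows `nextPageToken` pagination, and maps the returned group addresses onto organization ids. The HTTP layer is injected so the sample runs offline against constructed responses; the token, e-mail, group and org names are all made up, and the call assumes the token was granted a scope that permits reading group membership (for `groups.list` that is `admin.directory.group.readonly`, which the thread's scope does not cover).

```python
import json
import urllib.parse
from typing import Callable, Dict, List, Optional, Set, Tuple

# Google Admin SDK Directory API: list the groups a given user belongs to.
GROUPS_ENDPOINT = "https://admin.googleapis.com/admin/directory/v1/groups"


def build_groups_request(access_token: str, user_email: str,
                         page_token: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Build URL and headers for one groups.list call restricted to a single user."""
    params = {"userKey": user_email, "maxResults": "200"}
    if page_token:
        params["pageToken"] = page_token
    url = GROUPS_ENDPOINT + "?" + urllib.parse.urlencode(params)
    # The access token travels only in the Authorization header, never in the URL.
    headers = {"Authorization": "Bearer " + access_token, "Accept": "application/json"}
    return url, headers


def fetch_user_groups(access_token: str, user_email: str,
                      http_get: Callable[[str, Dict[str, str]], str]) -> List[str]:
    """Follow nextPageToken until exhausted; return lower-cased group e-mail addresses."""
    groups, page_token = [], None
    while True:
        url, headers = build_groups_request(access_token, user_email, page_token)
        body = json.loads(http_get(url, headers))
        groups.extend(g["email"].lower() for g in body.get("groups", []))
        page_token = body.get("nextPageToken")
        if not page_token:
            return groups


def map_groups_to_orgs(groups: List[str], mapping: Dict[str, str]) -> Set[str]:
    """Translate group addresses into organization ids; unmapped groups are ignored."""
    return {mapping[g] for g in groups if g in mapping}


# Constructed sample responses (not real API output), split over two pages.
SAMPLE_PAGES = {
    None: {"kind": "admin#directory#groups", "nextPageToken": "p2",
           "groups": [{"email": "Eng@example.com", "name": "Engineering"}]},
    "p2": {"kind": "admin#directory#groups",
           "groups": [{"email": "ops@example.com", "name": "Ops"}]},
}


def fake_http_get(url: str, headers: Dict[str, str]) -> str:
    """Offline stand-in for the HTTP client; serves SAMPLE_PAGES keyed by pageToken."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return json.dumps(SAMPLE_PAGES[qs.get("pageToken", [None])[0]])


GROUP_TO_ORG = {"eng@example.com": "org-engineering", "ops@example.com": "org-platform"}


def demo() -> Tuple[List[str], Set[str]]:
    groups = fetch_user_groups("ya29.constructed-token", "alice@example.com", fake_http_get)
    return groups, map_groups_to_orgs(groups, GROUP_TO_ORG)
```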