aws-samples / amazon-q-slack-gateway

MIT No Attribution

offline_access scope doesn't support by Google Workspace #44

Open avihuCohenAllCloud opened 3 months ago

avihuCohenAllCloud commented 3 months ago

Hello, I'm trying to integrate the Slack Gateway with our Google Workspace. I changed the AllowedPattern of OIDCClientId in convert-cfn-template.js to "." and I changed the validation for the OIDCClientId in the /bin/environment.sh file to ".".

After making the changes above, the CloudFormation stack was successfully deployed. I followed the instructions to complete the deployment of the Slack bot. When I try to interact with the bot, it asks me to sign in to Amazon Q, and when I press the Sign in button I get the following error:

Some requested scopes were invalid. {valid=[openid, https://www.googleapis.com/auth/userinfo.email], invalid=[offline_access]} Learn more about this error If you are a developer of SlackGateWay, see error details. Error 400: invalid_scope

It looks like the offline_access in session-helpers.ts file is not supported by Google Workspace.

Thanks, Avihu

leenmin-aws commented 3 months ago

Hi, at this time we are not actively supporting Google as an identity provider. If you follow the developer README, you can deploy a workaround for your stack.

You may configure the session-helper to remove offline_access as a scope and provide a different means of requesting the refresh token.
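As an added illustration of that workaround (example code, not part of the gateway's session-helpers.ts), the snippet below builds the OIDC authorization URL per provider: for Google it drops the `offline_access` scope that caused the `invalid_scope` error and instead requests a refresh token with Google's documented `access_type=offline` and `prompt=consent` query parameters, while Okta keeps `offline_access`. The `IdpKind` type and function names are assumptions for this example.

```typescript
import { URL, URLSearchParams } from "node:url";

// Hypothetical provider selector for this example; the gateway keys off its own config.
export type IdpKind = "okta" | "google";

export interface AuthorizeParams {
  authorizeEndpoint: string; // provider's authorization endpoint from discovery
  clientId: string;
  redirectUri: string;
  state: string; // CSRF binding, verified on the callback
  nonce: string; // replay protection, verified against the ID token
}

// Google rejects the OpenID Connect "offline_access" scope with 400 invalid_scope,
// so that scope is only requested from providers that accept it (e.g. Okta).
export function scopesFor(kind: IdpKind): string[] {
  const base = ["openid", "email"];
  return kind === "google" ? base : [...base, "offline_access"];
}

// Google's alternative to offline_access: a refresh token is issued only when
// access_type=offline is set, and only on first consent unless prompt=consent
// forces a fresh grant (otherwise re-authorization returns no refresh token).
export function refreshTokenParamsFor(kind: IdpKind): Record<string, string> {
  return kind === "google" ? { access_type: "offline", prompt: "consent" } : {};
}

export function buildAuthorizeUrl(kind: IdpKind, p: AuthorizeParams): string {
  const url = new URL(p.authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: p.clientId,
    redirect_uri: p.redirectUri,
    scope: scopesFor(kind).join(" "),
    state: p.state,
    nonce: p.nonce,
    ...refreshTokenParamsFor(kind),
  }).toString();
  return url.toString();
}
```

The callback handler still has to exchange the code and store the refresh token; only the authorization request differs between the two providers.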

avihuCohenAllCloud commented 3 months ago

Ok, I understand. And how about supporting AWS Cognito with Google Workspace and External IdP?

leenmin-aws commented 3 months ago

We are also not actively supporting Cognito identity pools. The primary identity provider being supported at the time of writing is Okta.

avihuCohenAllCloud commented 3 months ago

Ok, I see. Is there a plan to support Cognito and Google Workspace soon?

leenmin-aws commented 3 months ago

There is a plan to actively support more identity providers in the future, but I'm not aware of dates set for this currently.

andrewjohnsonstorable commented 1 month ago

We were able to get the Google IdP working by picking Cognito instead of Okta via the CLI scripts and figuring out the rest on the Google side. When we tried adding options for Google to this code base it didn't quite get it right; something must be missing deeper in the code besides scopes.