bitly / oauth2_proxy

A reverse proxy that provides authentication with Google, Github or other provider
MIT License

Restrict auth to specific Google groups returning Invalid Account #680

Closed andrehluizsilva closed 5 years ago

andrehluizsilva commented 5 years ago

We are using oauth2_proxy running in Kubernetes to authenticate Google users with the Kibana application. We managed to authenticate using only the -email-domain flag and -authenticated-emails-file. But after we added the flags -google-admin-email, -google-group and -google-service-account-json, we started receiving 403 Permission Denied - Invalid Account.

We followed the steps for configuring the admin account and the service account, but authentication has not succeeded since the change. Is there a way to debug this process and find the root cause?

Here are the parameters used in the chart:

andrehluizsilva commented 5 years ago

We found the problem. It was related to the permissions on the Google service account, which was set up with https://www.googleapis.com/auth/admin.directory.group and not the .readonly option.

We changed the permissions and the group worked.
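
A preflight check for the misconfiguration found in this thread, added here as an example; it is not oauth2_proxy code. It assumes the proxy requests the `.readonly` group scope while impersonating the `-google-admin-email` account and that a delegation grant covers only the scopes listed exactly, as the thread reports; the key file, e-mail addresses and function names are constructed.

```python
import json

# Scope named in the thread: the ".readonly" variant of admin.directory.group.
GROUP_RO = "https://www.googleapis.com/auth/admin.directory.group.readonly"

# Constructed sample key file; every value is a placeholder, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_id": "000000000000000000000",
    "client_email": "proxy@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})

def delegation_claims(key_json, admin_email, scopes, now=0):
    """Build the JWT claim set a service account sends when impersonating admin_email."""
    key = json.loads(key_json)
    needed = ("client_id", "client_email", "private_key", "token_uri")
    missing = [f for f in needed if not key.get(f)]
    if key.get("type") != "service_account" or missing:
        raise ValueError(f"unusable key: type={key.get('type')!r}, missing={missing}")
    return {
        "iss": key["client_email"],   # the service account itself
        "sub": admin_email,           # value passed as -google-admin-email
        "scope": " ".join(scopes),    # space-delimited, as the token endpoint expects
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,
    }

def preflight(key_json, admin_email, authorized_scopes, requested=(GROUP_RO,)):
    """Compare the requested scopes with those authorized for the key's client_id."""
    claims = delegation_claims(key_json, admin_email, requested)
    granted = {s.strip() for s in authorized_scopes}
    # Assumption: scopes match as exact strings; a broader scope does not imply ".readonly".
    not_authorized = [s for s in claims["scope"].split() if s not in granted]
    return {"client_id": json.loads(key_json)["client_id"], "sub": claims["sub"],
            "not_authorized": not_authorized, "ok": not not_authorized}

if __name__ == "__main__":
    broad = ["https://www.googleapis.com/auth/admin.directory.group"]
    print(preflight(SAMPLE_KEY, "admin@example.com", broad))       # setup from the thread
    print(preflight(SAMPLE_KEY, "admin@example.com", [GROUP_RO]))  # after the fix
```

The `client_id` in the result is the identifier whose authorized scopes should be compared in the Admin console.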