buzzfeed / sso

sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services
MIT License

quickstart: group validation broken #110

Open epot opened 5 years ago

epot commented 5 years ago

Describe the bug: I am trying to validate that the user belongs to a given group with Google authentication. I am getting this error in the proxy logs:

"couldn't fetch user groups."

I enhanced the logs a bit and now see:

couldn't fetch user groups (Get http://sso-auth.localtest.me/profile?client_id=balblablaemail=email%40inja\u0026groups=stuff: dial tcp 127.0.0.1:80: connect: connection refused)

To Reproduce: I added this in my upstreams config:

    options:
      allowed_groups: ["stuff"]

Desktop (please complete the following information):

danbf commented 5 years ago

I think we are looking at two approaches to this: 1) creating a bridge doc for quickstart->prod; 2) creating a mock authenticator so our quickstart could have group support.

epot commented 5 years ago

Oh ok, this is a known issue. I am not sure I understand why we need to mock something or have a different behavior, could you enlighten me? Thanks!

epot commented 5 years ago

@danbf maybe I was not clear, but I am actually trying to tune quickstart to get it to talk to Google to fetch the groups. The oauth2 part works fine, but not when I try to get the groups.

mreiferson commented 5 years ago

I think what @danbf is saying is that the quickstart isn't set up for sso-proxy to be able to talk to sso-auth out-of-the-box, so group support is "broken".

epot commented 5 years ago

Any chance there is an ETA on this one? Or some doc that would help me workaround this issue? Thanks!!

shrayolacrayon commented 5 years ago

Hi @epot, we currently only support Google Groups based authorization. To set that up you would need to set up a Google service account. Instructions can be found here. Please let us know if this helps, or if there's anything in the documentation that might clarify things better.

epot commented 5 years ago

I think that is the doc I followed before hitting this issue :S.

shrayolacrayon commented 5 years ago

To clarify, the quickstart itself does not have support out of the box to use Google groups without having a user set up and enable the Google Admin SDK. After setting up and enabling the Admin SDK for Google groups, can you make sure that you have the GOOGLE_SERVICE_ACCOUNT_JSON environment variable (the path to the JSON file that contains your Google service account credentials, used to call the Google Admin API) and the GOOGLE_ADMIN_EMAIL environment variable?

takeda commented 5 years ago

@shrayolacrayon I'm also having issues setting it up, perhaps because I never had GSuite admin access, and it is hard to explain to the person with admin account what is needed.

The documentation is a bit ambiguous, for example what should be in GOOGLE_ADMIN_EMAIL? Is it the client_email field from the json file, or something else?

For controlling the access, are we using the Google groups, or are there some other groups that Google has that are not visible to me as a non-admin?

shrayolacrayon commented 5 years ago

@takeda, the GOOGLE_ADMIN_EMAIL field would be different from the contents of the JSON file. It would be an administrative email address on your organization's domain, the identity of which can be assumed by sso.
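The two answers above (the environment variables sso-auth needs, and the point that GOOGLE_ADMIN_EMAIL is an admin on your own domain rather than anything copied from the key file) are easy to get wrong, so here is a small preflight check a deployer can run before starting sso-auth. This is an added example written for this thread, not code from the sso project; the variable names GOOGLE_SERVICE_ACCOUNT_JSON and GOOGLE_ADMIN_EMAIL come from the comments above, while the field names checked in the key file (type, client_email, private_key) are the standard Google service-account key layout, and the sample key and addresses are constructed, non-functional values.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// serviceAccountKey holds the fields of a Google service-account JSON key that
// matter for this check. A real key file carries more fields; these are the
// ones needed to sign a delegated (impersonated) Admin API request.
type serviceAccountKey struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
}

// SampleKey is a constructed, non-functional key used only to exercise the check.
const SampleKey = `{"type":"service_account",` +
	`"client_email":"sso-auth@example-project.iam.gserviceaccount.com",` +
	`"private_key":"-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n"}`

// emailDomain returns the lower-cased domain part of an address, or "" if the
// address has no usable local part or domain.
func emailDomain(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at <= 0 || at == len(addr)-1 {
		return ""
	}
	return strings.ToLower(addr[at+1:])
}

// CheckGroupsConfig validates the pairing of a service-account key and the admin
// address that sso-auth will impersonate for group lookups. It returns the list
// of problems found; an empty list means the configuration is consistent.
func CheckGroupsConfig(keyJSON []byte, adminEmail string) []string {
	var problems []string
	var key serviceAccountKey
	if err := json.Unmarshal(keyJSON, &key); err != nil {
		return []string{"service account file is not valid JSON: " + err.Error()}
	}
	if key.Type != "service_account" {
		problems = append(problems, fmt.Sprintf("key type is %q, expected \"service_account\"", key.Type))
	}
	if key.ClientEmail == "" || key.PrivateKey == "" {
		problems = append(problems, "key is missing client_email or private_key")
	}
	adminEmail = strings.TrimSpace(adminEmail)
	if adminEmail == "" {
		problems = append(problems, "GOOGLE_ADMIN_EMAIL is empty")
		return problems
	}
	// The admin address is a human admin on the organization's domain; copying
	// client_email out of the key file is the mistake the thread above describes.
	if strings.EqualFold(adminEmail, key.ClientEmail) {
		problems = append(problems, "GOOGLE_ADMIN_EMAIL must be an admin on your domain, not the key's client_email")
	}
	if strings.HasSuffix(strings.ToLower(adminEmail), ".gserviceaccount.com") {
		problems = append(problems, "GOOGLE_ADMIN_EMAIL points at a service account address, not an organization admin")
	}
	if emailDomain(adminEmail) == "" {
		problems = append(problems, "GOOGLE_ADMIN_EMAIL is not a valid e-mail address")
	}
	return problems
}

// CheckGroupsConfigFromEnv reads the two environment variables the way sso-auth
// is configured (the JSON variable is a file path) and runs the check on them.
func CheckGroupsConfigFromEnv() ([]string, error) {
	path := os.Getenv("GOOGLE_SERVICE_ACCOUNT_JSON")
	if path == "" {
		return nil, errors.New("GOOGLE_SERVICE_ACCOUNT_JSON is not set")
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("reading GOOGLE_SERVICE_ACCOUNT_JSON: %w", err)
	}
	return CheckGroupsConfig(data, os.Getenv("GOOGLE_ADMIN_EMAIL")), nil
}

func main() {
	problems, err := CheckGroupsConfigFromEnv()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(2)
	}
	if len(problems) == 0 {
		fmt.Println("ok: service account key and GOOGLE_ADMIN_EMAIL look consistent")
		return
	}
	for _, p := range problems {
		fmt.Println("problem:", p)
	}
	os.Exit(1)
}
```

Run it in the same environment sso-auth will start in (`GOOGLE_SERVICE_ACCOUNT_JSON=/path/to/key.json GOOGLE_ADMIN_EMAIL=admin@your-domain go run .`); a non-zero exit with a printed problem means the group lookup would fail for a configuration reason rather than a network one like the connection-refused error at the top of the thread. The check deliberately never loads or uses the private key, so it is safe to run on a workstation.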

takeda commented 5 years ago

I see, it started working for me after I fixed it, thank you.

My concern, though, is that from what you said it is assuming the identity of that user. Why not the identity of the service account? I'm assuming sso-auth can still only read groups and users and nothing more, but will the access appear in the audit log as the user defined in GOOGLE_ADMIN_EMAIL?