Open epot opened 5 years ago
I think we are looking at two approaches to this: 1) creating a bridge doc for quickstart->prod 2) creating a mock authenticator so our quickstart could have group support.
Oh ok, this is a known issue. I am not sure I understand why we need to mock something or have a different behavior, could you enlighten me? Thanks!
@danbf maybe I was not clear, but I am actually trying to tune quickstart to get it to talk to Google to fetch the groups. The oauth2 part works fine, but not when I try to get the groups.
I think what @danbf is saying is that the quickstart isn't set up for sso-proxy to be able to talk to sso-auth out-of-the-box, so group support is "broken".
Any chance there is an ETA on this one? Or some doc that would help me workaround this issue? Thanks!!
Hi @epot, we currently only support Google Groups based authorization. To set that up you would need to set up a Google service account. Instructions can be found here. Please let us know if this helps, or if there's anything in the documentation that might clarify things better.
I think that is the doc I followed before hitting this issue :S.
To clarify, the quickstart itself does not have support out of the box to use google groups without having a user set up and enable the Google Admin SDK.
After setting up and enabling the Admin SDK for the Google groups, can you make sure that you have the GOOGLE_SERVICE_ACCOUNT_JSON environment variable, which would be the path to the JSON file that contains your Google service account credentials to be able to use the Google Admin API, and the GOOGLE_ADMIN_EMAIL environment variable?
@shrayolacrayon I'm also having issues setting it up, perhaps because I never had GSuite admin access, and it is hard to explain to the person with admin account what is needed.
The documentation is a bit ambiguous, for example what should be in GOOGLE_ADMIN_EMAIL? Is it the client_email field from the JSON file, or something else?
For controlling the access are we using the google groups, or there are some other groups that google has that are not visible to me - non-admin?
@takeda, the GOOGLE_ADMIN_EMAIL field would be different from the contents of the JSON file. It would be an administrative email address on your organization's domain, the identity of which can be assumed by sso.
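Worked example of the delegation the two replies above describe (GOOGLE_SERVICE_ACCOUNT_JSON supplying the key file, GOOGLE_ADMIN_EMAIL supplying the admin user to impersonate). This is an added illustration, not code from buzzfeed/sso, which uses Google's client libraries; it hand-builds the same OAuth 2.0 jwt-bearer assertion with only the Go standard library so the mechanism is visible: `iss` is the service account's `client_email`, `sub` is the admin address, and because the access token is minted for `sub`, the Directory API reads are made as that admin rather than as the service account. The key pair, the service account address and the `admin@example.com` / `alice@example.com` identities are constructed for the offline run; the scope URL, token endpoint and `groups?userKey=` Directory call are taken from Google's public API documentation and are not stated on this page. The POST of the assertion to `token_uri` and the subsequent GET are not performed here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Read-only Directory scope for listing groups; the admin must delegate it to the service account's client ID.
const directoryGroupScope = "https://www.googleapis.com/auth/admin.directory.group.readonly"

// ServiceAccount is the part of the GOOGLE_SERVICE_ACCOUNT_JSON key file used here.
type ServiceAccount struct {
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"` // PEM "BEGIN PRIVATE KEY" (PKCS#8)
	TokenURI    string `json:"token_uri"`
}

// DelegatedAssertion builds the RS256 JWT for the jwt-bearer grant: iss is the
// service account (client_email), sub is the GOOGLE_ADMIN_EMAIL user whose
// identity is assumed, so Directory API calls are attributed to that user.
func DelegatedAssertion(sa ServiceAccount, adminEmail string, now time.Time) (string, error) {
	block, _ := pem.Decode([]byte(sa.PrivateKey))
	if block == nil {
		return "", fmt.Errorf("private_key is not PEM")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	key, _ := parsed.(*rsa.PrivateKey)
	if err != nil || key == nil {
		return "", fmt.Errorf("private_key is not a PKCS#8 RSA key: %v", err)
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": sa.ClientEmail, "sub": adminEmail, "scope": directoryGroupScope,
		"aud": sa.TokenURI, "iat": now.Unix(), "exp": now.Add(time.Hour).Unix(),
	})
	input := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// ParseAssertion verifies the RS256 signature (as the token endpoint does) and returns the claims.
func ParseAssertion(jwt string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // a bad segment simply fails verification
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	raw, _ := base64.RawURLEncoding.DecodeString(parts[1]) // signature covered this segment; garbage fails Unmarshal
	var claims map[string]interface{}
	return claims, json.Unmarshal(raw, &claims)
}

// GroupsRequestURL is the Directory API groups.list call for one user, sent with the bearer access token.
func GroupsRequestURL(userEmail string) string {
	return "https://admin.googleapis.com/admin/directory/v1/groups?userKey=" + url.QueryEscape(userEmail)
}

// NewTestServiceAccount makes a throwaway key pair and a constructed key-file record (no real credentials).
func NewTestServiceAccount() (ServiceAccount, *rsa.PublicKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // only if the system RNG is unavailable
	}
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	return ServiceAccount{
		ClientEmail: "sso-groups@example-project.iam.gserviceaccount.com", // constructed
		PrivateKey:  string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})),
		TokenURI:    "https://oauth2.googleapis.com/token",
	}, &key.PublicKey
}

func main() {
	sa, pub := NewTestServiceAccount()
	jwt, err := DelegatedAssertion(sa, "admin@example.com", time.Now()) // GOOGLE_ADMIN_EMAIL
	if err != nil {
		panic(err)
	}
	claims, err := ParseAssertion(jwt, pub)
	fmt.Println("verified:", err == nil, "iss:", claims["iss"], "sub:", claims["sub"])
	fmt.Println("groups lookup:", GroupsRequestURL("alice@example.com"))
}
```

`go run` prints the verified iss/sub pair and the Directory URL. In a real deployment the assertion is POSTed to `token_uri` as `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<jwt>`; if the admin has not delegated the scope to the service account's client ID, that exchange is what the token endpoint rejects, so it is the first thing to check when the OAuth login itself works but groups cannot be fetched.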
I see, it started working for me after I fixed it, thank you.
My concern though is that, as you said, it is assuming the identity of that user. Why not the identity of the service account? I'm assuming sso-auth can still only read groups and users and nothing more, but the access will appear in the audit log as the user defined in GOOGLE_ADMIN_EMAIL?
Describe the bug I am trying to validate that the user belongs to a given group with Google authentication. I am getting this error in the proxy logs:
"couldn't fetch user groups". I enhanced the logs a bit and now see:
couldn't fetch user groups (Get http://sso-auth.localtest.me/profile?client_id=balblablaemail=email%40inja\u0026groups=stuff: dial tcp 127.0.0.1:80: connect: connection refused)
To Reproduce I added this in my upstreams config: