cruise-automation / rbacsync

Automatically sync groups into Kubernetes RBAC
Apache License 2.0

[Doco] excessive GSuite delegation scope #9

Open SP3269 opened 5 years ago

SP3269 commented 5 years ago

The https://www.googleapis.com/auth/admin.directory.group.member.readonly scope is not needed to query group membership. Remove from the doco?

stevvooe commented 5 years ago

@SP3269 Did you run it successfully with the reduced scope? The docs aren't super clear on the difference.

SP3269 commented 5 years ago

Agree, the documentation is suboptimal!

Ok, this is not only the doco change. In gsuite/grouper.go:73, the admin.directory.group.member.readonly scope is specifically requested:

config, err := google.JWTConfigFromJSON(b, admin.AdminDirectoryGroupMemberReadonlyScope, admin.AdminDirectoryGroupReadonlyScope)

The Members function is using only one directory API of the G Suite Admin SDK - Members: list. Per Google documentation, that requires one of the scopes:

Previously, we only used https://www.googleapis.com/auth/admin.directory.group.readonly for a similar purpose when integrating Spinnaker and Artifactory with G Suite, hence raising this issue.

Should I send a PR?

stevvooe commented 5 years ago

> Should I send a PR?

Yea, that's fine but I don't have a good way to test this.

stevvooe commented 5 years ago

@SP3269 I've added this to the 1.2 milestone, so we'll get it fixed in the release after next. I'll be releasing 1.1 in short order, so we'll have to wait on that one.

Thanks for pushing this one forward!