goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Feat: pull in Google Workspace groups via Directory API #5987

Open rknightion opened 1 year ago

rknightion commented 1 year ago

Is your feature request related to a problem? Please describe.
When using Google OIDC for delegated auth (so our users log into Authentik via Google Workspace creds), user data populates successfully, but Groups data is not pulled in (even if specifying the claim). This is due to Google's OIDC with Google Workspace not supporting the Groups claim. To pull in groups data, clients have to pull this in from the Google Directory/Admin API.

Describe the solution you'd like
Enhancing the Google OIDC connector so that, when supplied with Service Account credentials (that users have enabled domain-wide delegation for in Google Workspace), Groups data is either added to the JWT or imported into Authentik directly and mapped to users (and updated if their groups change upon next login).

There are a few examples out there of other OIDC connectors doing this. Most notable is Dex (https://dexidp.io/docs/connectors/google/#fetching-groups-from-google), which uses the above-mentioned method to supplement the user data with Groups information. HashiCorp Vault is another one.

oauth2-proxy also has a similar implementation in Go: https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/google.go

Describe alternatives you've considered
A potential interim workaround is to set up Dex and have Authentik authenticate against Dex, with Dex passing through to Google, in the hope that Dex passes through the Groups claim data to Authentik so our groups in Authentik match what's in our Google Workspace IdP. If I prove this out as successful/workable and there's interest in it, I can fire off a PR for setup docs.

Additional context
Many organisations that use Google Workspace as an IdP (which I agree is generally bad) would benefit from Authentik supporting group data import. Our main use case for Authentik is as a more feature-complete IdP than Google Workspace: we gain things like SCIM, LDAP, RADIUS etc. that Google Workspace has no support for (its SCIM implementation is horrific) without having to migrate the user database or migrate users to a new system.

Thanks for the awesome work on Authentik!
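The sync loop the request above describes (service account with domain-wide delegation calls the Directory API for the user, the result replaces the user's Workspace-derived groups on each login) can be shown without any network access. The following is an added example, not authentik's, Dex's or Google's code. It uses a constructed fake Directory client that returns canned `groups.list` pages in the real response shape (`groups[].email`, `nextPageToken`); the sample user and group addresses are constructed. A real client would obtain service-account credentials with the read-only scope in `DIRECTORY_GROUP_SCOPE` and the impersonated user as the delegation subject, then call `groups.list` with `userKey`; those calls are deliberately not made here. The `gws:` prefix and the `GroupSyncPlan` type are this example's own design.

```python
"""Sync a user's Google Workspace group membership into a local group set.

Added example, not authentik's own code. Models the flow from the feature
request: call the Directory API ``groups.list`` for the signed-in user,
follow ``nextPageToken`` pagination, and diff the result against the user's
current local groups so membership is updated on every login.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Read-only Directory API scope: the least privilege groups.list needs.
DIRECTORY_GROUP_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"

# Local groups derived from Workspace carry this prefix; the sync only ever
# adds or removes groups with the prefix, so locally assigned groups (e.g. a
# local admin group) can never be granted or revoked by a Workspace change.
MANAGED_PREFIX = "gws:"


@dataclass
class FakeDirectoryClient:
    """Offline stand-in for the Directory API (constructed for this example).

    ``pages`` maps a lower-cased user email to the ordered response pages the
    API would return. Page tokens are the page index as a string.
    """
    pages: dict[str, list[dict]] = field(default_factory=dict)
    calls: int = 0

    def groups_list(self, user_key: str, page_token: str | None = None) -> dict:
        self.calls += 1
        user_pages = self.pages.get(user_key.lower())
        if not user_pages:
            return {"groups": []}
        return user_pages[int(page_token) if page_token else 0]


def fetch_google_groups(client, user_email: str) -> set[str]:
    """Collect every group email the user belongs to, following pagination."""
    groups: set[str] = set()
    token: str | None = None
    while True:
        resp = client.groups_list(user_email, page_token=token)
        for g in resp.get("groups", []):
            email = g.get("email")
            if email:
                groups.add(email.lower())  # addresses are case-insensitive
        token = resp.get("nextPageToken")
        if not token:
            return groups


@dataclass(frozen=True)
class GroupSyncPlan:
    add: frozenset[str]
    remove: frozenset[str]
    keep: frozenset[str]


def plan_group_sync(current: set[str], desired_google: set[str]) -> GroupSyncPlan:
    """Diff Workspace membership against local groups, touching only managed ones."""
    desired_local = {MANAGED_PREFIX + g for g in desired_google}
    managed_current = {g for g in current if g.startswith(MANAGED_PREFIX)}
    unmanaged = current - managed_current
    return GroupSyncPlan(
        add=frozenset(desired_local - managed_current),
        remove=frozenset(managed_current - desired_local),
        keep=frozenset((managed_current & desired_local) | unmanaged),
    )


def sync_user_groups(client, user_email: str, current_local: set[str]) -> GroupSyncPlan:
    """What a login-time hook would run: fetch, then compute the membership update."""
    return plan_group_sync(current_local, fetch_google_groups(client, user_email))


# Constructed sample: two pages for alice, none for bob.
SAMPLE_PAGES = {
    "alice@example.com": [
        {"groups": [{"email": "Engineering@example.com", "name": "Engineering"},
                    {"email": "oncall@example.com", "name": "On-call"}],
         "nextPageToken": "1"},
        {"groups": [{"email": "security@example.com", "name": "Security"}]},
    ],
    "bob@example.com": [{"groups": []}],
}

if __name__ == "__main__":
    client = FakeDirectoryClient(pages=SAMPLE_PAGES)
    plan = sync_user_groups(client, "alice@example.com",
                            {"gws:oncall@example.com", "gws:stale@example.com", "local-admins"})
    print("add:", sorted(plan.add))
    print("remove:", sorted(plan.remove))
    print("keep:", sorted(plan.keep))
```

Two choices matter for safety here. Membership is replaced rather than merged, so a user removed from a Workspace group loses the matching local group at the next login (the "updated if their groups change" requirement), and the prefix convention keeps Workspace data from ever touching locally defined groups, which is what you want when the sync identity is a delegated service account that an admin of the Workspace domain controls.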

rknightion commented 1 year ago

I did try with Dex in the middle, but it appears I'm now blocked by https://github.com/goauthentik/authentik/issues/5231, as returned groups from an upstream social login don't get stored anywhere in Authentik by default that I can tell. Unless there's a way with expressions to create/update the groups in Authentik that I'm missing?