hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

OIDC support for Google Provider groups #3132

Open praneshkumarkn1 opened 1 year ago

praneshkumarkn1 commented 1 year ago

Support for Google as OIDC provider in boundary auth_methods

I can see Okta, Auth0, and Azure AD as OIDC providers for implementing authentication for Boundary.

I tried to set it up following similar steps to those mentioned for the other auth providers.

Authentication through Google is successful, but I am unable to move further with the authorization part.

Below are the JWT claims I am getting from the URI:

token_claims:
{
"at_hash": "XXXXXXXXXXXX",
"aud": "XXXXXXXXXXXX",
"azp": "XXXXXXXXXXXX",
"email": "XXXXXXXXXXXX",
"email_verified": true,
"exp": XXXXXXXXXXXX,
"family_name": "XXXXXXXXXXXX",
"given_name": "XXXXXXXXXXXX",
"hd": "XXXXXXXXXXXX",
"iat": XXX,
"iss": "https://accounts.google.com",
"locale": "en",
"name": "XXXXXXXXXXXX",
"nonce": "XXXXXXXXXXXX",
"picture": "XXXXXX",
"sub": "XXXXXXXXXXXX"
}
userinfo_claims:
{
"email": "XXXXXXXXXXXX",
"email_verified": true,
"family_name": "XXXXXXXXXXXX",
"given_name": "YYY",
"hd": "XXX",
"locale": "en",
"name": "YYYY",
"picture": "https://XXXXXXXXXXXX",
"sub": "XXXXXXXXXXXX"
}

In my JWT I am not able to see a fetch_groups or group_claims config like Vault has.

Is there any known solution or an article to solve my issue?

Thanks in Advance!

macmiranda commented 1 year ago

Probably should ask on https://discuss.hashicorp.com/ first

xingluw commented 1 year ago

Hi @praneshkumarkn1, we currently don't have the support for Google OIDC group information implemented yet, will add this to our backlog and leave the ticket open for community interest.

macmiranda commented 1 year ago

Hi @xingluw,

just to clarify, is this not what @praneshkumarkn1 is asking for?

xingluw commented 1 year ago

That's correct, Vault supports it but Boundary does not yet

macmiranda commented 1 year ago

🤭 Wrong project!

praneshkumarkn1 commented 1 year ago

@macmiranda Is there any way I can use google's workspace group information and map it to boundary-managed groups in oidc authentication flow?

If a user belongs to the admin group in Google Workspace, he must be mapped to the "admin" group using the filter.

I have been looking through each and every article but couldn't find it anywhere. Any help on a workaround is also much appreciated.

Thanks !!!

Probably should ask on https://discuss.hashicorp.com/ first

I have already asked this in the discuss forum as well.

macmiranda commented 1 year ago

Hi @praneshkumarkn1 ,

For the time being, you'll need something in between Boundary and the Google API that can expose the groups as OIDC claims, e.g. Dex.

praneshkumarkn1 commented 1 year ago

@macmiranda Okay Thanks, Will check it out

macmiranda commented 1 year ago

I haven't tried it, but Vault can also work as an OIDC provider. Just not sure if it can do the same thing as Dex connectors:

A "connector" is a strategy used by dex for authenticating a user against another identity provider. Dex implements connectors that target specific platforms such as GitHub, LinkedIn, and Microsoft as well as established protocols like LDAP and SAML.

Something for a little experiment.

achetronic commented 1 month ago

@praneshkumarkn1 I am a bit late, but we have faced the exact same issue.

The way we solved it was by automating it.

We built a little CLI that uses a Google Service Account to get the groups from Google Workspace (Admin Console) and syncs them through Boundary's API in an authoritative way.

This way, you have some groups in Boundary that are always synced with some Gsuite groups.

Enjoy it 😊

https://github.com/freepik-company/bgos
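The reconciliation step of the "authoritative sync" workaround described in the comment above, as an added example that is not part of the thread and not the code of the bgos tool linked above. It assumes Google Workspace group membership has already been fetched (e.g. via a service account and the Admin SDK) and that Boundary group membership has been listed through Boundary's API; both are represented here as constructed in-memory sets, keyed by the user's e-mail address, which the JWT in the original post shows is available on the OIDC account. The Boundary API calls that would apply the computed adds and removes are intentionally left out; the function `Reconcile`, the `groupMap` name and the sample data are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Members is a set of member identifiers (here: Workspace e-mail addresses).
type Members map[string]struct{}

// Membership maps a group name to its members.
type Membership map[string]Members

// Change is the reconciliation action for one Boundary group.
type Change struct {
	Group  string   // Boundary group name
	Add    []string // members present in Workspace but missing in Boundary
	Remove []string // members present in Boundary but no longer in Workspace
}

// NewMembers builds a member set from a list of identifiers.
func NewMembers(ids ...string) Members {
	m := make(Members, len(ids))
	for _, id := range ids {
		m[id] = struct{}{}
	}
	return m
}

// Reconcile treats Google Workspace as authoritative: for every Workspace group
// in groupMap it returns the adds and removes needed so the mapped Boundary
// group ends up with exactly the Workspace membership. Boundary groups that are
// not in groupMap are never touched, which limits the sync tool's blast radius
// to the groups it is explicitly responsible for.
func Reconcile(workspace, boundary Membership, groupMap map[string]string) []Change {
	changes := make([]Change, 0, len(groupMap))
	for wsGroup, bGroup := range groupMap {
		want := workspace[wsGroup] // reading a missing key yields a nil map, which is safe to range over
		have := boundary[bGroup]
		c := Change{Group: bGroup}
		for member := range want {
			if _, ok := have[member]; !ok {
				c.Add = append(c.Add, member)
			}
		}
		for member := range have {
			if _, ok := want[member]; !ok {
				c.Remove = append(c.Remove, member)
			}
		}
		if len(c.Add) == 0 && len(c.Remove) == 0 {
			continue // already in sync
		}
		sort.Strings(c.Add)
		sort.Strings(c.Remove)
		changes = append(changes, c)
	}
	// Deterministic order makes dry-run output diffable between runs.
	sort.Slice(changes, func(i, j int) bool { return changes[i].Group < changes[j].Group })
	return changes
}

// SampleReconcile runs Reconcile on constructed data (not real tenant data):
// eve has left the Workspace admins group and bob has joined it, the dev group
// is already in sync, and the finance group is not mapped at all.
func SampleReconcile() []Change {
	workspace := Membership{
		"admins@example.com":  NewMembers("alice@example.com", "bob@example.com"),
		"devs@example.com":    NewMembers("carol@example.com"),
		"finance@example.com": NewMembers("dave@example.com"), // unmapped: ignored
	}
	boundary := Membership{
		"admin": NewMembers("alice@example.com", "eve@example.com"),
		"dev":   NewMembers("carol@example.com"),
	}
	groupMap := map[string]string{
		"admins@example.com": "admin",
		"devs@example.com":   "dev",
	}
	return Reconcile(workspace, boundary, groupMap)
}

func main() {
	for _, c := range SampleReconcile() {
		fmt.Printf("group %q: add %v, remove %v\n", c.Group, c.Add, c.Remove)
	}
}
```

Running the sample prints a single change for the `admin` group (add bob, remove eve). In a real sync tool the removes matter as much as the adds: because the Workspace side is authoritative, a user dropped from the Workspace group loses the Boundary group (and the roles granted through it) on the next run, which is the property that makes this approach usable for access revocation rather than only onboarding.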