Allow authentication via nested groups for Google OAuthenticator

[jrdnbradford]

Proposed change

Allow authentication via nested groups for Google OAuthenticator. Google Workspace now allows nested Google Groups, but the Google OAuthenticator has no option for allowing auth this way.

Who would use this feature?

This would be helpful for those who manage the IAM for many hubs.

Suggest a solution

I have a fork that implements this feature. The particular issues that need to be discussed are:

• backwards compatibility: ensuring those who upgrade don't all of the sudden have users who can login due to unanticipated group structures
• security: see backwards compatibility
• login experience: currently _fetch_user_groups has a FIXME related to it being non-asynchronous. Adding support for nested groups may exacerbate this a bit as it takes longer to determine membership given the Google API's current limitations

Most of this can be solved by required explicit opt-in with:

c.GoogleOAuthenticator.allow_nested_groups = True

If there's interest I can spruce up what I have and put in a PR for further discussion.

[consideRatio]

Makes sense!

I'm opinionated that we should let it default to False, making the more permissive choice be opt-in rather than opt-out.

Opening a PR makes sense in my mind.

An open question remains, what about google_admin_groups? I think it should also be influenced, but maybe not? Whats clear is that it should be considered and documented.

Also, if you can make the requests become async, its a separate improvement of relevance - PR welcome for that as well, but preferably separately from the other. I'll promise to get sync->async PR review done fast if you end up working that as well

[consideRatio]

I think the config name is great as well, i considered include_nested_groups as well but i lean towards your suggestion

[jrdnbradford]

I agree on it affecting admin groups as well, as long as it's obvious in the docs and requires explicit opt-in.

And actually I think I prefer your include_nested_groups more so than my allow_nested_groups 😆. allow in this context might indicate something that can happen but doesn't necessarily happen, whereas include makes it obvious that the nested structure matters. I'll put in a PR with my allow_nested_groups since you lean towards it, but I can update it if wanted.