WIP for google group mapping - Githubissues

markbates / goth

Package goth provides a simple, clean, and idiomatic way to write authentication packages for Go web applications.

https://blog.gobuffalo.io/goth-needs-a-new-maintainer-626cd47ca37b

MIT License

5.2k stars 566 forks source link

WIP for google group mapping #503

Closed jackHay22 closed 1 year ago

jackHay22 commented 1 year ago

Here is my current understanding of how we should organize Google workspace OIDC group mapping.

Process

If "groups" is provided as a scope to the Google Goth provider, recursively search for groups the user belongs to
Create a list of the groups and attach them to goth.User.RawData

The following code was added to Gitea by https://github.com/go-gitea/gitea/pull/21441:

func getClaimedGroups(source *oauth2.Source, gothUser *goth.User) container.Set[string] {
groupClaims, has := gothUser.RawData[source.GroupClaimName]
if !has {
    return nil
}

return claimValueToStringSet(groupClaims)
}

TODO

Where does source.GroupClaimName come from on the Goth side?
Do we use group.Email or group.Name? (Reference)
Authentication for admin service