tchiotludo / akhq

Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more...
https://akhq.io/
Apache License 2.0

Login with Google OIDC always redirect to login page #1662

Open phuc-nguyen2-ts opened 8 months ago

phuc-nguyen2-ts commented 8 months ago

I deployed akhq onto my K8s cluster via the Helm chart. This is my config for the Google OAuth2 method:

```yaml
akhq:
  security:
    roles:
      topic-reader:
        - resources: [ "TOPIC", "TOPIC_DATA" ]
          actions: [ "READ" ]
        - resources: [ "TOPIC" ]
          actions: [ "READ_CONFIG" ]
      topic-writer:
        - resources: [ "TOPIC", "TOPIC_DATA" ]
          actions: [ "CREATE", "UPDATE" ]
        - resources: [ "TOPIC" ]
          actions: [ "ALTER_CONFIG" ]
    default-group: no-roles
    groups:
      topic-reader:
        - role: topic-reader
          patterns: [ ".*" ]
      topic-writer-clusterA-projectA:
        - role: topic-reader
          patterns: [ "projectA.*" ]
        - role: topic-writer
          patterns: [ "projectA.*" ]
          clusters: [ "clusterA.*" ]
      acl-reader-clusterA:
        # note: the "acl-reader" role referenced here is not defined under "roles" above
        - role: acl-reader
          clusters: [ "clusterA.*" ]
    oidc:
      enabled: true
      providers:
        google:
          label: "Login with Google"
          username-field: email
          default-group: no-roles
          users:
            - username: "username@company.com"
              groups:
                - topic-reader
                - topic-writer-clusterA-projectA
                - acl-reader-clusterA
micronaut:
  security:
    enabled: true
    oauth2:
      clients:
        google:
          client-id: xxxxx
          client-secret: xxxxx
          openid:
            issuer: https://accounts.google.com
      enabled: true
    token:
      jwt:
        signatures:
          secret:
            generator:
              secret: xxxxx
```

I don't know where I configured it wrong, but I always get redirected to the login page. Please correct me! I use the latest version: 0.24.0.

fedeostrit commented 7 months ago

Hi @phuc-nguyen2-ts, I have the same error that you indicate. I have the OIDC configuration for Google, and when I try to log in it takes me back to the home page.

This happens because, for me, it cannot validate that the user who logs in belongs to the Google group, which is what the application would have to do: try to log in to Google, check whether the user who logged in belongs to the XXX group that one indicates, and then give them the roles in the app via the akhq group.

```yaml
akhq:
  security:
    oidc:
      enabled: true
      providers:
        oidc:
          label: "Login with Google"
          username-field: email
          groups-field: roles
          default-group: no-roles
          groups:
            - name: devops
              groups:
                - admin
```

I do not generate any group or role; I only use the default group "admin".

If I change default-group: no-roles to default-group: reader or default-group: admin, the login works, but it is not what I want, because precisely by not being able to validate the group it assigns a default admin or reader role. When you configure no-roles exactly as the config says, you make the user have to authenticate no matter what, but it doesn't work and it takes you back to the login, which is why I said before that it doesn't validate the groups in Google.

@tchiotludo & @AlexisSouquiere I understand that everyone has this type of error, and as for the documentation on the site, I don't know if it is correct for version 0.24, since on the page you have one config and at https://github.com/tchiotludo/akhq/blob/0.24.0/application.example.yml you have other configs, for example in "# Auth & Roles (optional)".

There is something wrong in the docs about how to make akhq validate that a user is in a Google group and, if so, assign the corresponding permission. In my case it would be: if the user is in the "devops" group of Google, then I assign them the permission of the admin group?

fedeostrit commented 7 months ago

Google OIDC does not send the groups in its response and it is not supported; for example, DEX has solved this and ArgoCD uses it: https://dexidp.io/docs/connectors/google/. I don't know how you have it implemented in AKHQ, but with only the login response or with the JWT it will not work, because it does not come with it: https://developers.google.com/identity/openid-connect/openid-connect?hl=es-419

After logging in, it would have to check another Google API to see whether the user belongs to the group.

bigman3 commented 6 months ago

As @fedeostrit mentioned, an extra API call is needed to fetch groups. Would it be possible to add support for fetching Google groups via the Google Groups Directory API? It is done via an extra service account @tchiotludo.
It's a common use case...

thanks
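The behaviour both commenters describe (Google's ID token carries no groups claim, so a `groups-field` mapping falls through to `default-group`, while a username mapping or an extra directory lookup does resolve groups) can be modelled in a few lines. The following is an added example written for this page, not AKHQ's own code: the claim set, the "directory" table and the resolution order are assumptions, and the config keys only mirror the provider blocks posted in this thread.

```python
"""Model of how an OIDC login turns into AKHQ groups, as discussed in this thread.

Added example for this page; it is NOT AKHQ's own code and the resolution
order is an assumption. The ID-token claims and the "directory" table are
constructed samples. Config keys mirror the thread's provider block:
username-field, groups-field, default-group, users, groups.
"""

# Constructed sample of the claims Google puts in an ID token. There is no
# groups/roles claim: Google's OIDC ID token does not carry group membership.
GOOGLE_ID_TOKEN_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "110169484474386276334",
    "aud": "xxxxx.apps.googleusercontent.com",
    "email": "username@company.com",
    "email_verified": True,
    "hd": "company.com",
}

# Constructed stand-in for the extra lookup the thread asks for (for example
# the Google Groups Directory API called with a service account). The real
# API response looks different; only the idea (username -> IdP groups) is kept.
FAKE_DIRECTORY = {
    "username@company.com": ["devops"],
    "intern@company.com": [],
}


def resolve_groups(claims, provider_cfg, group_lookup=None):
    """Return the sorted AKHQ groups for the user described by `claims`.

    provider_cfg: dict with username-field, default-group and optionally
    groups-field, users ([{username, groups}]) and groups ([{name, groups}]).
    group_lookup: optional callable(username) -> list of IdP group names,
    representing an extra API call made after login.
    """
    username = claims.get(provider_cfg["username-field"])
    if not username:
        raise ValueError("username field missing from ID token")
    # When the e-mail is the identity, refuse to trust an unverified one.
    if provider_cfg["username-field"] == "email" and not claims.get("email_verified"):
        raise ValueError("email not verified by the issuer")

    idp_groups = []
    groups_field = provider_cfg.get("groups-field")
    if groups_field:
        # For Google this claim is absent, so the list stays empty.
        idp_groups.extend(claims.get(groups_field, []))
    if group_lookup is not None:
        idp_groups.extend(group_lookup(username))

    akhq_groups = []
    for user in provider_cfg.get("users", []):        # username -> AKHQ groups
        if user["username"] == username:
            akhq_groups.extend(user["groups"])
    for mapping in provider_cfg.get("groups", []):    # IdP group -> AKHQ groups
        if mapping["name"] in idp_groups:
            akhq_groups.extend(mapping["groups"])
    if not akhq_groups:
        akhq_groups = [provider_cfg["default-group"]]  # e.g. "no-roles"
    return sorted(set(akhq_groups))


# fedeostrit's config: relies on a "roles" claim that Google never sends.
CLAIM_ONLY_CFG = {
    "username-field": "email",
    "groups-field": "roles",
    "default-group": "no-roles",
    "groups": [{"name": "devops", "groups": ["admin"]}],
}

# phuc-nguyen2-ts's config: maps the e-mail directly to AKHQ groups.
USER_MAPPING_CFG = {
    "username-field": "email",
    "default-group": "no-roles",
    "users": [{"username": "username@company.com",
               "groups": ["topic-reader", "topic-writer-clusterA-projectA",
                          "acl-reader-clusterA"]}],
}


def claim_only(claims):
    return resolve_groups(claims, CLAIM_ONLY_CFG)


def user_mapping(claims):
    return resolve_groups(claims, USER_MAPPING_CFG)


def with_directory_lookup(claims):
    return resolve_groups(claims, CLAIM_ONLY_CFG,
                          group_lookup=lambda u: FAKE_DIRECTORY.get(u, []))


if __name__ == "__main__":
    print(claim_only(GOOGLE_ID_TOKEN_CLAIMS))             # ['no-roles']
    print(user_mapping(GOOGLE_ID_TOKEN_CLAIMS))
    print(with_directory_lookup(GOOGLE_ID_TOKEN_CLAIMS))  # ['admin']
```

The first call shows the failure mode from the thread: with `groups-field: roles` and a Google token, the user authenticates but ends up in `no-roles`, which is why the UI bounces back to the login page. The second shows the username mapping that needs no groups claim, and the third shows where a post-login group lookup would slot in; a real implementation would call the directory API with a service account rather than a dictionary, and should still fail closed to `default-group` when the lookup returns nothing.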