zorn-v / nextcloud-social-login

GNU Affero General Public License v3.0

Google SSO groups #268

Closed dmgeurts closed 1 year ago

dmgeurts commented 3 years ago

I've got Google SSO working, but G-Suite groups aren't being populated in Nextcloud. If I set the default group all users are linked to that. I'm trying to grant access to shared folders by group membership. If I login as a user, I can then assign groups in NC but I was expecting/hoping for the groups as created in Google Suite to come across and be added to NC in the same way the users are.

There's also an entry in the nextcloud.log file:

{"reqId":"NoBUMvRdEaFnd2g6lHNv","level":3,"time":"2021-05-23T19:54:53+00:00","remoteAddr":"192.168.1.84","user":"nc_admin","app":"PHP","method":"POST","url":"/apps/sociallogin/settings/save-admin","message":{"Exception":"Error","Message":"Invalid argument supplied for foreach() at /var/www/nextcloud/apps/sociallogin/lib/Controller/SettingsController.php#56","Code":0,"Trace":[{"file":"/var/www/nextcloud/apps/sociallogin/lib/Controller/SettingsController.php","line":56,"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":218,"function":"saveAdmin","class":"OCA\\SocialLogin\\Controller\\SettingsController","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":127,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":157,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":302,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":993,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":37,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","version":"21.0.2.1"}

And yes, I do have "Update user profile every login" enabled. And "Automatically create groups if they do not exist" too.

zorn-v commented 3 years ago

Groups work only with custom OAuth/OIDC providers.

dmgeurts commented 3 years ago

Ah, that's good to know. Any pointers on moving Google auth over to the custom OAuth2 fields? Currently looking at https://github.com/zorn-v/nextcloud-social-login/blob/master/3rdparty/hybridauth/hybridauth/src/Provider/Google.php

Getting this now: "Provider API returned an unexpected response." What am I missing?

image

zorn-v commented 3 years ago

  1. Better use OIDC if Google supports it (there the field names are more standardized).
  2. Group claim is not what you specified on the screenshot.
  3. I don't know the correct claim for Google.

dmgeurts commented 3 years ago

First step is to get the auth to work; I removed the Groups claim field and the error is the same... I'll have a look at OIDC.

zorn-v commented 3 years ago

> I don't know the correct claim for Google.

https://cloud.google.com/anthos/clusters/docs/on-prem/1.7/how-to/oidc-adfs?hl=it#before_you_begin Seems its name is simply groups (Group in 5.0) :smile:

dmgeurts commented 3 years ago

OIDC works right away, but the username comes up as a bunch of numbers. I guess the scope I've got set is wrong?

zorn-v commented 3 years ago

> but the username comes up as a bunch of numbers

Same as in the built-in Google provider. Is "display name" filled correctly?

dmgeurts commented 3 years ago

The built-in Google provider came up with the name just fine.

The Custom OpenID Connect has no "display name" field.

image

  1. OIDC user
  2. Local user
  3. Built-in Google user

image

zorn-v commented 3 years ago

Seems Google returns digits in the "name" field when logging in via OIDC. I'll increase the priority of "preferred_username" (as it is preferred). Check v4.6.3.

dmgeurts commented 3 years ago

Thank you! I'll keep an eye out for a new release.

dmgeurts commented 3 years ago

Sadly v4.6.3 still resolves to numbers; I wonder if my config is correct...

zorn-v commented 3 years ago

Check v4.6.5

And if it also resolves to numbers, can you insert print_r($profile); die(); somewhere here (after $profile is filled) https://github.com/zorn-v/nextcloud-social-login/blob/1d5de3c4b355360032e881859e5754a0e58d418f/lib/Provider/CustomOpenIDConnect.php#L56-L57 to check what Google returns?

dmgeurts commented 3 years ago

Same result on v4.6.5; this is returned:

Hybridauth\Data\Collection Object ( [collection:protected] => stdClass Object ( [userinfo_profile] => ) )

zorn-v commented 3 years ago

Try to insert print_r($data); die(); here https://github.com/zorn-v/nextcloud-social-login/blob/1d5de3c4b355360032e881859e5754a0e58d418f/lib/Provider/CustomOpenIDConnect.php#L32-L33

dmgeurts commented 3 years ago

Output:

Hybridauth\Data\Collection Object ( [collection:protected] => stdClass Object ( [iss] => accounts.google.com [azp] => 627399176664-irkibqdl1oaa8hdja9ie9vo0b3f35fk1.apps.googleusercontent.com [aud] => 627399176664-irkibqdl1oaa8hdja9ie9vo0b3f35fk1.apps.googleusercontent.com [sub] => 108742873373764279187 [at_hash] => XK0wJYXR-ohnFitMJoTk0A [iat] => 1621928703 [exp] => 1621932303 ) )

zorn-v commented 3 years ago

As you can see, Google just does not return a username.

dmgeurts commented 3 years ago

But it does for the predefined Google Auth?

dmgeurts commented 3 years ago

I have Custom-OIDC login working now. I changed some of the URLs according to what I saw elsewhere and I had to disable the enforcement of special characters in passwords, which is odd. It would be good to bypass this check if possible.

The one thing that doesn't work yet is groups. Adding {"roles": "admin,user"} (replacing the group names with what I have) doesn't make a difference. And I have noticed that the email address doesn't get populated either.

The main thing that changed is likely the User info URL: "https://www.googleapis.com/oauth2/v3/userinfo"

image

dmgeurts commented 3 years ago

Solved the email issue by adding a second scope:

https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email

Now trying to work out which scope I'm missing in the Google API config to get the group membership through.

zorn-v commented 3 years ago

Possibly some additional scope is needed for groups, as in your Google response samples above there are no groups at all.

dmgeurts commented 3 years ago

Indeed, so far I've been unsuccessful with the following scopes:

https://www.googleapis.com/auth/groups https://www.googleapis.com/auth/apps.groups.settings https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory.group.member.readonly

dmgeurts commented 3 years ago

> Groups work only with custom OAuth/OIDC providers.

Do group claims or mapping need to be set? If they do, then I'm not sure what "Automatically create groups if they do not exist" is meant to do...

zorn-v commented 3 years ago

> Do group claims or mapping need to be set?

Yep, the group claim is mandatory for this. And it must exist in the provider response. And it must be parsed correctly; it has a predefined format (as described in the readme).

> I'm not sure what "Automatically create groups if they do not exist" is meant to do...

If the OIDC provider provides some groups (returns in the response some claim that may be parsed according to the settings), they will be automatically created in Nextcloud if they don't exist (with the provider prefix).
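
The two points raised in this thread, that Google's ID token carries no username (so a login falls back to the numeric sub until the userinfo endpoint and the profile/email scopes are configured) and that groups only appear when a group claim is present in the response and parsed, as an added Python example; this is not the app's own code. It assumes the username priority preferred_username > name > sub, accepts the group claim as either a JSON array or a comma-separated string, joins the provider prefix and group name with a hyphen, and decodes the ID token without verifying its signature; CLIENT_ID_PLACEHOLDER and the sample claims are constructed.

```python
import base64
import json

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

def decode_jwt_payload(token: str) -> dict:
    """Claims of a compact JWT, NOT signature-verified: check the signature
    against the provider's JWKS before trusting any claim (out of scope here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def validate_id_token(claims: dict, client_id: str, now: int) -> list:
    """Names of the standard claims that fail basic OIDC checks ([] = OK)."""
    aud = claims.get("aud")
    checks = {"iss": claims.get("iss") in GOOGLE_ISSUERS,
              "aud": aud == client_id or (isinstance(aud, list) and client_id in aud),
              "exp": int(claims.get("exp", 0)) > now}
    return [name for name, ok in checks.items() if not ok]

def parse_groups(profile: dict, group_claim: str, prefix: str) -> list:
    """Group claim as a JSON array of strings or a comma-separated string
    (assumed formats); each group gets the provider prefix the maintainer mentions."""
    value = profile.get(group_claim)
    if isinstance(value, str):
        value = [g.strip() for g in value.split(",") if g.strip()]
    return [f"{prefix}-{g}" for g in (value or []) if isinstance(g, str)]

def resolve_user(claims: dict, userinfo: dict, group_claim: str, prefix: str) -> dict:
    """Merge ID-token and userinfo claims; assumed priority preferred_username > name > sub."""
    merged = {**claims, **userinfo}
    uid = next((merged[k] for k in ("preferred_username", "name") if merged.get(k)), merged["sub"])
    return {"uid": uid, "email": merged.get("email"),
            "groups": parse_groups(merged, group_claim, prefix),
            "missing": [k for k in ("name", "email", group_claim) if k not in merged]}

# Constructed sample: a Google-style ID token payload like the thread's print_r output
# (only iss/aud/sub/iat/exp) plus a userinfo response from the profile + email scopes; no group claim.
NOW = 1621928703
CLIENT_ID = "CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com"
_payload = {"iss": "accounts.google.com", "aud": CLIENT_ID, "sub": "1234567890", "iat": NOW, "exp": NOW + 3600}
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9." + base64.urlsafe_b64encode(
    json.dumps(_payload).encode()).decode().rstrip("=") + ".SIGNATURE_PLACEHOLDER"
SAMPLE_USERINFO = {"sub": "1234567890", "name": "Example User", "email": "user@example.com"}

if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print(validate_id_token(claims, CLIENT_ID, NOW), resolve_user(claims, {}, "groups", "google")["uid"])
```

With the ID token alone the uid is the digit string from sub, exactly the symptom in this thread; with the userinfo response it becomes the display name, and "missing" still lists "groups" because no scope tried here makes Google return one.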

dmgeurts commented 3 years ago

> If the OIDC provider provides some groups (returns in the response some claim that may be parsed according to the settings), they will be automatically created in Nextcloud if they don't exist (with the provider prefix).

But if the claim specifies the groups, then new groups will never be matched? As they won't be in the claim...

How can I best debug whether the provider returns group(s)? I've tried many scopes, so I want to make sure it's not something else, like the wrong type of Google Suite account etc.

dmgeurts commented 3 years ago

I think the problem may well be that I'm working with a Legacy GSuite account...