Explore non-claims based group/org/role sync alternatives (Google, GitHub)

[deansheather]

SSO providers such as Google Workspace and GitHub do not provide a groups claim and requires a separate API request or something to get the users groups for features like group sync.

Let's explore what it would take for us to hardcode group sync for specific providers and start with support for Google and GitHub since this is a milestone feature for governance. This will also allow us to use our dev environment for take homes, as we can sync people to organizations based on their GitHub org (e.g. coder-contrib adds people to the take home org).

Requirements

Must have

• First-class support for group/role/organization sync based on groups in Google Workspace

Should have

Added GitHub here so that we can support this in our take-home envs and also validate the abstraction if we must support other OIDC providers down the road.

• First-class support for group/role/organization sync based on organizations in GitHub

Old description

Google Workspace doesn't support adding a groups claim to auth tokens, which means Google groups cannot be synced to Coder. However, there's a non-standard API you can use (with a corresponding scope) to retrieve groups information.

Coder could support Google sign-in better if it detected a Google OIDC config (with the correct scope necessary) and automatically made the request to fetch group information.

[matifali]

I was recently working on a Vault OIDC integration with Google and noticed that the groups oidc field was always empty.

[bpmct]

Moved GitHub to "should have" as it's not strictly a customer requirement but seems like it'd be beneficial to users down the road, and for our dogfooding cc @deansheather @sreya

[matifali]

For GitHub, it would be nice if we can also read team memberships to assign users to groups.

[Emyrk]

I am unfamiliar with Google workspaces. Would the implementation be similar to @matifali's Github suggestion?

As in, Coder would detect a specific SSO (github, google, etc), and make a SSO specific API request to fetch some user attributes.

Then we use these new attributes in place of an OIDC claim for org/group/role sync?

I think I will need to get a google workspace trial or license to verify this specific functionality. If my initial understanding is correct, the largest challenge I can see is how we configure this.

The configuration sounds like it could be SSO specific. Meaning, the Github config options would look different than Google, etc. Just unsure how this transform would look.

[bpmct]

As in, Coder would detect a specific SSO (github, google, etc), and make a SSO specific API request to fetch some user attributes.

Yeah I think we'd have to do that for these outlier, non-claims style SSO.

I think I will need to get a google workspace trial or license to verify this specific functionality. If my initial understanding is correct, the largest challenge I can see is how we configure this.

We are Google Workspace users and have it set up with dev.coder.com so we can dogfood. @kylecarbs may be able to help with admin-side things.

The configuration sounds like it could be SSO specific. Meaning, the Github config options would look different than Google, etc. Just unsure how this transform would look.

👍🏼

[bpmct]

FYI we were originally targeting the November release, but it looks like it may be more complex so it may go into the December release.