Google SSO nested groups #8122
Comments
This is confirmed. Groups do not have upward expansion, i.e. members of the child group will not have parent group membership passed to Teleport.
Reproduction steps:
In the above scenario, Important note: Google makes it explicit that
Attempted to solve this a little while ago and ran into some issues.
Then this import chain error happens:
etcd is stuck on an old version of A big dependency update pass is probably in order since this isn't the only weird dep-issue.
This is relevant to our interests
A working (draft) implementation is available in #9697; the new functionality relies on the Both rely on the same exact setup: an OAuth 2.0 client id and a service account with domain-wide delegation for a read-only scope ( The Cloud Identity API has some extra licensing requirements: the member being checked must be licensed for Google Workspace Enterprise or for Cloud Identity Premium (at least in theory - maybe it's an effect of our current free trial but even a brand new account with no licenses seems to be successful in calling the API). The draft implementation adds an extra boolean option to the OIDC connector resource, to select between the Directory API that we're already using - which only returns direct group memberships and requires specifying a workspace admin user to impersonate - and the Cloud Identity API - which always returns transitive group memberships, depending on the configuration can either impersonate the user that's logging in or a workspace admin, and might require extra licensing. This will require more documentation to explain the difference between the two options but has perfect backwards compatibility with existing configurations; alternatively we could only support the new API starting from version 9 and mention the new requirements in the upgrade guide.
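To make the direct-versus-transitive distinction from the comment above concrete, here is an added example (not Teleport's code and not from #9697) that walks a constructed direct-membership map upward to its parent groups; the group and user addresses are hypothetical. The direct list is what a direct-membership-only lookup returns and is what role mapping would see today; the transitive list is what the nested groups actually imply.

```go
package main

import (
	"fmt"
	"sort"
)

// directGroups maps a principal (user or group email) to the groups it is a
// direct member of. This mirrors what a direct-membership-only lookup returns
// per principal. Constructed sample data; all addresses are hypothetical.
var directGroups = map[string][]string{
	"alice@example.com":       {"dev-team@example.com"},
	"dev-team@example.com":    {"engineering@example.com"},
	"engineering@example.com": {"all-staff@example.com"},
	"all-staff@example.com":   {},
	"bob@example.com":         {"all-staff@example.com"},
}

// TransitiveGroups expands a principal's direct groups upward through their
// parent groups, returning every group the principal belongs to transitively.
// The seen set guards against cycles in the membership graph.
func TransitiveGroups(direct map[string][]string, principal string) []string {
	seen := map[string]bool{}
	queue := append([]string(nil), direct[principal]...)
	for len(queue) > 0 {
		g := queue[0]
		queue = queue[1:]
		if seen[g] {
			continue
		}
		seen[g] = true
		// Enqueue the parents of this group; they are memberships too.
		queue = append(queue, direct[g]...)
	}
	out := make([]string, 0, len(seen))
	for g := range seen {
		out = append(out, g)
	}
	sort.Strings(out) // deterministic order for claims and for tests
	return out
}

func main() {
	fmt.Println("direct:    ", directGroups["alice@example.com"])
	fmt.Println("transitive:", TransitiveGroups(directGroups, "alice@example.com"))
}
```

Without upward expansion, alice would be mapped only from dev-team, so any role keyed on engineering or all-staff would not be granted to her.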
Yeah, but not sure if we want to rely on that, might get swapped out on us at any moment.
Description
Google nested groups are not expanded when fetching groups using our OAuth code.
TL;DR: when a user is a member of a group that is a subgroup of another gmail, it's not reflected in the groups arriving in SSO.