Support for group claims in GSuite #83
Comments
Hi, Thanks for the issue write-up and useful links. Getting groups from GSuite has regularly popped up on the mailing list since OIDC support was added. There are some workarounds using other systems in the middle, but built-in GSuite support hasn't been specifically reviewed. The big decision is where such code would live. The OIDC plugin and setup is already complex, though so far it has been kept provider agnostic. On the other hand, a separate plugin immediately introduces a maintenance cost, and in total the code is probably 98% the same. I'll discuss some options with the team.
Hello @kalafut. Do you have any updates about this issue?
@sergkondr We're leaning towards keeping vendor-specific code within this repo, though the details of managing the configuration UX are still TBD. This is definitely something we're interested in getting in... just need to fit it in the schedule.
@kalafut Do you have any update on this issue? Can you please provide detailed steps to set up groups_claim to use groups that are in the Google organization for access management?
Hi @dharavahini. Unless something on the GSuite side has changed, the extra API step that this PR adds is still required. There is work taking place now to get this and the related Azure PR in.
@kalafut Thank you. Can we create the internal group and map users to the group for the OIDC auth method?
Any news on this PR?
@kalafut could you please also share the suggested workarounds? |
Hi,
This plugin allows mapping group claims to multiple Vault policies. However, the GSuite OIDC flow does not provide a `groups` claim when requested. The configuration does not list a `groups` claim, nor is it an available scope on https://developers.google.com/identity/protocols/OpenIDConnect . By experimenting, you can discover a hidden scope https://www.googleapis.com/auth/userinfo.groups but nothing appears on the `/userinfo` endpoint when given access. Other applications seem to fetch groups through the Google API instead, with a service account impersonating a GSuite admin:
Is it possible to consider adding support for GSuite OIDC, or should it be separated into another Vault plugin? If so, I can try to provide an initial implementation.
Thanks,
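The issue above boils down to one gap: the ID token Google returns carries no groups claim, so any group-to-policy mapping needs a second source of truth, which other applications get from the Admin directory via a delegated service account. The following is an added illustration, not code from vault-plugin-auth-jwt or from the issue author. It shows a claim lookup that accepts either a flat claim name or a JSON-pointer-style path (because providers that do emit groups often nest them), falls back to a directory lookup keyed on a verified `email` claim when the groups claim is absent, and then unions the policies a hypothetical role assigns per group. The token payloads, the `FAKE_DIRECTORY` table and the `policies_for` role mapping are all constructed for the example; in a real deployment the lookup would be an Admin SDK Directory API call made by a service account with domain-wide delegation, and Vault's actual policy assignment goes through its identity external groups rather than a per-role map.

```python
from typing import Any, Callable, Dict, List, Optional

# Constructed ID-token payload shaped like what Google's OIDC flow returns.
# There is no groups claim at all, which is the situation the issue describes.
GOOGLE_ID_TOKEN_CLAIMS: Dict[str, Any] = {
    "iss": "https://accounts.google.com",
    "aud": "example-client-id.apps.googleusercontent.com",  # constructed value
    "sub": "110169484474386276334",                         # constructed value
    "email": "alice@example.com",
    "email_verified": True,
    "hd": "example.com",
}

# Constructed payload from a provider that does emit groups, nested inside an
# object, to show why a claim path is needed rather than only a flat key.
NESTED_GROUPS_CLAIMS: Dict[str, Any] = {
    "iss": "https://idp.example.net",
    "email": "bob@example.com",
    "email_verified": True,
    "resource_access": {"vault": {"groups": ["admins", "devs"]}},
}

# Constructed stand-in for the directory. A real deployment would back this with
# an Admin SDK Directory API query by a service account granted domain-wide
# delegation to impersonate a GSuite admin.
FAKE_DIRECTORY: Dict[str, List[str]] = {
    "alice@example.com": ["vault-admins@example.com", "engineering@example.com"],
}


def get_claim(claims: Dict[str, Any], path: str) -> Optional[Any]:
    """Fetch a claim by flat name, or by a JSON-pointer-like path such as
    "/resource_access/vault/groups" when the name starts with "/"."""
    if not path.startswith("/"):
        return claims.get(path)
    node: Any = claims
    for part in path.strip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def resolve_groups(
    claims: Dict[str, Any],
    groups_claim: str,
    directory_lookup: Optional[Callable[[str], List[str]]] = None,
) -> List[str]:
    """Return the user's groups: the token claim if present, otherwise a directory
    lookup keyed on the email, and only if the IdP marked that email verified."""
    value = get_claim(claims, groups_claim)
    if value is not None:
        if isinstance(value, str):  # some providers emit a single group as a string
            value = [value]
        if not isinstance(value, list) or not all(isinstance(g, str) for g in value):
            raise ValueError(f"{groups_claim!r} must be a string or a list of strings")
        return value
    # No claim in the token: fall back to the directory, but never key the lookup
    # on an email the provider has not verified.
    if directory_lookup is None or "email" not in claims or not claims.get("email_verified"):
        return []
    return directory_lookup(claims["email"])


def fake_directory_lookup(email: str) -> List[str]:
    """Constructed replacement for the Admin SDK call; returns the user's group emails."""
    return list(FAKE_DIRECTORY.get(email, []))


def policies_for(groups: List[str], group_policies: Dict[str, List[str]]) -> List[str]:
    """Hypothetical role mapping: union of each group's policies, deduplicated,
    order preserved so the result is stable for auditing."""
    result: List[str] = []
    for group in groups:
        for policy in group_policies.get(group, []):
            if policy not in result:
                result.append(policy)
    return result


if __name__ == "__main__":
    role_map = {
        "vault-admins@example.com": ["admin"],
        "engineering@example.com": ["dev-secrets", "ci"],
    }
    # Claim absent and no directory configured: the user gets no groups at all.
    print(resolve_groups(GOOGLE_ID_TOKEN_CLAIMS, "groups"))
    # Same token, directory lookup configured: groups come from the Admin side.
    groups = resolve_groups(GOOGLE_ID_TOKEN_CLAIMS, "groups", fake_directory_lookup)
    print(groups, policies_for(groups, role_map))
```

The `email_verified` gate matters: an email address that the provider has not asserted as verified is just user-controlled text, and keying an authorization lookup on it would let a token for one account pick up another account's groups.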