dex
dex copied to clipboard
dexidp
feat: allow Workload Identity Federation for Google connector
Overview
- A new Google connector option have been introduced, i.e.,
serviceAccountToImpersonate. If this field is non-empty, it is assumed that Workload Identity Federation shall be used, and the linked service account needs to be configured for domain-wide delegation. Moreover, the service account used for Workload Identity Federation must includeService Account Token Creatorfor this service account. - Print some warnings if the configuration is not consistent or erroneous.
- Fix fetching groups to rely on
groupsas scope. In the casegroupsis specified as a scope, the oauth authentication call will fail as Google doesn't support it. Moreover, as fetching groups requires the group directory service, it is enough to assume the existence of this service as a prerequisite for the fetch. If 'groups' is specified as a scope, a warning is printed, instead of erroring out, for backwards compatibility reasons. - When specifying
groupsin the configuration, but no group directory service will be created, a warning is printed that the groups configuration will be ignored.
What this PR does / why we need it
The code doesn't support Workload Identity Federation so far. Workload Identity Federation enables interaction with Google services without requiring to provide any sensitive credential data on the caller side, c.f. here.
Special notes for your reviewer
Does this PR introduce a user-facing change?
* A new Google connector option have been introduced, i.e.,
"serviceAccountToImpersonate". If this field is non-empty, it is
assumed that Workload Identity Federation shall be used, and the
linked service account needs to be configured for domain-wide
delegation. Moreover, the service account used for Workload Identity
Federation must include "Service Account Token Creator" for this
service account.
* Print some warnings if the configuration is not consistent or erroneous.
* Fix fetching groups to rely on "groups" as scope. In the case "groups"
is specified as a scope, the oauth authentication call will fail as
Google doesn't support it. Moreover, as fetching groups requires the
group directory service, it is enough to assume the existence of this
service as a prerequisite for the fetch. If "groups" is specified as a
scope, a warning is printed, instead of erroring out, for backwards
compatibility reasons.
* When specifying "groups" in the configuration, but no group directory
service will be created, a warning is printed that the groups
configuration will be ignored.
@nabokihms I know that you guys are very busy, but this feature is very important for us. Therefore, can I support the progress here somehow?
I've manually tested this PR and it works fine. It also fixes: https://github.com/dexidp/dex/issues/3348
It would be great if it was merged.
Please consider using the Cloud Identity API for the groups. This great project by @jkroepke has a PR open for it and it works like a charm. It's no longer necessary to use a service account and/or domain admin email to impersonate.
https://github.com/jkroepke/openvpn-auth-oauth2/pull/196
Please consider using the Cloud Identity API for the groups.
You can use the token of the users access token with scope https://www.googleapis.com/auth/cloud-identity.groups.readonly to fetch the groups, without an additional identity.
Some credits: https://github.com/grafana/grafana/blob/110028706a160af8c66672d06554f616d660d82c/pkg/login/social/connectors/google_oauth.go#L242-L298
API docs: https://cloud.google.com/identity/docs/reference/rest/v1beta1/groups.memberships/searchDirectGroups
