
Unable to retrieve Google Groups using GKE Workload Identity

Open jacek-jablonski opened this issue 1 year ago • 2 comments

Preflight Checklist

  • [X] I agree to follow the Code of Conduct that this project adheres to.
  • [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • [X] I am not looking for support or already pursued the available support channels without success.

Version

2.38.0

Storage Type

In-memory

Installation Type

Official Helm chart

Expected Behavior

Retrieving Google Groups using configured GKE Workload Identity.

Actual Behavior

Dex is unable to start with error: failed to initialize server: server: Failed to open connector google: failed to open connector: failed to create connector google: could not create directory service: unable to parse client secret file to config: unexpected end of JSON input

Steps To Reproduce

No response

Additional Information

This fails because google.FindDefaultCredentials(...) (https://github.com/dexidp/dex/blob/master/connector/google/google.go#L363) executes successfully, but, as the docs say, the JSON field may be nil when code is running on Google Cloud Platform (https://pkg.go.dev/golang.org/x/oauth2/google#Credentials). So an empty JSON field is passed further to google.JWTConfigFromJSON(...) (https://github.com/dexidp/dex/blob/master/connector/google/google.go#L374) and causes the failure.

Workload Identity is properly configured and verified by querying the metadata server from the dex pod.

Configuration

issuer: "https://dex.xxx/"

storage:
  type: memory

connectors:
  - type: google
    id: google
    name: Google
    config:
      clientID: $GOOGLE_OAUTH_CLIENT_ID
      clientSecret: $GOOGLE_OAUTH_CLIENT_SECRET
      redirectURI: https://dex.xxx/callback
      domainToAdminEmail: 
        xxx.com: [email protected]
      scopes:
        - openid
        - email
        - https://www.googleapis.com/auth/admin.directory.group.readonly
      claimMapping:
        - groups: https://www.googleapis.com/auth/admin.directory.group.readonly
      fetchTransitiveGroupMembership: true

Logs

No response

jacek-jablonski · Feb 12 '24 21:02
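The failure mode described in the report, and the guard that avoids it, as an added example that is not dex's code and does not import golang.org/x/oauth2/google. It uses a stand-in `credentials` struct with the same `JSON` field semantics (nil when credentials come from the metadata server, as the oauth2 docs state), reproduces the "unexpected end of JSON input" error with encoding/json, and shows the check a connector would need: only call the key-file parser when a key file was actually loaded, and otherwise fall back to the ambient token source. The struct, function names and sample key file are constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// credentials is a hypothetical stand-in for the two fields of
// google.Credentials that matter here. JSON holds the raw key file contents
// and is nil when the credentials come from the GCE/GKE metadata server
// (Workload Identity), exactly the case the report describes.
type credentials struct {
	ProjectID string
	JSON      []byte // nil on GCP when no key file is present
}

// serviceAccountKey holds the fields of a service-account key file that a
// JWT config would need.
type serviceAccountKey struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
}

// jwtConfigFromJSON mimics the failing path: it unmarshals the key file
// without checking for empty input, so nil JSON makes encoding/json return
// "unexpected end of JSON input", wrapped the way the reported error is.
func jwtConfigFromJSON(raw []byte) (*serviceAccountKey, error) {
	var key serviceAccountKey
	if err := json.Unmarshal(raw, &key); err != nil {
		return nil, fmt.Errorf("unable to parse client secret file to config: %w", err)
	}
	if key.Type != "service_account" {
		return nil, errors.New("not a service_account key file")
	}
	return &key, nil
}

// AuthMode names which directory-API authentication path to take.
type AuthMode string

const (
	AuthModeKeyFile AuthMode = "jwt-config-from-key-file"
	AuthModeAmbient AuthMode = "token-source-from-ambient-credentials"
)

// selectDirectoryAuth is the missing guard: branch on whether a key file was
// loaded before handing its bytes to a JSON parser. With ambient (Workload
// Identity) credentials the key-file path is skipped and the caller would use
// the credentials' TokenSource instead.
func selectDirectoryAuth(creds *credentials) (AuthMode, *serviceAccountKey, error) {
	if creds == nil {
		return "", nil, errors.New("no default credentials found")
	}
	if len(creds.JSON) == 0 {
		return AuthModeAmbient, nil, nil
	}
	key, err := jwtConfigFromJSON(creds.JSON)
	if err != nil {
		return "", nil, err
	}
	return AuthModeKeyFile, key, nil
}

func main() {
	// Constructed sample: what default credentials look like on GKE with
	// Workload Identity and no key file mounted.
	ambient := &credentials{ProjectID: "example-project"}
	// Constructed sample key file with placeholder values, not a real key.
	keyFile := &credentials{ProjectID: "example-project", JSON: []byte(
		`{"type":"service_account","client_email":"placeholder-sa@example-project.iam.gserviceaccount.com","private_key":"PLACEHOLDER"}`)}

	// Reproduce the reported error by skipping the guard.
	if _, err := jwtConfigFromJSON(ambient.JSON); err != nil {
		fmt.Println("unguarded:", err)
	}
	// With the guard, both credential shapes resolve to a usable mode.
	for _, c := range []*credentials{ambient, keyFile} {
		mode, key, err := selectDirectoryAuth(c)
		fmt.Println("guarded:", mode, key, err)
	}
}
```

The unguarded call prints the same wrapped message as the dex startup error; the guarded call maps nil JSON to the ambient mode instead of parsing it.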

This PR adds what is needed to make the above configuration work: https://github.com/dexidp/dex/pull/3170

jacek-jablonski · Feb 12 '24 22:02

https://github.com/dexidp/dex/pull/2989 is another, somewhat simpler implementation of Workload Identity support, which has been open even longer than 3170.

irons · Mar 28 '24 21:03