firezone icon indicating copy to clipboard operation
firezone copied to clipboard
verified publisher icon firezone

Update directory sync to use service accounts instead of user token

Open jamilbk opened this issue 1 year ago • 3 comments

  • [x] #6489
  • [ ] #6490
  • [ ] #6491

jamilbk avatar Jul 22 '24 17:07 jamilbk

@bmanifold do you want to take care of the changes in providers you implemented or should I do that?

AndrewDryga avatar Aug 29 '24 19:08 AndrewDryga

I can update them. I've got an update I need to make to the Okta api client anyway.

bmanifold avatar Aug 29 '24 19:08 bmanifold

~~Actually for Google Workspace I think we can stick to personal tokens since they don't expire, and the service account requires an impersonation email anyhow.~~

Scratch that - we can keep the service account for auth, and just send an email to the org administrator to provision the service account for this and save the key.

jamilbk avatar Jun 10 '25 15:06 jamilbk

@jamilbk @bmanifold Is this still relevant with the idea of using a public app instead?

thomaseizinger avatar Sep 30 '25 09:09 thomaseizinger

Yeah this is still relevant:

  • Okta will use a service app the customer provisions in their tenant
  • Google will use our public service account
  • Entra won't use these - we can exchange an access token for the tenant with our public OAuth creds

jamilbk avatar Sep 30 '25 12:09 jamilbk