
OIDC support for Google Provider groups

Open praneshkumarkn1 opened this issue 2 years ago • 10 comments

Support for Google as OIDC provider in boundary auth_methods

I can see okta, Auth0, and Azure AD as OIDC providers for implementing authentication for boundary

I tried to set up following the similar steps mentioned for other auth providers

Authentication through Google is successful but I am unable to move further with the authorization part.

Below is the JWT I am getting from the URI

token_claims:
{
"at_hash": "XXXXXXXXXXXX",
"aud": "XXXXXXXXXXXX",
"azp": "XXXXXXXXXXXX",
"email": "XXXXXXXXXXXX",
"email_verified": true,
"exp": XXXXXXXXXXXX,
"family_name": "XXXXXXXXXXXX",
"given_name": "XXXXXXXXXXXX",
"hd": "XXXXXXXXXXXX",
"iat": XXX,
"iss": "https://accounts.google.com",
"locale": "en",
"name": "XXXXXXXXXXXX",
"nonce": "XXXXXXXXXXXX",
"picture": "XXXXXX",
"sub": "XXXXXXXXXXXX"
}
userinfo_claims:
{
"email": "XXXXXXXXXXXX",
"email_verified": true,
"family_name": "XXXXXXXXXXXX",
"given_name": "YYY",
"hd": "XXX",
"locale": "en",
"name": "YYYY",
"picture": "https://XXXXXXXXXXXX",
"sub": "XXXXXXXXXXXX"
}

In my JWT I am not able to see a fetch_groups or group_claims config like Vault has.

Is there any known solution or an article to solve my issue?

Thanks in Advance!

praneshkumarkn1 avatar Mar 30 '23 12:03 praneshkumarkn1

Probably should ask on https://discuss.hashicorp.com/ first

macmiranda avatar Mar 30 '23 13:03 macmiranda

Hi @praneshkumarkn1, we currently don't have support for Google OIDC group information implemented yet; we will add this to our backlog and leave the ticket open for community interest.

xingluw avatar Mar 30 '23 14:03 xingluw

Hi @xingluw,

just to clarify, is this not what @praneshkumarkn1 is asking for?

macmiranda avatar Mar 30 '23 15:03 macmiranda

That's correct, Vault supports it but Boundary does not yet

xingluw avatar Mar 30 '23 19:03 xingluw

🤭 Wrong project!

macmiranda avatar Mar 30 '23 20:03 macmiranda

@macmiranda Is there any way I can use Google Workspace group information and map it to Boundary managed groups in the OIDC authentication flow?

If a user belongs to the admin group in Google Workspace he must be mapped to the "admin" group using the filter


I have been looking through each and every article but couldn't find it anywhere. Any help on a workaround is also much appreciated.

Thanks !!!

> Probably should ask on https://discuss.hashicorp.com/ first

I have already asked this in the discuss forum as well

praneshkumarkn1 avatar Mar 31 '23 06:03 praneshkumarkn1

Hi @praneshkumarkn1 ,

For the time being, you'll need something in between Boundary and the Google API that can expose the groups as OIDC claims, e.g. Dex

macmiranda avatar Mar 31 '23 06:03 macmiranda

@macmiranda Okay, thanks, will check it out

praneshkumarkn1 avatar Mar 31 '23 06:03 praneshkumarkn1

I haven't tried it but Vault can also work as an OIDC Provider. Just not sure if it can do the same thing as Dex connectors:

> A "connector" is a strategy used by dex for authenticating a user against another identity provider. Dex implements connectors that target specific platforms such as GitHub, LinkedIn, and Microsoft as well as established protocols like LDAP and SAML.

Something for a little experiment.

macmiranda avatar Mar 31 '23 07:03 macmiranda

@praneshkumarkn1 I am a bit late but we have faced the exact same issue.

The way we solved it was automating it.

We built a little CLI that uses a Google Service Account to get the groups from Google Workspace (Admin Console) and syncs them through Boundary's API in an authoritative way.

This way, you have some groups in Boundary that are always synced with some Gsuite groups.

Enjoy it 😊

https://github.com/freepik-company/bgos

achetronic avatar May 03 '24 22:05 achetronic