Comments (6)
I believe this is a limitation on the Google API.
The way this works is by using a Google service account within your GSuite. You give this service account two permissions, one to read the groups within your organisation and one to read the users within your org.
The problem here is that the service account doesn't have permission to read users outside of your org and throws this error.
If I remember correctly, the reason we have to look up users is to find their ID, as when you retrieve a Group it doesn't contain user emails but rather the user IDs as members.
If I'm wrong on that (or things have changed) then we may be able to rewrite the group checking mechanism in providers/google.go and fix this issue.
Will need some digging into the Google Admin API documentation!
from oauth2-proxy.
Hi Joel,
I tried out the idea of the API being the limiting factor, so I checked the group membership using GAM with the print group-members command. It did return all users in the group, even those with an @gmail.com address.
My knowledge with using the API is rather limited, but I think we just need oauth2_proxy to use a different request with a different API scope.
from oauth2-proxy.
Ok that sounds like good news to me, we may be able to fix this!
Do you happen to have an example of the API request you made and maybe even a sample response? It might help us to find the right implementation from the SDK.
from oauth2-proxy.
I can't find exactly which API call GAM uses when doing the "gam print group-members" command, but I think it might be using this one.
It looks like they also have this one, that returns a true/false if the user is a member of the group. This may be an easier one to implement.
from oauth2-proxy.
@KSchmeeds hasMember seems not to be working outside of the domain, but get is working. See:
https://developers.google.com/admin-sdk/directory/v1/reference/members/get?apix=true
from oauth2-proxy.
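The members.get approach discussed above, written out as a self-contained Go example. This is an added illustration, not oauth2-proxy's own providers/google.go code. It calls the Directory API REST endpoint `GET /admin/directory/v1/groups/{groupKey}/members/{memberKey}` directly over HTTP so the shape of the decision is visible; the real service lives at https://admin.googleapis.com and the HTTP client would have to carry service-account credentials with domain-wide delegation and the `https://www.googleapis.com/auth/admin.directory.group.member.readonly` scope. Everything else (the `MembershipChecker` type, the `eng@example.com` group and its members) is constructed here for the example. The API answers 404 for a non-member and also for an unknown group, so both are treated as "not a member"; any other failure is an error, and the caller denies access in that case too, so the check fails closed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// DirectoryMember holds the members.get response fields relevant to an
// authorisation decision. The real response contains more fields.
type DirectoryMember struct {
	ID     string `json:"id"`
	Email  string `json:"email"`
	Role   string `json:"role"`
	Status string `json:"status"`
	Type   string `json:"type"`
}

// MembershipChecker issues members.get calls against the Directory API.
// BaseURL is https://admin.googleapis.com in production (assumed default);
// Client is expected to carry the delegated service-account credentials.
type MembershipChecker struct {
	BaseURL string
	Client  *http.Client
}

// IsMember reports whether memberKey (an email or user ID, domain-external
// users included) is an ACTIVE member of groupKey. 404 means not a member
// or unknown group: a denial, not an error. Other non-200 codes are errors.
func (c *MembershipChecker) IsMember(groupKey, memberKey string) (bool, error) {
	u := fmt.Sprintf("%s/admin/directory/v1/groups/%s/members/%s",
		strings.TrimRight(c.BaseURL, "/"),
		url.PathEscape(groupKey), url.PathEscape(memberKey))
	resp, err := c.Client.Get(u)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
	case http.StatusNotFound:
		return false, nil
	default:
		return false, fmt.Errorf("members.get %s: unexpected status %d", u, resp.StatusCode)
	}
	var m DirectoryMember
	if err := json.NewDecoder(resp.Body).Decode(&m); err != nil {
		return false, err
	}
	// SUSPENDED or ARCHIVED users are still listed as members; only ACTIVE counts.
	return m.Status == "ACTIVE", nil
}

// newFakeDirectory serves a constructed membership table (sample data, not a
// real tenant) in the shape of the members.get endpoint, so this runs offline.
func newFakeDirectory() *httptest.Server {
	members := map[string]DirectoryMember{
		"eng@example.com/alice@example.com": {ID: "1", Email: "alice@example.com", Role: "MEMBER", Status: "ACTIVE", Type: "USER"},
		"eng@example.com/bob@gmail.com":     {ID: "2", Email: "bob@gmail.com", Role: "MEMBER", Status: "ACTIVE", Type: "USER"},
		"eng@example.com/carol@example.com": {ID: "3", Email: "carol@example.com", Role: "MEMBER", Status: "SUSPENDED", Type: "USER"},
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/admin/directory/v1/groups/", func(w http.ResponseWriter, r *http.Request) {
		rest := strings.TrimPrefix(r.URL.Path, "/admin/directory/v1/groups/")
		parts := strings.Split(rest, "/members/")
		if len(parts) != 2 {
			http.Error(w, `{"error":{"code":400,"message":"Bad Request"}}`, http.StatusBadRequest)
			return
		}
		m, ok := members[parts[0]+"/"+parts[1]]
		if !ok {
			http.Error(w, `{"error":{"code":404,"message":"Resource Not Found: memberKey"}}`, http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(m)
	})
	return httptest.NewServer(mux)
}

// CheckAll probes a fixed set of users against the group and returns the
// access decision for each, denying on any error (fail closed).
func CheckAll(baseURL string) map[string]bool {
	c := &MembershipChecker{BaseURL: baseURL, Client: http.DefaultClient}
	out := map[string]bool{}
	for _, email := range []string{"alice@example.com", "bob@gmail.com", "carol@example.com", "mallory@example.net"} {
		ok, err := c.IsMember("eng@example.com", email)
		if err != nil {
			ok = false
		}
		out[email] = ok
	}
	return out
}

func main() {
	srv := newFakeDirectory()
	defer srv.Close()
	for email, ok := range CheckAll(srv.URL) {
		fmt.Printf("%-22s member=%v\n", email, ok)
	}
}
```

Running it shows `bob@gmail.com`, the domain-external member, admitted via members.get, while the suspended and non-member users are denied. Point the checker at the real API by setting `BaseURL` to `https://admin.googleapis.com` and `Client` to an OAuth2-backed client impersonating a Workspace admin; the user-lookup step from the first comment is not needed, because members.get accepts the member's email as `memberKey`.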
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
from oauth2-proxy.