Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Google OIDC doesn't support groups scope #557

Closed
tomwardill-payoneer opened this issue Aug 4, 2023 · 3 comments · Fixed by #558 or #560
Closed

Google OIDC doesn't support groups scope #557

tomwardill-payoneer opened this issue Aug 4, 2023 · 3 comments · Fixed by #558 or #560

Comments

@tomwardill-payoneer
Copy link
Contributor

The OIDC provider for Google doesn't support the groups scope` and will prevent login using an OAuth flow if it is requested:

Some requested scopes were invalid. {valid=[openid, https://www.googleapis.com/auth/userinfo.profile], invalid=[groups]} 

I'm not sure if the groups concept is fundamental, or it can somehow be empty if Google is used, or if there is an alternative.

@leg100
Copy link
Owner

leg100 commented Aug 4, 2023

No, not fundamental. It can probably be dropped. I think I had the idea that it could be used in future for synchronizing groups/teams. But if Google is anything to by, it is far from a de facto standard.

I'll either drop it or make the scopes configurable, or both.

Thanks for the bug report. I'll fix it shortly.

leg100 added a commit that referenced this issue Aug 5, 2023
leg100 pushed a commit that referenced this issue Aug 5, 2023
🤖 I have created a release *beep* *boop*
---


## [0.1.7](v0.1.6...v0.1.7)
(2023-08-05)


### Bug Fixes

* remove unused `groups` OIDC scope
([#558](#558))
([3dd465a](3dd465a)),
closes [#557](#557)


### Miscellaneous

* chromium bug fixed ([#559](#559))
([87af2c7](87af2c7))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@pat-s
Copy link
Contributor

pat-s commented Aug 5, 2023

Interesting. I know some OIDC providers (e.g. Keycloak or Azure OIDC) which rely on the groups scope and for which we are using it actively to gather group information.
Quite surprising that Google even blocks it - is there any more information why this is happening? @tomwardill-payoneer

@tomwardill-payoneer
Copy link
Contributor Author

@pat-s groups isn't part of the core spec, it's an optional part of the standard that not everyone implements. I wasn't able to find an official citation from google, but argoproj/argo-cd#1195 is the same issue.

Looks like there are some workarounds with either hidden scopes, or a differently named scoped: hashicorp/vault-plugin-auth-jwt#83

But as it stands, the raw groups scope request won't work.

@leg100 appreciate the quick fix, will have a look at this today.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants